33562 matches found
CVE-2026-54765
Traefik is an open source HTTP reverse proxy and load balancer. From v3.7.0 prior to v3.7.6, Traefik's Kubernetes Gateway API provider may resolve two accepted HTTPRoutes that target the same backend Service:port but configure different backendRef filters to the same child service and apply only...
CVE-2026-58404
Hugo is a static site generator. From v0.162.0 through v0.163.0, the default security.http.urls policy denies requests to loopback, internal, and cloud-metadata IPv4 literals, but the deny rule only matched dotted-decimal notation, so alternate IPv4 encodings of the same addresses, including...
CVE-2026-48206
Apache Camel JIRA: A vulnerability allows an unauthenticated HTTP client to bypass input validation by supplying non-Camel header names (IssueKey, ProjectKey, IssueTransitionId, etc.) that flow into jira: producers. This lets the attacker potentially drive JIRA operations (delete/transition issue...
golang.org/x/crypto/ssh: golang.org/x/crypto/ssh: Denial of Service via resource leak from unsolicited SSH responses
A flaw was found in golang.org/x/crypto/ssh. A remote malicious SSH peer can exploit this by sending unsolicited global request responses, which fills an internal buffer and blocks the connection's read loop. This prevents the associated resources from being released, leading to a resource leak p...
LobeHub LobeChat <= 2.1.56 - Server-Side Request Forgery
LobeHub LobeChat versions up to and including 2.1.56 are vulnerable to an unauthenticated server-side request forgery vulnerability in the /webapi/proxy endpoint. The endpoint accepts a URL in the POST request body and fetches it server-side without authentication. id: CVE-2026-54157 info: name:...
LoLLMS WebUI - Subfolder Prediction via Path Traversal
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path...
Journyx - XML External Entities Injection (XXE)
The "soapcgi.pyc" API handler allows the XML body of SOAP requests to contain references to external entities. This allows an unauthenticated attacker to read local files, perform server-side request forgery, and overwhelm the web server resources. id: CVE-2024-6893 info: name: Journyx - XML...
ChanCMS <= 3.3.0 - Server-Side Request Forgery
yanyutao0402 ChanCMS 3.3.0 contains a server-side request forgery caused by manipulation of the "taskUrl" argument in /cms/collect/getArticle, letting remote attackers make arbitrary requests, exploit requires no special privileges. id: CVE-2025-10211 info: name: ChanCMS = 3.3.0 - Server-Side...
webp_server_go 0.4.0 - Path Traversal
webpservergo 0.4.0 contains a path traversal caused by insufficient sanitization in file handling, letting attackers read arbitrary files on the server, exploit requires attacker to send crafted requests. id: CVE-2021-46104 info: name: webpservergo 0.4.0 - Path Traversal author: pikpikcu severity...
St. Joe ERP system - SQL Injection
A SQL injection vulnerability exists in the St. Joe ERP system "圣乔ERP系统" that allows unauthenticated remote attackers to execute arbitrary SQL commands via crafted HTTP POST requests to the login endpoint. The application fails to properly sanitize user-supplied input before incorporating it into...
DATAGERRY - REST API Auth Bypass
Incorrect access control in BECN DATAGERRY v2.2 allows attackers to execute arbitrary commands via crafted web requests. id: CVE-2024-46627 info: name: DATAGERRY - REST API Auth Bypass author: gy741 severity: critical description: | Incorrect access control in BECN DATAGERRY v2.2 allows attackers...
Dify v1.6.0 - Server-Side Request Forgery
Dify v1.6.0 contains a server side request forgery caused by improper validation in controllers.console.remotefiles.RemoteFileUploadApi, letting attackers make arbitrary requests from the server, exploit requires network access. id: CVE-2025-56520 info: name: Dify v1.6.0 - Server-Side Request...
kkFileView 4.0 - Server-Side Request Forgery
kkFileView 4.0 contains a server-side request forgery caused by improper validation in OnlinePreviewController.java, letting attackers induce the server to make arbitrary requests, exploit requires sending crafted requests. id: CVE-2022-42149 info: name: kkFileView 4.0 - Server-Side Request Forge...
Apache APISIX - Remote Code Execution
A default configuration of Apache APISIX with default API key is vulnerable to remote code execution. An attacker can abuse the batch-requests plugin to send requests to bypass the IP restriction of Admin API. When the admin key was changed or the port of Admin API was changed to a port different...
CVE-2026-14634
Summary (CVE-2026-14634) The vulnerability exists in kirilkirkov’s Ecommerce-CodeIgniter-Bootstrap (up to commit 213babdbaa949e94557246414db0130e01394517) and affects the function checkForPostRequests in the file application/core/MY_Controller.php for the Subscribed Emails Admin Page. Manipulatio...
Improper Resource Shutdown or Release
Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release in the NGSetupRequest process. An attacker can cause the service to become unavailable by sending specially crafted requests remotely. Remediation Upgrade github.com/omec-project/amf/metrics to...
Improper Resource Shutdown or Release
Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release in the NGSetupRequest process. An attacker can cause the service to become unavailable by sending specially crafted requests remotely. Remediation Upgrade github.com/omec-project/amf/util to version...
Improper Resource Shutdown or Release
Overview Affected versions of this package are vulnerable to Improper Resource Shutdown or Release in the NGSetupRequest process. An attacker can cause the service to become unavailable by sending specially crafted requests remotely. Remediation Upgrade github.com/omec-project/amf/gmm to version...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the workflow approval process. An attacker can gain unauthorized access to protected resources or perform privileged actions by bypassing the intended approval gate through manipulation of permanent fork pull...