161216 matches found
PT-2026-41935
Name of the Vulnerable Software and Affected Versions HestiaCP versions 1.2.0 through 1.9.4 Description An IP spoofing issue allows unauthenticated remote attackers to bypass authentication security controls. This occurs when the system accepts an arbitrary IP address provided in the...
Sparx Systems Sparx Pro Cloud Server 安全漏洞
Sparx Pro Cloud Server is a modeling and service platform developed by Sparx Systems in Australia. It supports remote access to model repositories and collaborative management. Versions of Sparx Pro Cloud Server 6.1 and earlier contained security vulnerabilities. These vulnerabilities stemmed fro...
Malicious code in @antv/async-hook (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
PT-2026-41951
Name of the Vulnerable Software and Affected Versions Panabit PAP-XM320 versions prior to 7.8 Description An authentication bypass exists in the embedded HTTP server. The server validates session cookies by performing a filesystem existence check based on a user-controlled cookie value. Due to a...
Panabit PAP-XM320 路径遍历漏洞
Panabit PAP-XM320 is an enterprise-level network traffic management and bandwidth control gateway device developed by Panabit Corporation. Versions of Panabit PAP-XM320 prior to v7.7 contain a path traversal vulnerability. This vulnerability stems from the use of a file system existence check bas...
CVE-2026-36829
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and...
PT-2026-41974
Name of the Vulnerable Software and Affected Versions @haxtheweb/open-apis versions 9.0.1 through 25.x Description Multiple functions perform substring-only matching to validate hostnames for basic authorization. This allows an attacker to append matched substrings to an attacker-controlled...
CVE-2025-61081
In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break EPB and Supplemental Restoration System SRS related ECUs...
CVE-2026-36829
CVE-2026-36829 affects Panabit PAP-XM320 (up to v7.7). The embedded HTTP server authenticates via a cookie-based value checked against the filesystem, using a user-controlled cookie without proper sanitization. This leads to a directory traversal scenario and authentication bypass, enabling bypas...
PT-2026-41983
Name of the Vulnerable Software and Affected Versions BYD Atto3 affected versions not specified Description An attacker can obtain a permanently available authentication key through a Brute Force attack. This key allows unauthorized flashing of the Electronic Parking Break EPB and Supplemental...
Apache OFBiz 授权问题漏洞
Apache OFBiz is an ERP system developed by the Apache Foundation in the United States. This system provides a complete set of Java-based web application components and tools. Versions of Apache OFBiz prior to 24.09.06 had an authorization vulnerability, which stemmed from improper authentication...
HestiaCP 安全漏洞
HestiaCP is an open-source control panel designed for modern networks, offering a lightweight yet powerful solution. Versions 1.2.0 to 1.9.4 of HestiaCP contain security vulnerabilities. These vulnerabilities stem from an IP spoofing vulnerability, allowing unauthorized remote attackers to bypass...
CVE-2026-36829
An authentication bypass vulnerability exists in the embedded HTTP server of Panabit PAP-XM320 up to and including v7.7. The server validates session cookies using a filesystem existence check based on a user-controlled cookie value without proper sanitization, allowing directory traversal and...
PT-2026-42049
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.2 Description The public API role unassignment endpoint "/api/public/v1/roles/unassign" updates user documents in CouchDB but fails to invalidate the corresponding Redis user cache entries. Because the...
PT-2026-41833
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. The issue exists because the server-side processAction...
EUVD-2025-209899
In BYD Atto3, an attacker can obtain an authentication key through Brute Force attack, which is permanently available. The authentication key enables flash to the Electronic Parking Break EPB and Supplemental Restoration System SRS related ECUs...
FreeBSD : Vinyl/Varnish -- HTTP/2 parsing deficiency (f0f4bb64-52c6-11f1-a1c0-0050569f0b83)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the f0f4bb64-52c6-11f1-a1c0-0050569f0b83 advisory. Vinyl Development Team reports: A deficiency in HTTP/2 request parsing can be exploited to launch a...
squid security update
7:3.5.20-17.0.11.13 - Security update for CVE-2026-32748 CVE-2026-33526 Orabug: 39230173 7:3.5.20-17.0.9.13 - Fixes CVE-2025-62168, squid: Squid vulnerable to information disclosure via - authentication credential leakage in error handling Orabug: 38587551 7:3.5.20-17.0.7.13 - Fixes CVE-2025-5457...
CVE-2025-61081
DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none...
PT-2026-41872
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw in the WebAuthn Web Authentication flow allows a remote attacker to replay ExecuteActionsActionToken tokens. By intercepting an execute-actions email link, an attacker can register...