2797252 matches found
IServ Schoolserver User Enumeration
IServ Schoolserver suffers from a user enumeration vulnerability. The vendor does not feel this is an issue...
CVE-2026-25550
Seagull Software BarTender 2010, 2016, and 2019 contain an unauthenticated remote code execution vulnerability in the .NET Remoting service exposed on TCP port 7375 via BtSystem.Service.exe. The service registers an unauthenticated singleton endpoint — BarTenderSystem for BarTender 2016 = R9, and...
CVE-2025-67447
The network diagnosis ping module in Neterbit NW-431F Router 20241014-IR03 and before is vulnerable to OS command injection. The application does not properly sanitize user input in the IP address field before passing it to the system's ping command. An attacker can inject arbitrary OS commands,...
CVE-2026-41237
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping...
CVE-2026-41236
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without...
CVE-2026-50076
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...
CVE-2026-49941
Net::CIDR::Set versions through 0.20 for Perl did not validate IP addresses. The add method called the encode method to parse addresses. If the addresses did not look like netmasks or network ranges, then they were assumed to single IP addresses and passed back to itself as a 32-bit or 128-bit...
CVE-2026-46741
Etsy::StatsD versions through 1.002002 for Perl allow metric injections. The metric names and values are not checked for newlines, colons or pipes. Metrics generated from untrusted sources could inject additional statsd metrics. Note that the git repository contains an unreleased version with the...
CVE-2026-25550
Seagull Software BarTender 2010, 2016, and 2019 expose an unauthenticated .NET Remoting service on TCP port 7375 (BtSystem.Service.exe). BarTenderSystem (BarTender 2016 ≤ R9) and DataServiceSingleton (BarTender 2019 ≤ R10) are registered as unauthenticated singleton endpoints configured with Bina...
Exploit for CVE-2026-8732
CVE-2026-8732 – WordPress WP Maps Pro Exploit Unauthenticat...
CVE-2026-10813
A flaw has been found in LMCache up to 0.4.6. This affects the function hexhashtoint16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level ...
php: NULL pointer dereference in php_mb_check_encoding() via mb_ereg_search_init()
A flaw was found in PHP. When an attacker input can influence the encoding passed to mbregexencoding and the application subsequently uses mbregex search APIs, a NULL pointer dereference can occur due to a mismatch between the Oniguruma and mbfl encoding support. This issue can cause a crash in t...
PHP: PHP-FPM: PHP-FPM: Cross-Site Scripting vulnerability via improper URL sanitation
A flaw was found in PHP, specifically within the PHP-FPM status page. Due to improper sanitation of user data, a remote attacker can craft a malicious URL. When a user views the PHP-FPM status page with this crafted URL, it can lead to the execution of arbitrary JavaScript code Cross-Site Scripti...
CVE-2026-50076 Apache Fory: Java ReplaceResolverSerializer deserialization checks bypass
Deserialization of Untrusted Data in the Java replace-resolve path in Apache Fory fory-core Java SDK before 1.1.0 on Java/JVM platforms allows a remote attacker to bypass class registration, TypeChecker, and DisallowedList checks and invoke classpath-present readResolve/readExternal hooks via...
CVE-2026-49941
Net::CIDR::Set for Perl versions up to 0.20 contains an input validation flaw in the add path: the _encode method misclassifies addresses that are not netmasks or network ranges as single IPs, causing indefinite recursion when the argument is not a well-formed IP. This can be exploited to trigger...
CVE-2026-49940
Net::CIDR::Set versions through 0.20 for Perl accept non-ASCII IP addresses and netmasks. Unicode digits such as the Arabic-Indic One U+0661 were accepted but not properly parsed as numbers. This could allow network masks to accept larger networks...
CVE-2026-26379
An issue in Koha v.25.11 and before allows a remote attacker to execute arbitrary code via the Z39.50 configuration module...
CVE-2026-42317
GLPI is a free asset and IT management software package. Starting in version 0.78 and prior to versions 10.0.25 and 11.0.7, a technician can delete arbitrary files from the filesystem as long as the webserver has write rights on them. Upgrade to 10.0.25 or 11.0.7 to receive a patch...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-42264)
Summary IBM Security SOAR uses an older version of the Axios component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.10.0 Vulnerability Details CVEID:CVE-2026-42264 DESCRIPTION: Axios i...
Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036)
Summary IBM Security SOAR uses an older version of the Axios component that may be identified and exploited. Updates for supported versions have been released which address the issue. It is recommended to upgrade to version 51.0.10.0 Vulnerability Details CVEID:CVE-2026-42033 DESCRIPTION: Axios i...