22 matches found
CVE-2026-49984
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past...
CVE-2026-49869
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath.endsWith"/configs" to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...
CVE-2026-49869 Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter`
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath.endsWith"/configs" to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match...
CVE-2026-49984
CVE-2026-49984 – Kestra : A path traversal vulnerability in the LocalStorage backend allows any authenticated user who can view an execution to read arbitrary files on the server. Before patching, the LocalStorage path validator mishandles Windows-style backslashes, letting an attacker smuggle tr...
CVE-2026-49984 Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.23, the local internal-storage backend validates user-supplied paths for .. traversal before it converts Windows-style backslashes to forward slashes. An attacker can therefore smuggle a traversal sequence past...
CVE-2026-53576
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the authentication filter for the REST API @Filter"/api/v1/" treats any request whose path ends in /configs as the public instance-config endpoint and forwards it without a credential check. kestra addresse...
CVE-2026-53577 Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...
CVE-2026-53577 Kestra: Cross-Execution File Read via Preview Endpoint (IDOR)
Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint GET /api/v1/tenant/executions/executionId/file/preview contains an access control bypass that allows any authenticated user to read output files from any other executio...
PT-2026-52984
Name of the Vulnerable Software and Affected Versions Kestra versions prior to 1.0.45 Kestra versions prior to 1.3.21 Description The authentication filter for the REST API endpoint /api/v1/ incorrectly treats any request path ending in /configs as a public instance-config endpoint, allowing it t...
EUVD-2023-38074
Malicious code in bioql PyPI...
CVE-2023-41684
Cross-Site Request Forgery CSRF vulnerability in Felix Welberg SIS Handball plugin = 1.0.45 versions...
CVE-2023-33924
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Felix Welberg SIS Handball allows SQL Injection.This issue affects SIS Handball: from n/a through 1.0.45...
WordPress plugin Realty Workstation 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
WordPress Realty Workstation plugin <= 1.0.45 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by ghsinfosec in WordPress Plugin Realty Workstation versions = 1.0.45...
CVE-2024-50489
Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation allows Authentication Bypass.This issue affects Realty Workstation: from n/a through 1.0.45...
PT-2024-34266 · Unknown · Realty Workstation
Name of the Vulnerable Software and Affected Versions: Realty Workstation versions 1.0.0 through 1.0.45 Description: The issue is related to an Authentication Bypass Using an Alternate Path or Channel vulnerability in Realty Workstation, allowing unauthorized access. Recommendations: For versions...
WordPress Realty Workstation plugin <= 1.0.45 - Account Takeover vulnerability
Account Takeover vulnerability discovered by ghsinfosec Patchstack Alliance in WordPress Plugin Realty Workstation versions = 1.0.45...
CVE-2023-33924
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Felix Welberg SIS Handball allows SQL Injection.This issue affects SIS Handball: from n/a through 1.0.45...
PT-2023-24571 · Felix Welberg · Felix Welberg Sis Handball
Name of the Vulnerable Software and Affected Versions: Felix Welberg SIS Handball versions 1.0.0 through 1.0.45 Description: The issue is related to an SQL Injection vulnerability due to improper neutralization of special elements used in an SQL command. This allows for SQL Injection attacks...
CVE-2023-41684
Cross-Site Request Forgery CSRF vulnerability in Felix Welberg SIS Handball plugin = 1.0.45 versions...