28 matches found
CVE-2026-26138
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-19 21:32:06+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mhgxafqt4y2s... |
CVE-2026-26138 Microsoft Purview Elevation of Privilege Vulnerability
...
CVE-2026-26138
Microsoft Purview contains a server-side request forgery (SSRF) vulnerability (CVE-2026-26138) that enables an unauthenticated attacker to elevate privileges over a network. The CVSSv3.1 base metrics reported by Microsoft indicate a high severity (8.6), with network attack vector, low attack comp...
CVE-2020-26138
In SilverStripe through 4.6.0-rc1, a FormField with square brackets in the field name skips validation...
CVE-2025-26138
Systemic Risk Value <=2.8.0 is vulnerable to improper access control in /RiskValue/GroupingEntities/Controls/GetFile.aspx?ID=. Uploaded files are accessible via a predictable numerical ID parameter, allowing unauthorized users to increment or decrement the ID to access and download files they do n...
CVE-2024-26138 License information is public, exposing instance id and license holder details
The XWiki licensor application, which manages and enforces application licenses for paid extensions, includes the document Licenses.Code.LicenseJSON that provides information for admins regarding active licenses. This document is public and thus exposes this information publicly. The information...
CVE-2024-26138
The CVE concerns the XWiki licensor application, where the Licenses.Code.LicenseJSON document is publicly accessible and exposes admins’ license information, including the instance ID and license owner’s name and email. This data exposure could enable correlation of active installations and targe...
CVE-2023-26138
| creationtimestamp | type | source |
|---|---|---|
| 2023-07-06 12:37:33+00:00 | seen | https://t.me/cibsecurity/66057... |
CVE-2023-26138
All versions of the package drogonframework/drogon are vulnerable to CRLF Injection when untrusted user input is used to set request headers in the addHeader function. An attacker can add the \r\n (carriage return, line feed) characters and inject additional headers in the request sent...
CVE-2023-26138
The CVE-2023-26138 entry concerns drogonframework/drogon with a CRLF Injection vulnerability in the addHeader function. Untrusted user input used to set request headers can insert \r\n characters, enabling injection of additional headers into outgoing requests. Several sources (NVD, Red Hat, PRio...
Atlassian Confluence: Questions for Confluence App Hardcoded Credentials Vulnerability (CVE-2022-26138)
Over the last few months, Atlassian Confluence has increasingly become a target for attackers. In June 2022, a critical severity OGNL Remote Code Execution vulnerability, CVE-2022-26134, was disclosed. More recently, CVE-2022-26138 was disclosed on social media platforms in July 2022. In...
Questions for Confluence App Default Credentials (CVE-2022-26138)
The remote Confluence web application uses a known set of hard-coded default credentials of the 'Questions for Confluence' marketplace application. An attacker can exploit this to gain administrative access to the remote host.
Atlassian Questions for Confluence App Hardcoded Credentials (CVE-2022-26138)
A hardcoded credentials vulnerability exists in Atlassian Questions for Confluence App. Successful exploitation of this vulnerability would allow remote attackers to obtain sensitive information and gain unauthorized access into the affected system...
Exploit for Use of Hard-coded Credentials in Atlassian Questions_For_Confluence
CVE-2022-26138 1. Introduction Confluence Hardcoded Pass...
CISA Warns of Atlassian Confluence Hard-Coded Credential Bug Exploited in Attacks
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added the recently disclosed Atlassian security flaw to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. The vulnerability, tracked as CVE-2022-26138, concerns the use of hard-coded...
Latest Critical Atlassian Confluence Vulnerability Under Active Exploitation
A week after Atlassian rolled out patches to contain a critical flaw in its Questions For Confluence app for Confluence Server and Confluence Data Center, the shortcoming has now come under active exploitation in the wild. The bug in question is CVE-2022-26138, which concerns the use of a...
VulnCheck KEV: CVE-2022-26138
Atlassian Questions For Confluence App has hard-coded credentials, exposing the username and password in plaintext. A remote unauthenticated attacker can use these credentials to log into Confluence and access all content accessible to users in the confluence-users group...