CVE-2026-28685
Kimai is a web-based multi-user time-tracking application. Prior to version 2.51.0, "GET /api/invoices/id" only checks the role-based view_invoice permission but does not verify the requesting user has access to the invoice's customer. Any user with ROLE_TEAMLEAD, which grants view_invoice, can read a...
CVE-2026-28685
creationtimestamp | type | source
---|---|---
2026-03-04 12:43:17+00:00 | published-proof-of-concept | https://github.com/kimai/kimai/security/advisories/GHSA-v33r-r6h2-8wr7...
CVE-2022-28685
This vulnerability allows remote attackers to execute arbitrary code on affected installations of AVEVA Edge 2020 SP2 Patch 0 (4201.2111.1802.0000). User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw...
CVE-2022-28685
creationtimestamp | type | source
---|---|---
2023-03-29 22:16:01+00:00 | seen | https://t.me/cibsecurity/61055...
CVE-2022-28685
AVEVA Edge 2020 SP2 Patch 0 (4201.2111.1802.0000) is affected by CVE-2022-28685, a deserialization of untrusted data vulnerability in the APP file parsing path. The flaw arises from inadequate validation of user-supplied data, enabling arbitrary code execution when a victim opens a malicious APP ...
CVE-2023-28685
Jenkins AbsInt a³ Plugin 1.1.0 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks...
CVE-2023-28685
CVE-2023-28685 affects Jenkins AbsInt a³ Plugin (≤1.1.0). It does not configure its XML parser to prevent XML External Entity (XXE) attacks, enabling potential disclosure of secrets from the Jenkins controller via crafted XML. CVSSv3.1 base score 7.1 (HIGH): Network attack vector, LOW privileges ...
CVE-2021-28685
ASUS GPUTweak II before 2.3.0.3 is affected by CVE-2021-28685 via AsIO2_64.sys and AsIO2_32.sys. The driver routines allow low-privileged users to map physical memory into the process’s virtual address space and to interact with MSR registers, enabling exploitation to obtain NT AUTHORITY\SYSTEM p...