
41 matches found

RedhatCVE
added 2026/06/10 3:0 p.m. | 11 views

CVE-2025-67862

An Internal Asset Exposed to Unsafe Debug Access Level or State vulnerability (CWE-1244) in Fortinet FortiOS 7.6.0 through 7.6.2, FortiOS 7.4.0 through 7.4.7, FortiOS 7.2.0 through 7.2.10, FortiOS 7.0.0 through 7.0.16, FortiOS 6.4 all versions, FortiProxy 7.6.0 through 7.6.3, FortiPro...

6.7 CVSS | 5.6 AI score | 0.00144 EPSS
Exploits 0 | References 1

CNNVD
added 2026/04/07 12:0 a.m. | 7 views

runZero Platform security vulnerability

RunZero Platform is an asset discovery and attack surface management platform developed by the US company RunZero. Versions of RunZero Platform prior to 4.0.260202.0 contained security vulnerabilities. These vulnerabilities were due to improper authorization, which could lead to unauthorized acce...

5.8 CVSS | 5.8 AI score | 0.00208 EPSS
Exploits 0 | References 2

Github Security Blog
added 2026/03/26 5:12 p.m. | 6 views

Craft CMS: Authorized asset "preview file" requests bypass allows users without asset access to retrieve private preview metadata

Summary: An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset. The returned preview HTML included a private preview image route containing the target private assetId...

5.8 AI score
Exploits 0 | References 4 | Affected Software 1

ATTACKERKB
added 2026/03/04 6:14 p.m. | 9 views

CVE-2026-3125

A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In...

9.1 CVSS | 6.1 AI score | 0.00832 EPSS
Exploits 0 | References 5

Positive Technologies
added 2026/03/04 12:0 a.m. | 7 views

PT-2026-23032

Name of the Vulnerable Software and Affected Versions: @opennextjs/cloudflare (affected versions not specified). Description: A Server-Side Request Forgery (SSRF) issue exists in the @opennextjs/cloudflare package. This is due to a path normalization bypass in the /cdn-cgi/image/ handler. Specifically,...

9.1 CVSS | 6 AI score | 0.00832 EPSS
Exploits 0 | References 7

ATTACKERKB
added 2026/02/25 3:51 p.m. | 4 views

CVE-2026-27705

Plane is an open-source project management tool. Prior to version 1.2.2, the ProjectAssetEndpoint.patch method in apps/api/plane/app/views/asset/v2.py (lines 579–593) performs a global asset lookup using only the asset ID (pk) via FileAsset.objects.get(id=pk), without verifying that the asset belong...

7.1 CVSS | 5.5 AI score | 0.00213 EPSS
Exploits 0 | References 4 | Affected Software 1

CVE
added 2026/01/05 9:52 p.m. | 15 views

CVE-2025-68437

CVE-2025-68437 affects Craft CMS via SSRF in the GraphQL mutation save__Asset, caused by insufficient validation of the _file.url parameter. Affected versions are 5.0.0-RC1–5.8.20 and 4.0.0-RC1–4.16.16. An attacker with asset-management permissions can supply a URL pointing to internal IPs or c...

6.8 CVSS | 6.8 AI score | 0.00427 EPSS
Exploits 1 | References 3 | Affected Software 1

Vulnrichment
added 2026/01/05 9:46 p.m. | 3 views

CVE-2025-68436 Craft CMS vulnerable to potential information disclosure via unchecked asset relocation

Craft is a platform for creating digital experiences. In versions 5.0.0-RC1 through 5.8.20 and 4.0.0-RC1 through 4.16.16, authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the...

7.1 CVSS | 6.3 AI score | 0.00232 EPSS
Exploits 0 | References 2

Positive Technologies
added 2026/01/05 12:0 a.m. | 8 views

PT-2026-1343

Name of the Vulnerable Software and Affected Versions: Craft versions 5.0.0-RC1 through 5.8.20; Craft versions 4.0.0-RC1 through 4.16.16. Description: Craft is a platform for creating digital experiences. Authenticated users on a Craft installation could potentially expose sensitive assets via their...

7.1 CVSS | 6.5 AI score | 0.00232 EPSS
Exploits 0 | References 6

Atlassian
added 2025/05/13 2:4 a.m. | 18 views

DoS (Denial of Service) io.netty:netty-handler Dependency in Jira Service Management Data Center and Server

This High severity Third-Party Dependency vulnerability was introduced in versions 5.11.3, 5.12.0, 5.13.0, 5.14.0, 5.15.2, 5.16.0, 5.17.0, 10.0.0, 10.1.1, 10.2.0, 10.3.0, 10.4.0, and 10.5.0 of Jira Service Management Data Center and Server. This Third-Party Dependency vulnerability, with a CVSS...

7.5 CVSS | 7.3 AI score | 0.01966 EPSS
Exploits 1

GithubExploit
added 2025/05/03 3:34 p.m. | 130 views

Exploit for Authorization Bypass Through User-Controlled Key in Snipeitapp Snipe-It

CVE-2025-47226 - IDOR Vulnerability in Snipe-IT = v8.0.4 🚨 I...

5 CVSS | 6.7 AI score | 0.01142 EPSS
Exploits 4

Tenable Nessus
added 2024/11/29 12:0 a.m. | 7 views

Dell UPnP SUBSCRIBE function Incorrect Default Permissions (CVE-2020-12695)

The Open Connectivity Foundation UPnP specification before 2020-04-17 does not forbid the acceptance of a subscription request with a delivery URL on a different network segment than the fully qualified event-subscription URL, aka the CallStranger issue. This plugin only works with Tenable.ot...

7.8 CVSS | 6.6 AI score | 0.15193 EPSS
Exploits 3 | References 33

Atlassian
added 2024/11/05 7:11 p.m. | 27 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Crowd Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 5.2.4 and 5.3.0 of Crowd Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 7.3 AI score | 0.00753 EPSS
Exploits 0

Atlassian
added 2024/08/15 8:11 p.m. | 27 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Confluence Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 3.7.0 of Confluence Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 7.5 AI score | 0.011 EPSS
Exploits 0

Atlassian
added 2024/08/15 8:11 p.m. | 23 views

DoS (Denial of Service) org.bouncycastle:bcprov-jdk18on Dependency in Bamboo Data Center and Server

This High severity org.bouncycastle:bcprov-jdk18on Dependency vulnerability was introduced in versions 9.0.0, 9.1.0, 9.2.1, 9.3.0, 9.4.0, 9.5.0, and 9.6.0 of Bamboo Data Center and Server. This org.bouncycastle:bcprov-jdk18on Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 6.6 AI score | 0.011 EPSS
Exploits 0

Atlassian
added 2024/07/03 8:30 a.m. | 38 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 6.8 AI score | 0.13292 EPSS
Exploits 0

Atlassian
added 2024/07/03 8:30 a.m. | 40 views

DoS (Denial of Service) org.apache.commons:commons-compress Dependency in Confluence Data Center and Server

This High severity org.apache.commons:commons-compress Dependency vulnerability was introduced in versions 7.19.23, 8.5.10, 8.9.2 of Confluence Data Center and Server. This org.apache.commons:commons-compress Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 7.4 AI score | 0.12697 EPSS
Exploits 0

Atlassian
added 2024/04/25 5:10 p.m. | 35 views

DoS (Denial of Service) org.apache.struts:struts2-core Dependency in Crowd Data Center and Server

This High severity org.apache.struts:struts2-core Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.apache.struts:struts2-core Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.5 CVSS | 7.2 AI score | 0.05467 EPSS
Exploits 0

Atlassian
added 2024/04/09 1:53 a.m. | 53 views

DoS (Denial of Service) org.eclipse.jetty:jetty-io Dependency in Crowd Data Center and Server

This High severity org.eclipse.jetty:jetty-io Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This org.eclipse.jetty:jetty-io Dependency vulnerability, with a CVSS Score of 7.5 and a CVSS Vector of...

7.8 CVSS | 7.1 AI score | 0.53861 EPSS
Exploits 1

Atlassian
added 2024/04/09 1:52 a.m. | 43 views

Injection com.fasterxml.jackson.core:jackson-databind Dependency in Crowd Data Center and Server

This High severity com.fasterxml.jackson.core:jackson-databind Dependency vulnerability was introduced in versions 5.0.0, 5.1.0, and 5.2.0 of Crowd Data Center and Server. This com.fasterxml.jackson.core:jackson-databind Dependency vulnerability, with a CVSS Score of 8.1 and a CVSS Vector of...

8.8 CVSS | 7 AI score | 0.20929 EPSS
Exploits 2