377 matches found
CVE-2026-25623 Arista Edge Threat Management NGFW UI Arbitrary Command Execution
An input validation command execution vulnerability exists in the browser management pipeline of Arista Edge Threat Management - Arista Next Generation Firewall NGFW. Authenticated administrators can leverage this exposure to obtain underlying terminal script code processing execution permissions...
CVE-2026-40500
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
CVE-2026-9144
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...
CVE-2026-45628
Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.29.2 and earlier, Dokploy constructs shell commands using JavaScript template literals and executes them via childprocess.exec which runs through /bin/sh -c. User-supplied branch names, repository URLs, and Docker credentials are...
CVE-2026-44917
OpenStack Ironic before 35.0.2 allows a malicious authenticated project admin or manager to read local files on the Ironic conductor via a pxetemplate...
WebPros Comet Backup 安全漏洞
WebPros Comet Backup is a data backup and recovery platform developed by the Swiss company WebPros. There is a security vulnerability in WebPros Comet Backup, which stems from insufficient character filtering in the backup proxy signature module. This vulnerability may allow authenticated tenant...
EUVD-2024-55597
Insufficiently protected credentials vulnerability in IPSpeaker component in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors...
CVE-2024-47268
CVE-2024-47268 affects Synology Surveillance Station prior to 9.2.2-11575 and 9.2.2-9575, with a missing authorization vulnerability in the AddOns functionality. The issue allows remote authenticated users with administrator privileges to obtain sensitive information via unspecified vectors. The ...
CVE-2024-47267
Improper limitation of a pathname to a restricted directory 'Path Traversal' vulnerability in Archiving Pull functionality in Synology Surveillance Station before 9.2.2-11575 and 9.2.2-9575 allows remote authenticated users with administrator privileges to limited file write via unspecified vecto...
PT-2026-43633
The rexCrawler plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...
PT-2026-43578
Name of the Vulnerable Software and Affected Versions Synology Surveillance Station versions prior to 9.2.2-11575 Synology Surveillance Station versions prior to 9.2.2-9575 Description A path traversal issue exists in the Archiving Pull functionality. This occurs when there is an improper...
Synology Surveillance Station 路径遍历漏洞
Synology Surveillance Station is an application developed by Synology, a Chinese company. It provides intelligent monitoring and video management tools to protect your valuable assets. Versions of Synology Surveillance Station prior to 9.2.2-11575 and 9.2.2-9575 have a path traversal vulnerabilit...
CVE-2026-42425
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the...
CVE-2026-41917
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers c...
CVE-2026-42785
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system command...
OpenKM 代码注入漏洞
OpenKM is a document management system developed by OpenKM Company in Spain. This system offers features such as version control, file history, and file sharing. Version OpenKM 6.3.12 has a code injection vulnerability. This vulnerability arises from allowing authenticated administrators to submi...
Concrete CMS 安全漏洞
Concrete CMS is an open-source content management system developed by Concrete CMS. Versions of Concrete CMS 9.5.0 and earlier have a security vulnerability. This vulnerability arises from failing to clean up the path traversal sequences in the ptComposerFormLayoutSetControlCustomTemplate field...
PT-2026-42563
Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description Reflected Cross-Site Scripting XSS occurs in Legacy Pagination through HTML attribute injection. The ConcreteCoreLegacyPagination class constructs pagination links by raw-interpolating the $URL...
CVE-2026-9144
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...
CVE-2026-9144
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...