CVE-2026-42398
Server-Side Request Forgery CWE-918 in Kibana allows authenticated users with connector management privileges to bypass the operator-configured connection allowlist. By configuring a Webhook connector with a crafted target, an attacker can cause Kibana to issue outbound requests to destinations...
CVE-2026-33458 Server-Side Request Forgery (SSRF) in Kibana One Workflow Leading to Information Disclosure
Server-Side Request Forgery CWE-918 in Kibana One Workflow can lead to information disclosure. An authenticated user with workflow creation and execution privileges can bypass host allowlist restrictions in the Workflows Execution Engine, potentially exposing sensitive internal endpoints and data...
CVE-2025-15101
An OS command injection vulnerability in the web management interface of certain ASUS router models allows remote authenticated administrators to execute arbitrary system commands via a crafted parameter. Refer to the 'Security Update for ASUS Router Firmware' section on the ASUS Security Advisor...
MongoDB 7.0.x < 7.0.31 / 8.0.x < 8.0.20 / 8.2.x < 8.2.6 / 8.3.0-rc0 Double Free (SERVER-118849)
The version of MongoDB installed on the remote host is 7.0 prior to 7.0.31, 8.0 prior to 8.0.20, 8.2 prior to 8.2.6, and 8.3.0-rc0. It is, therefore, affected by a vulnerability as referenced in the SERVER-118849 advisory. - A specially crafted aggregation query with $lookup by an authenticated...
CVE-2025-68390
Allocation of Resources Without Limits or Throttling CWE-770 in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation CAPEC-130 of memory and a denial of service DoS via crafted HTTP request...
CVE-2025-14148
CVE-2025-14148 affects IBM UCD - IBM DevOps Deploy versions 8.1 through 8.1.2.3. An authenticated user with LLM integration configuration privileges can recover a previously saved LLM API Token, exposing credentials. Root cause identified as insufficiently protected credentials (CWE-522). CVSSv3....
EUVD-2008-7084
Malware in sbrugna...
CVE-2022-3911
The iubenda WordPress plugin before 3.3.3 does not have authorisation and CSRF checks in an AJAX action, and does not ensure that the options to be updated belong to the plugin as long as they are arrays. As a result, any authenticated user, such as a subscriber, can grant themselves any privileges,...
CVE-2019-8230
In Magento prior to 1.9.4.3, and Magento prior to 1.14.4.3, an authenticated user with administrative privileges to edit configuration settings can execute arbitrary code through a crafted support/output path...
CVE-2019-8159
A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with system data manipulation privileges can execute arbitrary code through arbitrary file deletion and OS command injection...
Cisco DNA Center Software Cross-Site Request Forgery Vulnerability
Cisco DNA Center is the network management and command center for Cisco DNA. A cross-site request forgery vulnerability exists in the web management interface of Cisco DNA Center versions prior to 2.1.2.0. An attacker could exploit this vulnerability by tricking a user into visiting a specially...
ZKTeco ZKAccess Professional 3.5.3 File Elevation of Privilege Vulnerability
ZKTeco ZKAccess Professional is an access control system. ZKTeco ZKAccess Professional 3.5.3 has a file elevation of privilege vulnerability, which occurs due to incorrect privileges of an authenticated user with the 'M' flag...