33 matches found

Positive Technologies, added 2026/06/10 12:00 a.m., 10 views

PT-2026-48481

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.0.0 through 2.0.13 Description A cross-site request forgery CSRF issue exists where a cross-site GET request can trigger stored cron commands on a victim's agents. The dashboard exposes a manual-trigger action via t...

CVSS 7.1, AI score 5.2, EPSS 0.00123
Exploits: 0, References: 5
Snyk, added 2026/05/28 10:45 p.m., 6 views

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default permissions that grant regular users elevated privileges. An attacker can gain unauthorized access to host files and execute code with root-level privileges by leveraging authenticat...

CVSS 9.4, AI score 6, EPSS 0.00452
Exploits: 0, References: 2
Snyk, added 2026/05/28 10:45 p.m., 7 views

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default permissions that grant regular users elevated privileges. An attacker can gain unauthorized access to host files and execute code with root-level privileges by leveraging authenticat...

CVSS 9.4, AI score 6, EPSS 0.00452
Exploits: 0, References: 2
Snyk, added 2026/05/28 10:45 p.m., 6 views

Incorrect Default Permissions

Overview Affected versions of this package are vulnerable to Incorrect Default Permissions due to insecure default permissions that grant regular users elevated privileges. An attacker can gain unauthorized access to host files and execute code with root-level privileges by leveraging authenticat...

CVSS 9.4, AI score 6, EPSS 0.00452
Exploits: 0, References: 2
EUVD, added 2026/03/19 11:10 p.m., 3 views

EUVD-2026-13372

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

CVSS 6.5, AI score 5.8, EPSS 0.00306
Exploits: 0, References: 1
RedhatCVE, added 2026/03/01 1:43 a.m., 4 views

CVE-2026-27832

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection SQLi vulnerability, exploitable through the advancedQueryData parameter comparator field on an authenticated endpoint. The endpoint...

CVSS 8.8, AI score 6, EPSS 0.00244
Exploits: 0, References: 1
NVD, added 2026/02/27 8:21 p.m., 4 views

CVE-2026-27832

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection SQLi vulnerability, exploitable through the advancedQueryData parameter comparator field on an authenticated endpoint. The endpoint...

CVSS 8.8, EPSS 0.00244
Exploits: 0, References: 1
ATTACKERKB, added 2026/02/27 7:49 p.m., 3 views

CVE-2026-27832

Group-Office is an enterprise customer relationship management and groupware tool. Versions prior to 26.0.8, 25.0.87, and 6.8.153 have a SQL Injection SQLi vulnerability, exploitable through the advancedQueryData parameter comparator field on an authenticated endpoint. The endpoint...

CVSS 8.8, AI score 6, EPSS 0.00244
Exploits: 0, References: 2, Affected Software: 1
Positive Technologies, added 2026/02/27 12:00 a.m., 7 views

PT-2026-22388

Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 26.0.8 Group-Office versions prior to 25.0.87 Group-Office versions prior to 6.8.153 Description The software has a SQL Injection issue that can be exploited through the advancedQueryData parameter, specifically...

CVSS 7.1, AI score 6, EPSS 0.00244
Exploits: 0, References: 5
Cvelist, added 2026/02/26 3:21 p.m., 21 views

CVE-2026-26228 VLC for Android < 3.7.0 Remote Access Path Traversal

VideoLAN VLC for Android prior to version 3.7.0 contains a path traversal vulnerability in the Remote Access Server routing for the authenticated endpoint GET /download. The file query parameter is concatenated into a filesystem path under the configured download directory without canonicalizatio...

CVSS 4.9, EPSS 0.00275
Exploits: 0, References: 3
GithubExploit, added 2026/02/22 6:28 p.m., 184 views

Exploit for Improper Neutralization of Null Byte or NUL Character in Wftpserver Wing_Ftp_Server

CVE-2025-47812 — Wing FTP Server Unauthenticated RCE...

CVSS 10, AI score 8.8, EPSS 0.95343
Exploits: 25
EUVD, added 2025/10/03 8:07 p.m., 6 views

EUVD-2024-19490

Malicious code in bioql PyPI...

CVSS 8.8, AI score 6.6, EPSS 0.02475
Exploits: 0, References: 3
OSV, added 2025/07/28 7:57 p.m., 3 views

GO-2025-3804 Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju

Juju zip slip vulnerability via authenticated endpoint in github.com/juju/juju...

CVSS 8.8, AI score 6.1, EPSS 0.00647
Exploits: 1, References: 8
OSV, added 2025/07/28 7:57 p.m., 7 views

GO-2025-3805 Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju

Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive report...

CVSS 8.8, AI score 6.1, EPSS 0.00569
Exploits: 1, References: 6
OSV, added 2025/07/28 7:57 p.m., 2 views

GO-2025-3806 Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju

Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization in github.com/juju/juju...

CVSS 6.5, AI score 5.9, EPSS 0.00315
Exploits: 1, References: 4
NVD, added 2025/07/16 8:15 p.m., 16 views

CVE-2025-53908

RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the /api/raw endpoint. Anyone running the latest version of RomM and has multiple users, even unprivileged users, such as the kiosk user in the official...

CVSS 8.3, EPSS 0.00445
Exploits: 0, References: 4
Github Security Blog, added 2025/07/09 3:30 p.m., 7 views

Juju vulnerable to sensitive log retrieval via authenticated endpoint without authorization

Impact Any user with a Juju account on a controller can read debug log messages from the /log endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. The log messages may contain sensitive information. Details The /log endpoint ...

CVSS 6.5, AI score 6.3, EPSS 0.00315
Exploits: 1, References: 5, Affected Software: 1
Github Security Blog, added 2025/07/09 3:29 p.m., 10 views

Juju zip slip vulnerability via authenticated endpoint

Impact Any user with a Juju account on a controller can upload a charm to the /charms endpoint. No specific permissions are required - it's just sufficient for the user to exist in the controller user database. A charm which exploits the zip slip vulnerability may be used to allow such a user to...

CVSS 8.8, AI score 6.5, EPSS 0.00647
Exploits: 1, References: 10, Affected Software: 1
RedhatCVE, added 2025/04/05 12:26 a.m., 17 views

CVE-2024-47217

An issue was discovered in Iglu Server 0.13.0 and below. It is similar to CVE-2024-47214, but involves an authenticated endpoint. It can render Iglu Server completely unresponsive. If the operation of Iglu Server is not restored, event processing in the pipeline would eventually halt...

CVSS 7.5, AI score 7, EPSS 0.00335
Exploits: 0, References: 1
NVD, added 2025/04/03 9:15 p.m., 6 views

CVE-2024-47217

An issue was discovered in Iglu Server 0.13.0 and below. It is similar to CVE-2024-47214, but involves an authenticated endpoint. It can render Iglu Server completely unresponsive. If the operation of Iglu Server is not restored, event processing in the pipeline would eventually halt...

CVSS 6.5, EPSS 0.00313
Exploits: 0, References: 1