CVE-2026-45405

Dokku is a docker-powered PaaS. Prior to 0.38.2, the git:from-archive and certs:add commands extract user-supplied tar/zip archives into temporary directories without sanitizing member paths or preventing symlink traversal. GNU tar creates symlinks during extraction and follows them for subsequen...

CVE-2026-45405

Dokku before 0.38.2 is affected by a file-write vulnerability in tar extraction during git:from-archive and certs:add. User-supplied tar/zip archives are extracted into temporary directories without sanitizing member paths or preventing symlink traversal; GNU tar can create and follow symlinks, e...

MAL-2026-6474 Malicious code in ref-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e1ef3e785cf6cb007c0b33be2ed43ebe49d64f476bb4fb3a66b914b06def5e1 On npm install, the package's postinstall hook runs node test.js which invokes index.js to perform multi-stage installer compromise. 1 Credential...

CVE-2026-52811

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Repository.UploadRepoFiles checks for symlinks only on the leaf of the upload target osx.IsSymlinktargetPath. The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component —...

CVE-2026-52797

Gogs is an open source self-hosted Git service. Prior to 0.14.0, as an authorized user, an intruder can dictate the value which is passed to the git diff command which, together with bypassing the filtering of the passed value, allows the user to bypass the target directory and write the result o...

CVE-2026-52797

Summary: CVE-2026-52797 affects Gogs, an open source self-hosted Git service. Before version 0.14.0, an authorized user could influence the value passed to the git diff command, bypass path filtering, and cause the diff output to be written to an arbitrary path, enabling potential Denial of Servi...

GHSA-89MR-XQFV-758M Gogs: UploadRepoFiles writes outside repo working tree via committed parent sym

Summary Repository.UploadRepoFiles checks for symlinks only on the leaf of the upload target osx.IsSymlinktargetPath. The siblings UpdateRepoFile, DeleteRepoFile, and GetDiffPreview use hasSymlinkInPath, which lstats every component — UploadRepoFiles is the lone outlier. An attacker with repo-wri...

CVE-2025-62180 Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs.

Pega Platform versions 8.3.0 through Infinity 25.1.2 are affected by an authorization weakness that may allow authenticated users to access certain additional data via crafted URLs...

WordPress Simple File List plugin <= 6.3.7 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Operations (Deletion / Move / Folder Creation / Download) via 'frontmanage' Shortcode Attribute vulnerability

Missing Authorization to Authenticated Contributor+ Arbitrary File Operations Deletion / Move / Folder Creation / Download via 'frontmanage' Shortcode Attribute vulnerability discovered by WordFence in WordPress Plugin Simple File List versions = 6.3.7...

CVE-2026-32208

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Edge Chromium-based allows an authorized attacker to perform spoofing over a network...

EUVD-2026-38090

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network...

EUVD-2026-38085

Improper neutralization of input during web page generation 'cross-site scripting' in Microsoft Edge Chromium-based allows an authorized attacker to perform spoofing over a network...

Astra Linux – Vulnerability in unrar-nonfree

RARLAB’s UnRAR version prior to 6.12 on Linux and UNIX allowed directory traversal, enabling writing to files during an extraction operation also known as unpacking. This was demonstrated by creating a file named /.ssh/authorizedkeys. NOTE: WinRAR and Android RAR are not affected by this issue...

Malicious code in node-slot (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d71bcdec983467ab6a47b538e524abc1cdafc98b411761bffb375be17d72009 On npm install, package.json's postinstall hook executes node test.js which invokes code in index.js that performs two distinct attacks on the...

PT-2026-51034

Name of the Vulnerable Software and Affected Versions Azure Synapse affected versions not specified Description Execution with unnecessary privileges allows an authorized attacker to elevate privileges over a network. Recommendations At the moment, there is no information about a newer version th...

PT-2026-51033

Name of the Vulnerable Software and Affected Versions Microsoft Exchange Online affected versions not specified Description Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network. There have been reports of elevated activities targeti...

Azure Bot Service Elevation of Privilege Vulnerability

Improper authentication in Azure Bot Service allows an authorized attacker to elevate privileges over a network...

Microsoft Exchange Online Elevation of Privilege Vulnerability

Missing authorization in Microsoft Exchange Online allows an authorized attacker to elevate privileges over a network...

Dynamics 365 Elevation of Privilege Vulnerability

Improper access control in Microsoft Dynamics 365 allows an authorized attacker to elevate privileges over a network...

CVE-2026-55201

CVE-2026-55201 affects Evil-WinRM (up to version 3.9). A path traversal in download_dir() can cause the server to generate filenames with traversal sequences from Get-ChildItem output, which are passed unsanitized to File.join(), enabling writes outside the intended download directory. Attackers ...