PT-2026-41864

The file indexer does not normalize the configured directory path. A backend user with permission to edit indexer configurations can index documents from arbitrary locations on the server file system through path traversal sequences...

CVE-2026-45222

CVE-2026-45222 affects Summarize up to version 0.14.1. The issue arises from daemon configuration directory/file permissions that may be world-readable on Unix-like systems, enabling a local attacker to read the daemon bearer token and stored provider credentials from ~/.summarize/daemon.json. Th...

GHSA-RM98-82FR-MCFX phpMyFAQ's Missing CONFIGURATION_EDIT Permission Check on 12 Admin API Configuration Tab Endpoints Allows Information Disclosure by Any Authenticated User

Summary 12 endpoints in ConfigurationTabController.php use userIsAuthenticated login-only check instead of userHasPermissionPermissionType::CONFIGURATIONEDIT. This allows any authenticated user — including ones with zero admin permissions — to enumerate system configuration metadata including the...

CVE-2026-25903 Apache NiFi: Missing Authorization of Restricted Permissions for Component Updates

Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updating configuration properties on extension components that have specific Required Permissions based on the Restricted annotation. The Restricted annotation indicates additional privileges required to add the annotated component to...

Server-Side Template Injection

github.com/lxc/lxd is vulnerable to Server-Side Template Injection SSTI. The vulnerability is due to improper handling of snapshot pattern templates using the Pongo2 template engine, which allows an attacker with instance-configuration permissions to craft malicious templates and read arbitrary...

CVE-2025-6779

An ACAP configuration file has improper permissions, which could allow command injection and potentially lead to privilege escalation. This vulnerability can only be exploited if the Axis device is configured to allow the installation of unsigned ACAP applications, and if an attacker convinces th...

Incorrect Permission Assignment for Critical Resource

Overview snowflake-connector-python is a Snowflake Connector for Python Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the ConfigManager.readconfig path in configmanager.py. An attacker can modify sensitive settings stored in the...

EUVD-2019-9329

Malware in sbrugna...

CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

EUVD-2022-4572

Malicious code in bioql PyPI...

EUVD-2022-5725

Malicious code in bioql PyPI...

EUVD-2023-42304

Malicious code in bioql PyPI...

CVE-2025-54287

Template Injection in instance snapshot creation component in Canonical LXD = 4.0 allows an attacker with instance configuration permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine...

Linux Distros Unpatched Vulnerability : CVE-2021-34182

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue in ttyd v.1.6.3 allows attacker to execute arbitrary code via default configuration permissions. CVE-2021-34182 Note that Nessus relies on the presence...

CVE-2024-13948

CVE-2024-13948 describes an information-disclosure vulnerability in ABB ASPECT family tools (ASPECT-Enterprise, NEXUS Series, MATRIX Series) caused by Windows permissions not being fully secured for ASPECT configuration toolsets. The root cause is an incorrect default privilege flaw that can expo...

CVE-2024-9244

Foxit PDF Reader Update Service Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Foxit PDF Reader. An attacker must first obtain the ability to execute low-privileged code on the...

SUSE-SU-2023:3732-1 Security update for postfix

This update for postfix fixes the following issues: Security fixes: - CVE-2023-32182: Fixed configpostfix SUSE specific script using potentially bad /tmp file bsc1211196. Other fixes: - postfix: config.postfix causes too tight permission on main.cf bsc1215372...

Design/Logic Flaw

MeterSphere is an open-source continuous testing platform. Prior to version 2.10.4 LTS, some interfaces of the Cloud version of MeterSphere do not have configuration permissions, and are sensitively leaked by attackers. Version 2.10.4 LTS contains a patch for this issue...

EulerOS Virtualization 2.11.1 : grub2 (EulerOS-SA-2023-2043)

According to the versions of the grub2 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A flaw in grub2 was found where its configuration file, known as grub.cfg, is being created with the wrong permission set allowing...

CVE-2021-34182

An issue in ttyd v.1.6.3 allows attacker to execute arbitrary code via default configuration permissions...