17 matches found
CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33746
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
CVE-2026-33746
Convoy (KVM server management panel) is vulnerable in versions 3.9.0-beta through
CVE-2026-33746 Convoy: JWT Signature Verification Bypass Allows Authentication as Arbitrary Users
Convoy is a KVM server management panel for hosting businesses. From version 3.9.0-beta to before version 4.5.1, the JWTService::decode method did not verify the cryptographic signature of JWT tokens. While the method configured a symmetric HMAC-SHA256 signer via lcobucci/jwt, it only validated...
Convoy 数据伪造问题漏洞
Convoy is an open-source platform developed by Convoy for hosting providers and enthusiasts. Versions of Convoy from 3.9.0-beta to 4.5.1 contained a data manipulation vulnerability due to insufficient validation of JWT token signatures, which could lead to authentication bypasses...
CVE-2025-52562
Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...
CVE-2025-52562 Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution
Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...
CVE-2025-52562
Convoy CVE-2025-52562 describes an unauthenticated directory traversal vulnerability in the LocaleController affecting Convoy versions 3.9.0-rc3 through 4.4.0. Exploitation allows including and executing arbitrary PHP files on the server. The issue has been patched in version 4.4.1; a temporary w...
CVE-2025-52562 Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution
Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...
Convoy 安全漏洞
Convoy is Convoy Open Source a modern platform tailored for hosting providers and enthusiasts. A security vulnerability exists in Convoy versions prior to 4.4.1 that stems from a directory traversal vulnerability in the LocaleController component...
PT-2025-26645 · Convoy · Convoy
Name of the Vulnerable Software and Affected Versions: Convoy versions 3.9.0-rc3 through 4.4.0 Description: Convoy is a KVM server management panel for hosting businesses. A directory traversal vulnerability exists in the LocaleController component, allowing an unauthenticated remote attacker to...
CVE-2025-22344
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in timmcdaniels Media Category Library media-category-library allows Reflected XSS.This issue affects Media Category Library: from n/a through = 2.7...
PT-2025-4458 · Unknown · Convoy Media Category Library
Name of the Vulnerable Software and Affected Versions: Convoy Media Category Library versions n/a through 2.7 Description: The issue affects Convoy Media Category Library, allowing Reflected XSS due to improper neutralization of input during web page generation. This is a type of Cross-site...
convoy-shipping.com Cross Site Scripting vulnerability OBB-3932171
Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...
Christian crowdfunding site GiveSendGo hit by DDoS attack
By Waqas The "heavy" DDoS attack on GiveSendGo took place when the platform started collecting donations for Freedom Convoy 2022… This is a post from HackRead.com Read the original post: Christian crowdfunding site GiveSendGo hit by DDoS attack...