CVE-2026-45559 Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, getldapemail app/modules/roxywi/user.py:120-157 builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no...

CVE-2026-46746

A vulnerability has been identified in SINEC INS All versions V1.0 SP2 Update 6. The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injection of shell command payloads via crafted directory names. These payloads are stored and executed when...

CVE-2026-44671

ZITADEL is an open source identity management platform. From 2.71.11 to before 3.4.10 and 4.15.0, a vulnerability was discovered in Zitadel's LDAP identity provider implementation, which fails to properly escape user-provided usernames before incorporating them into LDAP search filters. This allo...

Yamcs security vulnerabilities

Yamcs is an open-source software framework developed by Yamcs. It is used for commanding and controlling spacecraft, satellites, payloads, ground stations, and ground equipment. There are security vulnerabilities in YAMCS, and attackers can exploit these vulnerabilities to perform LDAP injection...

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection via the LdapAuthModule process. An attacker can gain unauthorized access to user accounts by injecting specially crafted input into the username parameter during LDAP authentication. Note: This is only exploitable if the...

CVE-2026-44930 Apache CXF: LDAP Injection vulnerability in XKMS LDAP Repository

An LDAP injection vulnerability in the LDAP Certificate repository of the XKMS server in Apache CXF may allow an attacker to retrieve arbitrary certificates from the repository. Users are recommended to upgrade to versions 4.2.1, 4.1.6 or 3.6.11, which fix this issue...

CVE-2026-44063

An LDAP injection vulnerability in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to manipulate LDAP queries and obtain limited information or modify LDAP entries via crafted filter input...

CVE-2026-41919

CVE-2026-41919 is an LDAP Injection vulnerability in Apache OFBiz caused by improper neutralization of LDAP special elements in DN construction. The issue affects OFBiz versions before 24.09.06. Upgrading to 24.09.06 fixes the vulnerability. The CVE list also notes the potential impact as authent...

EUVD-2026-30875

Improper Neutralization of Special Elements used in an LDAP Query 'LDAP Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

PT-2026-41857

Improper Neutralization of Special Elements used in an LDAP Query 'LDAP Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcprov. The LDAPStoreHelper implementation fails to properly neutralize special elements in user-supplied input before incorporating them into LDAP queries. This allows a remote attacker to execute an LDAP injection attack by supplying...

LDAP Injection

Overview Affected versions of this package are vulnerable to LDAP Injection in the login process due to improper escaping of user-supplied input before it is incorporated into LDAP search filters. An attacker can enumerate valid usernames and extract sensitive attribute data from the connected LD...

CVE-2026-27851

When safe filter is used with variable expansion, all following pipelines on the same string are incorrectly interpreted as safe too, enabling unsafe data to be unescaped. This can enable SQL / LDAP injection attacks when used in authentication. Avoid using safe filter until on fixed version. No...

LDAP Injection

Overview lemur is a Certificate management and orchestration service Affected versions of this package are vulnerable to LDAP Injection via unsanitized input in the username field during the authentication process. An attacker can escalate privileges and gain unauthorized access to sensitive...

PT-2026-38300

Name of the Vulnerable Software and Affected Versions Lemur versions prior to 1.9.0 Description The LDAP authentication module lemur/auth/ldap.py constructs LDAP search filters using unsanitized user input via Python string interpolation. An authenticated LDAP user can inject LDAP filter...

bouncycastle: BC-JAVA: LDAP injection vulnerability in LDAPStoreHelper.java

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcprov. The LDAPStoreHelper implementation fails to properly neutralize special elements in user-supplied input before incorporating them into LDAP queries. This allows a remote attacker to execute an LDAP injection attack by supplying...

CVE-2026-0636

A flaw was found in Legion of the Bouncy Castle Inc. BC-JAVA bcprov. The LDAPStoreHelper implementation fails to properly neutralize special elements in user-supplied input before incorporating them into LDAP queries. This allows a remote attacker to execute an LDAP injection attack by supplying...

SUSE SLES16 Security Update : dovecot24 (SUSE-SU-2026:21208-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:21208-1 advisory. - Update to v2.4.3 - CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins bsc1260894. - CVE-2025-59031:...

LDAP Injection

Bouncy Castle BC-JAVA is vulnerable to LDAP Injection.The vulnerability is due to improper sanitization of user-supplied input in the LDAPStoreHelper component, which allows an attacker to inject malicious LDAP queries and manipulate directory lookups or retrieve unauthorized data...

GHSA-C3FC-8QFF-9HWX Bouncy Castle has an LDAP injection

Improper neutralization of special elements used in an LDAP query 'LDAP injection' vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all prov modules. This vulnerability is associated with program files LDAPStoreHelper. This issue affects BC-JAVA: from 1.74 before 1.84...