442 matches found
CVE-2026-13020
CVE-2026-13020 affects Esri Portal for ArcGIS up to version 12.1 on Windows, Linux, and Kubernetes. A weak password-recovery mechanism lets a remote, unauthenticated attacker potentially take ownership of a user account by manipulating the recovery flow. The vulnerability’s impact is described as...
EUVD-2026-42057
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an...
PT-2026-56205
Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions prior to 12.2 Description A weak password recovery mechanism for forgotten passwords allows a remote, unauthorized attacker to assume ownership of a user account by manipulating the recovery process...
EUVD-2026-41848
uniFLOW Universal Login Manager ULM Standalone contains an information disclosure vulnerability that may allow an authenticated administrator to access sensitive configuration information through the ULM Remote User Interface RUI. Exploitation requires administrative privileges and may disclose...
CVE-2026-41951
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...
CVE-2026-45716
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...
CVE-2026-50205
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...
EUVD-2026-34217
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...
PT-2026-46156
System log files output unencrypted SMTP server authentication passwords alongside sensitive employee corporate identification data...
CVE-2026-45716
Budibase is an open-source low-code platform. Prior to 3.38.1, the POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances,...
Budibase 安全漏洞
Budibase is an open-source low-code platform developed by Budibase in the UK. It allows for the creation of internal applications, workflows, and management panels within minutes. Versions of Budibase prior to 3.38.1 contained security vulnerabilities. These vulnerabilities stemmed from the POST...
Budibase: Builder-to-Admin Privilege Escalation via onboardUsers Endpoint Without SMTP Configuration
Summary The POST /api/global/users/onboard endpoint is protected by workspaceBuilderOrAdmin middleware, allowing any user with builder permissions to access it. When SMTP email is not configured the default for self-hosted Budibase instances, this endpoint bypasses the admin-restricted invite flo...
PT-2026-41795
Name of the Vulnerable Software and Affected Versions Budibase versions prior to 3.38.1 Description An issue exists in the "POST /api/global/users/onboard" endpoint, which is protected by the workspaceBuilderOrAdmin middleware. This allows users with builder permissions to access the endpoint. In...
CVE-2026-41132 CKAN: No certificate validation on STMP connection
CKAN is an open-source DMS data management system for powering data hubs and data portals. Prior to 2.10.10 and 2.11.5, the configured SMTP server may be spoofed with any certificate e.g. self-signed, leaving credentials and all emails sent open to MITM attacks. This vulnerability is fixed in...
EUVD-2026-29047
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...
CVE-2026-41951
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...
CVE-2026-41951
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...
CVE-2026-41951
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...
CVE-2026-41951
The vulnerability CVE-2026-41951 affects GROWI up to v7.5.0, where a path traversal flaw could let an attacker cause the server to execute arbitrary EJS templates when an email server is running. The issue is documented in multiple sources (NVD/CVE entries) with CVSS v3.0/4.0 base scores of 7.2/8...
PT-2026-39589
Path traversal vulnerability exists in GROWI v7.5.0 and earlier, which may allow an attacker to execute arbitrary EJS templates on the server when an email server is running in GROWI...