801 matches found
osTicket - Arbitrary File Read
Enhancesoft osTicket versions 1.18.x prior to 1.18.3 and 1.17.x prior to 1.17.7 contain an arbitrary file read vulnerability in the ticket PDF export functionality. A remote attacker can submit a ticket containing crafted rich-text HTML that includes PHP filter expressions which are insufficientl...
CVE-2026-8438
The All-In-One Security (AIOS) WordPress plugin (versions up to and including 5.4.7) is affected by a Stored Cross-Site Scripting vulnerability. The root cause is insufficient input sanitization in get_rest_route() and missing output escaping in the debug log’s column_default() when the admin das...
CVE-2026-45154
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This...
CVE-2025-13874
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have allowed an authenticated user with Guest permissions to view issues in projects they were not authorized to access...
CVE-2026-43984
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
CVE-2026-43984
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
CVE-2026-43984
CVE-2026-43984 affects Tautulli (Python-based Plex monitoring) prior to version 2.17.1. An authenticated user, including guests when guest access is enabled, can abuse an endpoint that writes attacker-controlled strings into the main application log. The log viewer then embeds the log contents in...
CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
CVE-2026-43984 Tautulli has stored XSS in logFile via guest-controlled log_js_errors input
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
PT-2026-46257
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose log js errors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
CVE-2026-45154
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This...
CVE-2026-45154
Nextcloud Collectives vulnerability: from version 2.6.0 through before 4.3.0, if a collective page was deleted and the collective was shared view‑only, guests with access could directly retrieve the deleted pages from the trashbin. Root cause: improper access control. A fix is available in versio...
CVE-2026-45154 Nextcloud: Improper Access Control in Collectives
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This...
CVE-2026-45154 Nextcloud: Improper Access Control in Collectives
Nextcloud is an open source content collaboration platform. From version 2.6.0 to before version 4.3.0, when a previous collective pages was deleted and the collective was shared view-only, guests with access to the collective were able to access the deleted pages directly from the trashbin. This...
CVE-2026-49367
In JetBrains IntelliJ IDEA before 2026.1.1 command execution was possible via the guest user account...
GHSA-R9G5-7Q8J-958C FUXA provides guest and invalid-token access to protected read APIs in secure mode
Summary When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...
FUXA provides guest and invalid-token access to protected read APIs in secure mode
Summary When secureEnabled=true, FUXA 1.3.0-2773 still allows guest and invalid-token requests to read project, alarms, and scheduler APIs. Details In secure mode, requests with no token or an explicitly invalid token were still able to access protected read endpoints. Confirmed behavior: - guest...
Linux Distros Unpatched Vulnerability : CVE-2025-13874
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.1 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that could have...
Astra Linux - уязвимость в qemu
A vulnerability related to out-of-bounds read/write access was discovered in the USB emulator of QEMU in versions prior to 5.2.0. This issue occurs during the processing of USB packets from a guest, when the value of USBDevice’s ‘setuplen’ exceeds the value of ‘databuf4096’ in the dotokenin and...
Astra Linux - уязвимость в libvirt
A flaw was discovered in libvirt during its generation of SELinux MCS category pairs for virtual machines’ dynamic labels. This flaw allows one exploited guest to access files labeled for another guest, resulting in the breach of sVirt confinement. The greatest threat posed by this vulnerability...