Incorrect Behavior Order

Overview Affected versions of this package are vulnerable to Incorrect Behavior Order due to a write operation to the session storage backend occurring before authentication. An attacker can exhaust storage resources by sending unauthenticated requests. Remediation Upgrade horizon to version 25.7...

CVE-2026-22420

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Horizon horizon allows PHP Local File Inclusion.This issue affects Horizon: from n/a through = 1.1...

CVE-2023-40312

Multiple reflected XSS were found on different JSP files with unsanitized parameters in OpenMNS Horizon 31.0.8 and versions earlier than 32.0.2 on multiple platforms that an attacker can modify to craft a malicious XSS payload. The solution is to upgrade to Meridian 2023.1.6, 2022.1.19, 2021.1.30...

CVE-2025-53122

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in OpenNMS Horizon and Meridian applications allows SQL Injection. Users should upgrade to Meridian 2024.2.6 or newer, or Horizon 33.16 or newer. Meridian and Horizon installation instructions state...

SUSE CVE-2023-0870

A form can be manipulated with cross-site request forgery in multiple versions of OpenNMS Meridian and Horizon. This can potentially allow an attacker to gain access to confidential information and compromise integrity. The solution is to upgrade to Meridian 2023.1.1 or Horizon 31.0.6 or newer...