1919 matches found
Allocation of Resources Without Limits or Throttling
Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the group parsing process. An attacker can cause memory exhaustion and disrupt the container runtime API by supplying a maliciously crafted image that triggers unbounded parsing,...
CVE-2026-8417
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...
Cross-site Request Forgery (CSRF)
Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the doupdate process. An attacker can cause an authenticated administrator to unintentionally trigger a package upgrade by enticing them to visit a...
CVE-2026-8417
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...
EUVD-2026-31334
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...
CVE-2026-8417 Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...
CVE-2026-8417 Concrete CMS 9.5.0 and below is vulnerable to CSRF in do_update() in the package update controller
Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/doupdate/. The doupdate method in concrete/controllers/singlepage/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the named...
CVE-2026-8417
Concrete CMS 9.5.0 and earlier is vulnerable to CSRF in the do_update() handler for package upgrades. The endpoint /dashboard/extend/update/do_update/ is invoked via a state-changing GET request and only checks canInstallPackages() before calling upgradeCoreData() and upgrade() on the target pack...
CVE-2026-6478 affecting package postgresql for versions less than 16.14-1
CVE-2026-6478 affecting package postgresql for versions less than 16.14-1. An upgraded version of the package is available that resolves this issue...
[SECURITY] [DLA 4580-1] exim4 security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-4580-1 [email protected] https://www.debian.org/lts/security/ Thorsten Alteholz May 12, 2026 https://wiki.debian.org/LTS -...
[SECURITY] [DSA 6258-1] linux security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6258-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso May 09, 2026 https://www.debian.org/security/faq -...
Important: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update
An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: httpd: httpd-2.4.67-0.1.hum1 aarch64, x8664 httpd-core-2.4.67-0.1.hum1 aarch64, x8664 httpd-devel-2.4.67-0.1.hum1 aarch64, x8664 httpd-filesystem-2.4.67-0.1.hum1 noarch httpd-manual-2.4.67-0.1.hu...
[SECURITY] [DSA 6225-1] firefox-esr security update
------------------------------------------------------------------------- Debian Security Advisory DSA-6225-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff April 22, 2026 https://www.debian.org/security/faq -...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the -env-vars process when multi-step templates are used against untrusted targets. An attacker can execute arbitrary code by injecting malicious DSL expressions. This is only exploitable if multi-step...
Insufficient Verification of Data Authenticity
Overview Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the decidedByUserId field in approval-related endpoints. An attacker can forge decision attribution by supplying an arbitrary user identifier in the request body, causing the system to...
Improper Authorization
Overview Affected versions of this package are vulnerable to Improper Authorization in the authentication process. An attacker can maintain unauthorized access to resources by using valid API tokens, CalDAV credentials, or OpenID Connect authentication even after the account has been disabled or...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the Vault secrets back-end implementation. An attacker can modify secret revisions without proper authorization by leveraging access as an authenticated unit agent and possessing sufficient information about...
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via httprequester.go and httpdownloader.go. An attacker can access internal network resources and exfiltrate sensitive data by crafting malicious promotion templates or Promotion resources that trigger...
Missing Authorization
Overview github.com/mattermost/mattermost/server/channels/app is a private-cloud Slack alternative Affected versions of this package are vulnerable to Missing Authorization in the invite ID validation process. An attacker can gain unauthorized access to create accounts by using leaked invite IDs...
Memory Allocation with Excessive Size Value
Overview Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value in the PSD file preview. An attacker can exhaust server memory resources by uploading a specially crafted PSD file, potentially leading to a denial of service. Remediation Upgrade...