3513 matches found
Vite Dev Server - Information Exposure
Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...
CVE-2026-41878
R-SOFT DMS is vulnerable to Insecure Direct Object Reference IDOR attack in multiple file download endpoints. The application fetches files from the database by ID and serves them to whoever requests them, relying only on session authentication, meaning any valid user can access any file. This...
CVE-2026-55590
CakePHP Authentication is an authentication plugin for CakePHP that can also be used in PSR-7 based applications. Prior to 2.11.1, 3.3.6, and 4.1.1, the getLoginRedirect method contains a weakness to backslash bypasses that allows redirect targets with attacker-controlled hostnames through the...
GitLab 9.1 < 18.11.7 / 19.0 < 19.0.4 / 19.1 < 19.1.2 (CVE-2026-7492)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.1 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an...
CVE-2026-58254
NATS Server (affected components: leafnode message trace destination checks) could allow a leafnode operator to send trace events to subjects that should be disallowed and use trace-only behavior to interfere with delivery/storage. Root cause: checks were applied to ordinary client connections bu...
CVE-2026-55076
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7, 2.32.7, 2.33.8, and 2.34.2, Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string...
CVE-2026-45796
Coder allows organizations to provision remote development environments via Terraform. Versions prior tp 2.24.5, 2.29.13, 2.30.8, 2.31.12, 2.32.2, and 2.33.3 are vulnerable to unauthenticated semi-blind Server-Side Request Forgery SSRF via the Azure instance identity endpoint POST...
CVE-2026-55434 Coder vulnerable to denial of service via unbounded request body in AI Bridge provider endpoints
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.33.0 and prior to versions 2.33.8 and 2.34.2, AI Bridge provider handlers read request bodies with io.ReadAll without a maximum size so an authenticated user with AI Bridge access could se...
ROOT-APP-MAVEN-CVE-2022-42003 CVE-2022-42003 in io.root.com.fasterxml.jackson.core:jackson-databind - Patched by Root
Root has patched CVE-2022-42003 in the io.root.com.fasterxml.jackson.core:jackson-databind package for Root:Maven. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2025-48997 CVE-2025-48997 in @rootio/multer - Patched by Root
Root has patched CVE-2025-48997 in the @rootio/multer package for Root:npm. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-69230 CVE-2025-69230 in rootio-aiohttp - Patched by Root
Root has patched CVE-2025-69230 in the rootio-aiohttp package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-MAVEN-CVE-2026-41726 CVE-2026-41726 in io.root.org.springframework.kafka:spring-kafka - Patched by Root
Root has patched CVE-2026-41726 in the io.root.org.springframework.kafka:spring-kafka package for Root:Maven. Multiple fixed versions available...
ROOT-APP-NPM-CVE-2026-48779 CVE-2026-48779 in @rootio/ws - Patched by Root
Root has patched CVE-2026-48779 in the @rootio/ws package for Root:npm. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-49853 CVE-2026-49853 in rootio-tornado - Patched by Root
Root has patched CVE-2026-49853 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2025-47287 CVE-2025-47287 in rootio-tornado - Patched by Root
Root has patched CVE-2025-47287 in the rootio-tornado package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2026-42308 CVE-2026-42308 in rootio-pillow - Patched by Root
Root has patched CVE-2026-42308 in the rootio-pillow package for Root:PyPI. Multiple fixed versions available...
ROOT-APP-PYPI-CVE-2024-28219 CVE-2024-28219 in rootio-pillow - Patched by Root
Root has patched CVE-2024-28219 in the rootio-pillow package for Root:PyPI. Multiple fixed versions available...
CVE-2026-54763
Traefik is an HTTP reverse proxy and load balancer. Prior to v2.11.51, v3.6.22, and v3.7.6, Traefik's BasicAuth, DigestAuth, and ForwardAuth middlewares strip canonical-cased spoofed identity headers before writing Traefik's own value, but do not account for underscore-variant header names, which...
GHSA-75VM-6W67-GWVP Coder's OIDC email_verified type coercion bypass enables account takeover via unverified email linking
Summary Coder's OIDC callback checked emailverified with a direct Go bool type assertion. When an IdP returned the claim as a non-boolean for example the string "false" or omitted it, the assertion failed open and the email was treated as verified. Combined with an unconditional email-based accou...
ROOT-OS-DEBIAN-12-CVE-2026-32739 CVE-2026-32739 in rootio-libheif - Patched by Root
Root has patched CVE-2026-32739 in the rootio-libheif package for Root:Debian:12. Multiple fixed versions available...