
129 matches found

NVD
added last week, 6 views

CVE-2026-42071

Mantis Bug Tracker MantisBT is an open source issue tracker. From 2.23.0 to 2.28.1, a missing authorization check in MantisBT's file visibility function allows any authenticated user REPORTER+ to download attachments on private bugnotes they should not be able to access, via the REST API endpoint...

CVSS 7.2, EPSS 0.00046
Exploits: 0, References: 5
Positive Technologies
added 2026/05/16 12:00 a.m., 6 views

PT-2026-41430

Syncplify.me Server! 5.0.37 contains an unquoted service path vulnerability in the SMWebRestServicev5 service that allows local attackers to escalate privileges by exploiting the unquoted binary path. Attackers can insert a malicious executable into the service path and execute it with LocalSyste...

CVSS 8.5, AI score 5.9, EPSS 0.00013
Exploits: 0, References: 5
vulnersOsv
added 2026/05/15 6:30 p.m., 3 views

com.oviva.telematik:epa4all-rest-service (>=0.0.4 <=1.2.1) potentially affected by CVE-2026-45575 via com.oviva.telematik:epa4all-client (>=0.0.4 <=1.2.1)

com.oviva.telematik:epa4all-client MAVEN version =0.0.4, =0.0.4, =1.2.1 Source cves: CVE-2026-45575 Source advisory: OSV:GHSA-GQX7-6552-67HF...

AI score 5.8, EPSS 0.00009
Exploits: 0
vulnersOsv
added 2026/05/15 6:29 p.m., 3 views

com.oviva.telematik:epa4all-rest-service (>=0.0.4 <=1.2.1) potentially affected by CVE-2026-45574 via com.oviva.telematik:epa4all-client (>=0.0.4 <=1.2.1)

com.oviva.telematik:epa4all-client MAVEN version =0.0.4, =0.0.4, =1.2.1 Source cves: CVE-2026-45574 Source advisory: OSV:GHSA-5HHF-XMFX-4VVR...

AI score 5.8, EPSS 0.00006
Exploits: 0
Snyk
added 2026/05/13 3:29 p.m., 3 views

Access Control Bypass

Overview Affected versions of this package are vulnerable to Access Control Bypass in the handling of internal service references by the Gateway API provider. An attacker can gain unauthorized dynamic configuration write access by creating or updating an HTTPRoute that targets rest@internal, even...

CVSS 9.9, AI score 5.8, EPSS 0.00016
Exploits: 1, References: 2
CVE
added 2026/05/07 10:45 p.m., 9 views

CVE-2026-8115

CVE-2026-8115 affects gyoridavid short-video-maker (up to v1.3.4). The vulnerability is in the REST API component, specifically the file path src/server/routers/rest.ts. An input manipulation of req.params.tmpFile enables path traversal, with remote exploitation possible. Public exploit exists. T...

CVSS 6.9, AI score 5.7, EPSS 0.00016
Exploits: 0, References: 5
NVD
added 2026/03/21 12:16 a.m., 1 view

CVE-2026-3474

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action function in the TemplateData class passing user-supplied input from the 'emailkit-editor-templat...

CVSS 4.9, EPSS 0.00077
Exploits: 0, References: 8
Tenable Nessus
added 2026/03/18 12:00 a.m., 1 view

Linux Distros Unpatched Vulnerability : CVE-2026-32632

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Glances is an open-source system cross-platform monitoring tool. Glances recently added DNS rebinding protection for the MCP endpoint, but prior to version 4.5....

CVSS 5.9, AI score 5.9, EPSS 0.00028
Exploits: 1, References: 3
OSV
added 2026/03/16 4:26 p.m., 2 views

GHSA-CVWP-R2G2-J824 Glances has Incomplete Secrets Redaction: /api/v4/args Endpoint Leaks Password Hash and SNMP Credentials

Summary The GHSA-gh4x fix commit 5d3de60 addressed unauthenticated configuration secrets exposure on the /api/v4/config endpoints by introducing asdictsecure redaction. However, the /api/v4/args and /api/v4/args/item endpoints were not addressed by this fix. These endpoints return the complete...

CVSS 7.5, AI score 5.8, EPSS 0.00082
Exploits: 1, References: 5
OSV
added 2026/03/09 12:16 a.m., 0 views

CVE-2026-3789

A vulnerability was detected in Bytedesk up to 1.3.9. Affected is the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/gitee/SpringAIGiteeRestService.java of the component SpringAIGiteeRestController. Performing a manipulation of the argument apiUrl...

CVSS 8.8, AI score 5.5
Exploits: 0, References: 9
CNNVD
added 2026/03/09 12:00 a.m., 4 views

Bytedesk code issue vulnerability

Bytedesk is a multi-channel intelligent customer service platform developed by the individual developers of bytedesk.com. Versions of Bytedesk 1.3.9 and earlier contained code vulnerabilities. These vulnerabilities stemmed from incorrect handling of the parameter apiUrl in the file...

CVSS 8.8, AI score 6.7, EPSS 0.00147
Exploits: 1, References: 9
CVE
added 2026/03/08 11:32 p.m., 4 views

CVE-2026-3789

CVE-2026-3789 affects Bytedesk up to version 1.3.9, specifically the getModels function in SpringAIGiteeRestService.java within SpringAIGiteeRestController. The vulnerability arises from manipulating the apiUrl argument, leading to server-side request forgery and remote exploitation. An exploit i...

CVSS 8.8, AI score 6.2, EPSS 0.00147
Exploits: 1, References: 9, Affected software: 1
CNNVD
added 2026/03/08 12:00 a.m., 2 views

Bytedesk code issue vulnerability

Bytedesk is a multi-channel intelligent customer service platform developed by the individual developers of bytedesk.com. Versions of Bytedesk 1.3.9 and earlier have code vulnerabilities. These vulnerabilities stem from operations on the handleFileUpload function in the UploadRestService.java fil...

CVSS 8.8, AI score 6.7, EPSS 0.00147
Exploits: 1, References: 8
Tenable Nessus
added 2026/03/04 12:00 a.m., 3 views

Plone Python Library Multiple Vulnerabilities (20230921)

The detected version of the Plone Python package, plone, is prior to version 5.2.14 or 6.x prior to 6.0.7. It is, therefore, affected by the following vulnerabilities: - Multiple stored cross-site scripting vulnerabilities exist when handling SVG images. An authenticated, remote attacker can...

CVSS 7.5, AI score 6.1, EPSS 0.00503
Exploits: 1, References: 4
OSV
added 2026/02/24 8:27 p.m., 1 view

CVE-2026-3131

Improper access control in multiple DVLS REST API endpoints in Devolutions Server 2025.3.14.0 and earlier allows an authenticated user with view-only permission to access sensitive connection data...

CVSS 6.5, AI score 5.8, EPSS 0.00048
Exploits: 0, References: 1
vulnersOsv
added 2026/02/18 3:05 p.m., 2 views

org.glassfish.main.admingui:console-commandrecorder-plugin (>=7.0.16 <=9.0.0-M2), org.glassfish.main.featuresets:debug (>=6.2.5 <=9.0.0-M2) +5 more potentially affected by CVE-2025-14340 via org.glassfish.main.admin:rest-service (>=5.0.1 <=9.0.0-M2)

org.glassfish.main.admin:rest-service MAVEN version =5.0.1, =7.0.16, =6.2.5, =7.1.0, =7.1.0, =5.0.1, =5.0.1, =5.0.1, =9.0.0-M2 Source cves: CVE-2025-14340 Source advisory: SNYK:JAVA-ORGGLASSFISHMAINADMIN-15323111...

CVSS 9.3, AI score 5.8, EPSS 0.00567
Exploits: 1
Vulnrichment
added 2026/02/04 10:32 p.m., 1 view

CVE-2026-1894 WeKan REST API checklistItems.js Checklist REST Bleed improper authorization

A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the atta...

CVSS 6.5, AI score 6.1, EPSS 0.00015
Exploits: 0, References: 6
RedhatCVE
added 2026/01/09 9:27 a.m., 6 views

CVE-2023-31011

NVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure...

CVSS 8.8, AI score 6.9, EPSS 0.00182
Exploits: 0, References: 1
RedhatCVE
added 2026/01/09 9:26 a.m., 4 views

CVE-2023-31012

NVIDIA DGX H100 BMC contains a vulnerability in the REST service where an attacker may cause improper input validation. A successful exploit of this vulnerability may lead to escalation of privileges and information disclosure...

CVSS 8.8, AI score 6.9, EPSS 0.0019
Exploits: 0, References: 1
RedhatCVE
added 2026/01/07 9:12 a.m., 4 views

CVE-2024-2244

REST service authentication anomaly with “valid username/no password” credential combination for batch job processing resulting in successful service invocation. The anomaly doesn’t exist with other credential combinations...

CVSS 5.3, AI score 7.2, EPSS 0.0017
Exploits: 0, References: 1