82314 matches found
GeoServer Demo Request Endpoint - Server Side Request Forgery
It is possible to achieve Server Side Request Forgery SSRF via the Demo request endpoint if Proxy Base URL has not been set. An unauthenticated user can supply a request that will be issued by the server, allowing enumeration of internal networks and, in the case of cloud instances, access to...
Reflected XSS - Telerik Reporting Module
Cross-site scripting vulnerability in Telerik.ReportViewer.WebForms.dll in Telerik Reporting for ASP.NET WebForms Report Viewer control before R1 2017 SP2 11.0.17.406 allows remote attackers to inject arbitrary web script or HTML via the bgColor parameter to Telerik.ReportViewer.axd. id:...
AJ-Report < 1.4.1 - Remote Code Execution
AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rul...
Wipro Holmes Orchestrator 20.4.1 - Information Disclosure
Wipro Holmes Orchestrator 20.4.1 20.4.102112020 allows remote attackers to download arbitrary files, such as reports containing sensitive information, because authentication is not required for API access to processexecution/DownloadExcelFile/DomainCredentialReportExcel,...
CVE-2026-35152
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API runreports endpoint in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run...
CVE-2026-35152 Apache Fineract: SQL injection in runreports endpoint
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API runreports endpoint in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run...
EUVD-2026-44604
A SQL Injection vulnerability exists in Apache Fineract's Report Execution API runreports endpoint in versions up to and including 1.14.0. Report parameter values are incorporated into the generated SQL query without sufficient validation, allowing an authenticated user with permission to run...
CVE-2026-15751 mastergo-design mastergo-magic-mcp mcp__getComponentGenerator component-workflow.md execute path traversal
A security vulnerability has been detected in mastergo-design mastergo-magic-mcp up to 0.2.0. The affected element is the function execute of the file mastergo/component-workflow.md of the component mcpgetComponentGenerator. The manipulation of the argument rootPath leads to path traversal. An...
CVE-2026-15751
CVE-2026-15751 affects the mastergo-design mastergo-magic-mcp component set up to version 0.2.0. The vulnerability targets the execute function in mastergo/component-workflow.md for mcp__getComponentGenerator, where manipulation of the rootPath argument enables path traversal. Exploitation is loc...
GHSA-9MC4-RQMQ-H467 vulnerabilities
Vulnerabilities for packages: python...
Microsoft PowerBI Report Server Spoofing Vulnerability
Improper neutralization of input during web page generation 'cross-site scripting' in Power BI allows an authorized attacker to perform spoofing over a network...
CVE-2026-15625
creationtimestamp| type| source ---|---|--- 2026-07-14 06:12:24+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqlkfme2yr2x...
CVE-2026-15675 code-projects Online Job Portal EditUser.php sql injection
A vulnerability was identified in code-projects Online Job Portal 1.0. The affected element is an unknown function of the file /Admin/EditUser.php. Such manipulation of the argument UserId leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be...
EUVD-2026-43621
A vulnerability was found in louisho5 picobot up to 0.2.0. This issue affects the function ExecTool.Execute of the file internal/agent/tools/exec.go of the component exec Tool. The manipulation results in os command injection. The attack requires a local approach. The exploit has been made public...
EUVD-2026-43553
A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The...
KLA91151 Multiple vulnerabilities in Microsoft SQL Server
Multiple vulnerabilities were found in Microsoft SQL Server. Malicious users can exploit these vulnerabilities to bypass security restrictions, execute arbitrary code, gain privileges, obtain sensitive information, spoof user interface. Below is a complete list of vulnerabilities: 1. An elevation...
WordPress Booking Package plugin <= 1.7.20 - Unauthenticated SQL Injection vulnerability
Unauthenticated SQL Injection vulnerability discovered by PRISM in WordPress Plugin Booking Package versions = 1.7.20...
EUVD-2026-43276
A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. Th...
CVE-2026-15521 makafeli n8n-workflow-builder update_node_from_file server.cjs path traversal
A vulnerability was identified in makafeli n8n-workflow-builder up to 0.11.0. Affected is an unknown function of the file build/server.cjs of the component updatenodefromfile. The manipulation of the argument filePath leads to path traversal. An attack has to be approached locally. The exploit is...
CVE-2026-15478
A flaw has been found in IceHRM up to 35.0.1. This impacts an unknown function of the file core/src/Reports/User/Reports/EmployeeAttendanceReport.php of the component UserReport Endpoint. Executing a manipulation of the argument employeeList can lead to sql injection. The attack can be launched...