CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

141 matches found

CVE-2026-48616

Rocket.Chat versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rcroomtype=l with rcrid+rctoken, but the authorization path does not verify...

9.3CVSS0.00277EPSS

Exploits0References2

CVE•added 3 days ago•7 views

CVE-2026-48616

CVE-2026-48616 affects Rocket.Chat Livechat file downloads in multiple legacy branches (versions

9.3CVSS8.4AI score0.00277EPSS

Exploits0References2Affected Software1

CVE•added 3 days ago•11 views

CVE-2026-48929

Rocket.Chat versions older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 are vulnerable to unauthenticated file deletion through the deleteFileMessage Meteor method. When called over an unauthenticated DDP WebSocket connection, Meteor.userId() returns null, bypassing the auth...

7.5CVSS7.3AI score0.00643EPSS

Exploits0References2Affected Software1

Positive Technologies•added 3 days ago•12 views

PT-2026-50128

Rocket.Chat versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rc room type=l with rc rid+rc token, but the authorization path does not...

9.3CVSS5.3AI score0.00277EPSS

Exploits0References3

Positive Technologies•added 3 days ago•10 views

PT-2026-50131

Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...

7.5CVSS5.3AI score0.00643EPSS

Exploits0References3

NVD•added 2026/06/09 5:16 a.m.•16 views

CVE-2026-8841

The Extra Settings for RocketChat plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'rocketchat' shortcode's 'title' attribute in versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping in the rxstgshortcode function, which...

6.4CVSS0.00187EPSS

Exploits0References3

RedhatCVE•added 2026/06/05 7:49 p.m.•5 views

CVE-2026-29198

In Rocket.Chat 8.3.0, 8.2.1, 8.1.2, 8.0.3, 7.13.5, 7.12.6, 7.11.6, and 7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured...

9.8CVSS5.5AI score0.00308EPSS

Exploits0References1

RedhatCVE•added 2026/06/05 7:20 p.m.•5 views

CVE-2026-32995

The Rocket.Chat DDP method autoTranslate.translateMessage in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12 accepts a client-supplied IMessage object and passes it directly to translateMessage without checking Meteor.userId or verifying room membership. Any authenticated D...

7.5CVSS7.2AI score0.00283EPSS

Exploits0References1

vulnersOsv•added 2026/05/29 5:51 p.m.•3 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47210 via org.webjars.npm:vm2 (=3.9.19)

org.webjars.npm:vm2 MAVEN version =3.9.19 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:vm2 and may be impacted: - org.webjars.npm:degenerator =4.0.4 - org.webjars.npm:pac-resolver =6.0.2 - org.webjars.npm:rocket.chatapps-engine =1.35...

5.5AI score0.00883EPSS

Exploits0

vulnersOsv•added 2026/05/29 5:50 p.m.•5 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47137 via org.webjars.npm:vm2 (=3.9.19)

5.5AI score0.00705EPSS

Exploits0

vulnersOsv•added 2026/05/29 5:49 p.m.•5 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47209 via org.webjars.npm:vm2 (=3.9.19)

5.5AI score0.00506EPSS

Exploits0

vulnersOsv•added 2026/05/29 5:44 p.m.•3 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47135 via org.webjars.npm:vm2 (=3.9.19)

5.5AI score0.00442EPSS

Exploits0

vulnersOsv•added 2026/05/29 5:33 p.m.•4 views

org.webjars.npm:degenerator (=4.0.4), org.webjars.npm:pac-resolver (=6.0.2) +1 more potentially affected by CVE-2026-47131 via org.webjars.npm:vm2 (=3.9.19)

5.5AI score0.00697EPSS

Exploits0

NVD•added 2026/05/28 5:16 a.m.•10 views

CVE-2026-32995

7.5CVSS0.00283EPSS

Exploits0References2

Cvelist•added 2026/05/28 4:1 a.m.•29 views

CVE-2026-32995

7.5CVSS0.00283EPSS

Exploits0References2

EUVD•added 2026/05/28 4:1 a.m.•8 views

EUVD-2026-32711

7.5CVSS7.1AI score0.00283EPSS

Exploits0References2

CVE•added 2026/05/28 4:1 a.m.•29 views

CVE-2026-32995

The CVE-2026-32995 entry affects Rocket.Chat: the DDP method autoTranslate.translateMessage in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12. The underlying issue is that the method accepts a client-supplied IMessage object and passes it directly to translateMess...

7.5CVSS7.1AI score0.00283EPSS

Exploits0References2

CNNVD•added 2026/05/28 12:0 a.m.•6 views

Rocket.Chat 安全漏洞

Rocket.Chat is a chat software developed by the Rocket.Chat company. Vulnerabilities exist in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12. These vulnerabilities stem from the DDP method autoTranslate.translateMessage, which accepts an IMessage object provided b...

7.5CVSS7.1AI score0.00283EPSS

Exploits0References2

CNNVD•added 2026/05/19 12:0 a.m.•6 views

Rocket.Chat 访问控制错误漏洞

Rocket.Chat is a chat software developed by the Rocket.Chat company. Vulnerabilities in access control existed in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12. These vulnerabilities stemmed from the lack of room access checks for the...

5.3CVSS6.1AI score0.00252EPSS

Exploits0References1