EUVD-2026-19986

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts fro...

Six Apart Movable Type 代码注入漏洞

Six Apart Movable Type is an application system developed by the Six Apart company in the United States. It offers features such as multi-user access, comments, Trackbacks, and themes. Six Apart Movable Type has a code injection vulnerability; this vulnerability can be exploited by code injection...

Fleet 操作系统命令注入漏洞

Fleet is an open-source device management platform developed by Fleet Device Management. It supports various operating systems and devices, and helps IT and security teams with device management, vulnerability reporting, MDM operations, etc. Versions of Fleet prior to 4.81.1 contained a...

PT-2026-31544

Name of the Vulnerable Software and Affected Versions Sonatype Nexus Repository versions 3.22.1 through 3.90.2 Description A flaw exists in the task management component of Sonatype Nexus Repository. An authenticated attacker possessing task creation permissions can execute arbitrary code,...

IBM多款产品 安全漏洞

IBM Verify Identity Access Container is a product of the American multinational company International Business Machines IBM. IBM Verify Identity Access Container is a containerized software that provides identity authentication and authorization capabilities for applications. IBM Security Verify...

CVE-2026-1342 Security Vulnerabilities have been found in IBM Verify Identity Access and IBM Security Verify Access

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to execute malicious scripts fro...

CVE-2026-35164

Brave CMS is an open-source CMS. Prior to 2.0.6, an unrestricted file upload vulnerability exists in the CKEditor upload functionality. It is found in app/Http/Controllers/Dashboard/CkEditorController.php within the ckupload method. The method fails to validate uploaded file types and relies...

EUVD-2026-19923

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVE-2026-39400

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

CVE-2026-28808

A flaw was found in Erlang OTP inets modules. A remote unauthenticated attacker could exploit an incorrect authorization vulnerability when CGI Common Gateway Interface scripts are served via scriptalias. This vulnerability arises from a path mismatch where access controls are evaluated against a...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization through the approval process for local scripts in pnpm dlx. An attacker can execute unauthorized or modified scripts by replacing an approved local script after...

GHSA-W6WX-JQ6J-6MCJ OpenClaw: pnpm dlx approvals did not bind local script operands

Summary Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval. Impact An operator could approve a benign...

OpenClaw: pnpm dlx approvals did not bind local script operands

Summary Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval. Impact An operator could approve a benign...

CVE-2026-22683

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

CVE-2026-22683

Windmill versions 1.56.0 through 1.614.0 contain a missing authorization vulnerability that allows users with the Operator role to perform prohibited entity creation and modification actions via the backend API. Although Operators are documented and priced as unable to create or modify entities,...

Exposure of Resource to Wrong Sphere

Overview electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Exposure of Resource to Wrong Sphere via the window.open function. An attacker can gain access to or manipulate the browsin...

DEBIAN-CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...

CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...

CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...

UBUNTU-CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...