Lucene search
K

137 matches found

Cvelist
Cvelist
added 2026/06/24 8:55 p.m.54 views

CVE-2026-45687 Rocket.Chat: Authenticated Arbitrary Data Export Theft via Mass Assignment in sendFileMessage

Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's sendFileMessage DDP method passes the entire attacker-supplied file object into Uploads.updateFileComplete, which merges it...

8.5CVSS0.00205EPSS
Exploits0References1
CVE
CVE
added 2026/06/24 8:55 p.m.12 views

CVE-2026-45687

CVE-2026-45687 affects Rocket.Chat prior to fixed versions (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, 7.10.11). The issue lies in the sendFileMessage DDP path, where the attacker-provided file object is passed to Uploads.updateFileComplete and merged into a MongoDB $set via Object.assign ...

8.5CVSS5.9AI score0.00205EPSS
Exploits0References1
OSV
OSV
added 2026/06/20 6:49 a.m.2 views

SUSE-SU-2026:22187-1 Security update for perl-HTTP-Daemon

This update for perl-HTTP-Daemon fixes the following issue - CVE-2026-8450: HTTP: Daemon versions before 6.17 for Perl allow OS command injection via sendfile bsc1266370...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.6 views

Fedora 43 : perl-HTTP-Daemon (2026-f276b2154e)

The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-f276b2154e advisory. Changes: 6.17 2026-05-19 23:11:06Z - Fix CVE-2026-8450 affects 6.15 and earlier: 2-arg open in sendfile enabled RCE / arbitrary file write / response-body...

9.1CVSS6.1AI score0.01231EPSS
Exploits0References2
OSV
OSV
added 2026/06/18 7:24 a.m.4 views

SUSE-SU-2026:2442-1 Security update for perl-HTTP-Daemon

This update for perl-HTTP-Daemon fixes the following issues: - CVE-2026-8450: Fixed OS command injection via sendfile bsc1266370...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/08 12:0 a.m.9 views

Amazon Linux 2023 : perl-HTTP-Daemon, perl-HTTP-Daemon-tests (ALAS2023-2026-1794)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1794 advisory. HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd...

9.1CVSS5.6AI score0.01231EPSS
Exploits0References4
Amazon
Amazon
added 2026/06/08 12:0 a.m.12 views

Important: perl-HTTP-Daemon

Issue Overview: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or...

9.1CVSS5.5AI score0.01231EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/06 6:42 a.m.13 views

CVE-2026-8450

A flaw was found in HTTP::Daemon, a Perl module used for creating HTTP servers. A remote attacker can exploit this vulnerability by providing specially crafted input to the sendfile function, leading to OS command injection. This allows the attacker to execute arbitrary commands on the system wit...

9.1CVSS6AI score0.01231EPSS
Exploits0References6
OSV
OSV
added 2026/05/29 5:12 a.m.13 views

MGASA-2026-0157 Updated perl-HTTP-Daemon package fixes a security vulnerability

The updated package fixes a security vulnerability: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. CVE-2026-8450...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References4
Mageia
Mageia
added 2026/05/29 5:12 a.m.19 views

Updated perl-HTTP-Daemon package fixes a security vulnerability

The updated package fixes a security vulnerability: HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. CVE-2026-8450...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/05/27 10:58 a.m.11 views

SUSE CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

8.1CVSS5.8AI score0.01231EPSS
Exploits0References6
UbuntuCve
UbuntuCve
added 2026/05/27 5:16 a.m.19 views

CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References6
OSV
OSV
added 2026/05/27 5:16 a.m.14 views

UBUNTU-CVE-2026-8450

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References7
CVE
CVE
added 2026/05/27 4:22 a.m.106 views

CVE-2026-8450

CVE-2026-8450 affects HTTP::Daemon before 6.17 (Perl). The vulnerability allows OS command execution via the send_file() function, which opens its string argument with Perl’s 2-arg open(). The 2-arg form supports magic prefixes: “| cmd” and “cmd |” to pipe to a subprocess, and “> path”/“>&g...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References11
Vulnrichment
Vulnrichment
added 2026/05/27 4:22 a.m.11 views

CVE-2026-8450 HTTP::Daemon versions before 6.17 for Perl allow OS command injection via send_file()

HTTP::Daemon versions before 6.17 for Perl allow OS command injection via sendfile. sendfile opens its string argument with Perl's 2-arg open. The 2-arg form interprets magic prefixes: '| cmd' and 'cmd |' open a pipe to a subprocess, ' path' and ' path' open the path for write or append. Untruste...

5.8AI score0.01231EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.16 views

PT-2026-43494

Name of the Vulnerable Software and Affected Versions HTTP::Daemon versions prior to 6.17 Description OS command injection is possible through the send file function. This occurs because send file utilizes Perl's 2-arg open function, which interprets magic prefixes. Specifically, prefixes like '|...

9.1CVSS5.8AI score0.01231EPSS
Exploits0References38
RedhatCVE
RedhatCVE
added 2026/01/09 10:48 a.m.5 views

CVE-2022-31539

The kotekan/kotekan repository through 2021.11 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...

9.3CVSS7AI score0.01118EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:48 a.m.8 views

CVE-2022-31568

The Rexians/rex-web repository through 2022-06-05 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...

9.3CVSS7AI score0.01118EPSS
Exploits1References1
CNVD
CNVD
added 2025/10/21 12:0 a.m.3 views

Newforma Project Center Server Cross-Site Scripting Vulnerability

Newforma Project Center Server is a project information management solution for the Architecture, Engineering and Construction AEC industry from Newforma for centralized storage and management of project documents and collaboration. Newforma Project Center suffers from a cross-site scripting...

5.5CVSS6.2AI score0.00201EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/10/09 8:22 p.m.4 views

CVE-2025-35060 Newforma Info Exchange (NIX) stored XSS via SVG file upload

Newforma Info Exchange NIX provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent...

5.5CVSS6.4AI score0.00201EPSS
Exploits0References2
Rows per page
Query Builder