
312 matches found

CVE
added 2026/05/26 4:58 p.m. | 25 views

CVE-2026-8855

IBM HTTP Server versions 8.5 and 9.0 are affected by CVE-2026-8855, with remote code execution and denial of service when TLS mutual authentication is configured. The issue is documented by IBM and reflected in NVD with high-severity vectors (NETWORK, no user interaction). The IBM PSIRT bulletin ...

CVSS 9.8 | AI score 6.5 | EPSS 0.00456
Exploits: 0 | References: 1 | Affected Software: 1
GithubExploit
added 2026/05/06 3:4 p.m. | 82 views

Exploit for Double Free in Apache Http_Server

This is a proactive tool for security auditing. For your GitHub...

CVSS 8.8 | AI score 6 | EPSS 0.06759
Exploits: 16
Cvelist
added 2026/04/17 5:47 p.m. | 29 views

CVE-2025-65104 Firebird: Information leak vulnerability in firebird3 client when used with newer server

Firebird is an open-source relational database management system. The FB3 versions of the client library placed incorrect data length values into XSQLDA fields when communicating with FB4 or higher servers, resulting in an information leak. This issue is fixed by upgrading to the FB4 client or...

CVSS 7.9 | EPSS 0.00185
Exploits: 0 | References: 2
Snyk
added 2026/04/16 10:48 p.m. | 4 views

Insufficient Granularity of Access Control

Overview: Affected versions of this package are vulnerable to Insufficient Granularity of Access Control due to inadequate authorization checks in the POST /api/agents/:id/keys, GET /api/agents/:id/keys, and DELETE /api/agents/:id/keys/:keyId routes. An attacker can gain unauthorized access to sensitive...

CVSS 8.5 | AI score 5.8
Exploits: 0 | References: 4
Debian CVE
added 2026/04/06 9:19 p.m. | 8 views

CVE-2026-22675

OCS Inventory NG Server versions 2.12.3 and prior contain a stored cross-site scripting vulnerability that allows unauthenticated attackers to execute arbitrary JavaScript by submitting malicious User-Agent HTTP headers to the /ocsinventory endpoint. Attackers can register rogue agents or craft...

CVSS 6.1 | AI score 6 | EPSS 0.00218
Exploits: 0
EUVD
added 2026/04/01 6:36 p.m. | 5 views

EUVD-2026-17921

Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow...

CVSS 5.4 | AI score 5.9 | EPSS 0.00167
Exploits: 0 | References: 2
NVD
added 2026/03/26 1:16 p.m. | 3 views

CVE-2025-41359

Vulnerability related to an unquoted service path in Small HTTP Server 3.06.36, specifically affecting the executable located at 'C:\Program Files x86\shttpsmg\http.exe service'. This misconfiguration allows a local attacker to place a malicious executable with the same name in a higher priority...

CVSS 8.5 | EPSS 0.00155
Exploits: 0 | References: 1
vulnersOsv
added 2026/03/19 6:21 p.m. | 6 views

@openinc/parse-server-opendash (>=4.0.0 <=4.0.3) potentially affected by CVE-2026-33323 via parse-server (=9.6.0-alpha.37)

parse-server NPM version =9.6.0-alpha.37 is affected by a known vulnerability. The following packages have a transitive dependency on parse-server and may be impacted: @openinc/parse-server-opendash >=4.0.0, <=4.0.3. Source CVEs: CVE-2026-33323. Source advisory: SNYK:JS-PARSESERVER-15701837...

CVSS 6.3 | AI score 5.8 | EPSS 0.00322
Exploits: 0
Packet Storm
added 2026/03/11 12:0 a.m. | 103 views

BuptLab DNS Relay Server 1.0 Buffer Underflow

This is a proof of concept exploit that leverages a remote heap buffer underflow denial of service vulnerability in BuptLab DNS Relay Server version 1.0.0 that was recently discovered by Antonius...

AI score 6
Exploits: 0
NVD
added 2026/03/03 10:16 p.m. | 3 views

CVE-2026-3130

Improper Enforcement of Behavioral Controls in Devolutions Server 2025.3.15 and earlier allows an authenticated attacker with the delete permission to delete a PAM account that is currently checked out by selecting it alongside at least one non-checked-out account and performing a bulk deletion...

CVSS 9.8 | EPSS 0.00447
Exploits: 0 | References: 1
OSV
added 2026/02/26 4:27 p.m. | 6 views

GO-2025-4260 Mattermost doesn't verify that post actions invoking `/share-issue-publicly` were created by the Jira plugin in github.com/mattermost/mattermost-server

Mattermost doesn't verify that post actions invoking /share-issue-publicly were created by the Jira plugin in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If...

CVSS 4.1 | AI score 5.6 | EPSS 0.00146
Exploits: 0 | References: 5
OSV
added 2026/02/24 9:16 p.m. | 5 views

CVE-2025-46320

A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7...

CVSS 6.1 | AI score 5.9 | EPSS 0.00219
Exploits: 0 | References: 1
Cvelist
added 2026/02/15 3:29 p.m. | 25 views

CVE-2026-26369 JUNG eNet SMART HOME server 2.2.1/2.3.1 Privilege Escalation via setUserGroup

eNet SMART HOME server 2.2.1 and 2.3.1 contain a privilege escalation vulnerability due to insufficient authorization checks in the setUserGroup JSON-RPC method. A low-privileged user (UGUSER) can send a crafted POST request to /jsonrpc/management specifying their own username to elevate their...

CVSS 9.8 | EPSS 0.00637
Exploits: 2 | References: 2
OSV
added 2026/01/28 1:16 a.m. | 4 views

CVE-2026-21569

This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high...

CVSS 7.9 | AI score 5.9 | EPSS 0.00297
Exploits: 0 | References: 2
Broadcom
added 2026/01/27 12:0 a.m. | 14 views

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses

Faulty input validation in the core of Apache allows malicious or exploitable backend/content generators to split HTTP responses. This issue affects Apache HTTP Server: through 2.4.58...

CVSS 7.3 | AI score 7.2 | EPSS 0.03914
Exploits: 0
Talos
added 2026/01/20 12:0 a.m. | 5 views

MedDream PACS Premium encapsulatedDoc reflected cross-site scripting (XSS) vulnerability

Talos Vulnerability Report TALOS-2025-2256: MedDream PACS Premium encapsulatedDoc reflected cross-site scripting (XSS) vulnerability. January 20, 2026. CVE Number: CVE-2025-54157. Summary: A reflected cross-site scripting (XSS) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS...

CVSS 6.1 | AI score 5.8 | EPSS 0.00286
Exploits: 1
RedhatCVE
added 2026/01/09 9:49 a.m. | 11 views

CVE-2020-24376

A DNS rebinding vulnerability in the UPnP IGD implementations in Freebox v5 before 1.5.29 and Freebox Server before 4.2.3...

CVSS 9.6 | AI score 7 | EPSS 0.00997
Exploits: 0 | References: 1
CNNVD
added 2025/12/30 12:0 a.m. | 10 views

TrueConf Server Security Vulnerability

TrueConf Server is a self-hosted and secure video collaboration platform from the Russian company TrueConf. A security vulnerability exists in TrueConf Server version 5.5.2.10813, which stems from improper cleanup of user input in the Meeting Location field and could lead to a stored cross-site...

CVSS 8.7 | AI score 5.6 | EPSS 0.00261
Exploits: 1 | References: 3
RedhatCVE
added 2025/12/14 8:51 p.m. | 6 views

CVE-2025-66573

Solstice Pod API versions 5.5 and 6.2 contain an unauthenticated API endpoint /api/config that exposes sensitive information such as the session key, server version, product details, and display name. Unauthorized users can extract live session information by accessing this endpoint without...

CVSS 7.5 | AI score 6.8 | EPSS 0.00264
Exploits: 1 | References: 1
NVD
added 2025/12/11 10:15 p.m. | 2 views

CVE-2024-58288

Genexus Protection Server 9.7.2.10 contains an unquoted service path vulnerability in the protsrvservice Windows service configuration. Attackers can exploit the unquoted binary path to execute arbitrary code with elevated LocalSystem privileges by placing malicious executables in specific file...

CVSS 8.7 | EPSS 0.00322
Exploits: 0 | References: 4