21 matches found

Cvelist · added 2026/05/11 9:17 p.m.

CVE-2026-42564 jotty·page: Unauthenticated Path Traversal leads to sensitive file disclosure and session-token reuse impact

jotty·page is a self-hosted app for your checklists and notes. Prior to 1.22.0, an unauthenticated path traversal vulnerability exists in /api/app-icons/filename. The filename route parameter is joined into a filesystem path without traversal/boundary validation, allowing file reads outside...

CVSS 8.2 · EPSS 0.00066 · Exploits 0 · References 1

CVE · added 2026/05/11 9:17 p.m.

CVE-2026-42564

CVE-2026-42564 affects jotty.page (self-hosted notes/checklists app). Before version 1.22.0, there is an unauthenticated path traversal in the /api/app-icons/[filename] endpoint: the filename parameter is directly joined into a filesystem path without traversal/boundary validation, allowing reads...

CVSS 8.2 · AI score 5.8 · EPSS 0.00066 · Exploits 0 · References 1
Tenable Nessus · added 2026/04/02 12:00 a.m.

Devolutions Server < 2025.3.18 / 2026.1.x < 2026.1.12 Multiple Vulnerabilities (DEVO-2026-0010)

The version of Devolutions Server installed on the remote host is prior to 2025.3.18 or 2026.1.x prior to 2026.1.12. It is, therefore, affected by multiple vulnerabilities, including: - Improper authentication in the OAuth login functionality allows a remote attacker with valid credentials to...

CVSS 8.2 · AI score 5.9 · EPSS 0.00051 · Exploits 0 · References 5

CVE · added 2026/04/01 2:50 p.m.

CVE-2026-4924

CVE-2026-4924 concerns Devolutions Server 2026.1.11 and earlier, where improper authentication in the 2FA feature allows a remote attacker with valid credentials to bypass MFA and gain unauthorized access by reusing a partially authenticated session token. The affected component is the 2FA mechan...

CVSS 8.2 · AI score 5.9 · EPSS 0.00017 · Exploits 0 · References 1 · Affected software 1

Positive Technologies · added 2026/04/01 12:00 a.m.

PT-2026-29538

Improper authentication in the two-factor authentication 2FA feature in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multifactor authentication and gain unauthorized access to the victim account via reuse of a partially authenticated session...

AI score 5.9 · EPSS 0.00017 · Exploits 0 · References 2

EUVD · added 2025/10/07 12:30 a.m.

EUVD-2020-5559

Malware in sbrugna...

CVSS 8.1 · AI score 7.9 · EPSS 0.00186 · Exploits 0 · References 4

EUVD · added 2025/10/03 8:07 p.m.

EUVD-2025-9330

Malicious code in bioql PyPI...

CVSS 4.6 · AI score 6.6 · EPSS 0.00346 · Exploits 0 · References 3

Tenable Nessus · added 2025/08/18 12:00 a.m.

Linux Distros Unpatched Vulnerability : CVE-2020-13299

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could...

CVSS 8.1 · AI score 7.6 · EPSS 0.00186 · Exploits 0 · References 2

RedhatCVE · added 2025/05/22 9:22 p.m.

CVE-2021-41553

In ARCHIBUS Web Central 21.3.3.815, a version from 2014, the web application in /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the...

CVSS 9.8 · AI score 7 · EPSS 0.00629 · Exploits 0

RedhatCVE · added 2025/05/22 6:21 p.m.

CVE-2021-25981

Talkyard regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34 are vulnerable to Insufficient Session Expiration. This may allow an attacker to reuse the admin’s still-valid session token even after the admin has logged out, to gain admin privileges, given the attack...

CVSS 10 · AI score 7 · EPSS 0.02105 · Exploits 0 · References 1

NVD · added 2025/04/01 5:15 p.m.

CVE-2025-28132

A session management flaw in Nagios Network Analyzer 2024R1.0.3 allows an attacker to reuse session tokens even after a user logs out, leading to unauthorized access and account takeover. This occurs due to insufficient session expiration, where session tokens remain valid beyond logout, allowing...

CVSS 4.6 · EPSS 0.00346 · Exploits 0 · References 2

RedhatCVE · added 2025/02/13 11:33 a.m.

CVE-2024-45386

A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES...

CVSS 8.8 · AI score 6.9 · EPSS 0.00246 · Exploits 0 · References 1

NVD · added 2025/02/11 11:15 a.m.

CVE-2024-45386

A vulnerability has been identified in SIMATIC PCS neo V4.0 (All versions), SIMATIC PCS neo V4.1 (All versions < V4.1 Update 2), SIMATIC PCS neo V5.0 (All versions < V5.0 Update 1), SIMOCODE ES V19 (All versions < V19 Update 1), SIRIUS Safety ES V19 (TIA Portal) (All versions < V19 Update 1), SIRIUS Soft Starter ES...

CVSS 8.8 · EPSS 0.00246 · Exploits 0 · References 1

CVE · added 2025/02/11 10:28 a.m.

CVE-2024-45386

The CVE-2024-45386 entry concerns Siemens SIMATIC PCS neo (v4.0, v4.1 < Update 2, v5.0 < Update 1), SIMOCODE ES v19 (< Update 1), SIRIUS Safety ES v19 (TIA Portal) (< Update 1), SIRIUS Soft Starter ES (TIA Portal) (< Update 1), and TIA Administrator (

CVSS 8.8 · AI score 8.6 · EPSS 0.00246 · Exploits 0 · References 1

Positive Technologies · added 2024/07/09 12:00 a.m.

PT-2024-5559

Name of the Vulnerable Software and Affected Versions: FortiAIOps version 2.0.0. Description: The issue is related to insufficient session expiration in the FortiAIOps graphical user interface, allowing an attacker to reuse stolen old session tokens. This could enable a remote attacker to gain...

CVSS 9.8 · AI score 6.5 · EPSS 0.00804 · Exploits 0 · References 6

CNNVD · added 2024/07/09 12:00 a.m.

Fortinet FortiAIOps code issue vulnerability

Fortinet FortiAIOps is a Fortinet networking solution that combines artificial intelligence and machine learning (AI/ML). A code issue vulnerability exists in Fortinet FortiAIOps version 2.0.0, which stems from the presence of multiple sessions that have insufficiently expired, and ca...

CVSS 9.8 · AI score 7 · EPSS 0.00804 · Exploits 0 · References 2

Positive Technologies · added 2022/05/10 12:00 a.m.

PT-2022-3425 · Siemens · Desigo Pxc4 +3

Name of the Vulnerable Software and Affected Versions: Desigo DXR2 versions prior to V01.21.142.5-22 Desigo PXC3 versions prior to V01.21.142.4-18 Desigo PXC4 versions prior to V02.20.142.10-10884 Desigo PXC5 versions prior to V02.20.142.10-10884 Description: A vulnerability has been identified i...

CVSS 9.1 · AI score 9.1 · EPSS 0.00253 · Exploits 0 · References 5

Vulnrichment · added 2022/01/18 4:52 p.m.

CVE-2021-37866 Session is not invalidated on server-side when user logged out of Boards

Mattermost Boards plugin v0.10.0 and earlier fails to invalidate a session on the server side when a user logs out of Boards, which allows an attacker to reuse an old session token for authorization...

CVSS 4.7 · AI score 4.8 · EPSS 0.0019 · Exploits 1 · References 2

NVD · added 2021/10/05 4:15 p.m.

CVE-2021-41553

In ARCHIBUS Web Central 21.3.3.815, a version from 2014, the web application in /archibus/login.axvw assigns a session token that could already be in use by another user. It was therefore possible to access the application as a user whose credentials were not known, without any attempt by the...

CVSS 9.8 · EPSS 0.00629 · Exploits 0 · References 1

Positive Technologies · added 2021/10/05 12:00 a.m.

PT-2021-23327 · Archibus · Archibus Web Central

Name of the Vulnerable Software and Affected Versions: ARCHIBUS Web Central versions 21.3.3.815 and earlier Description: The issue arises from the Web Application in /archibus/login.axvw, where a session token could be assigned that is already in use by another user. This allowed access to the...

CVSS 9.8 · AI score 6.9 · EPSS 0.00629 · Exploits 0 · References 4