8 matches found
CVE-2026-41237 Froxlor has an incomplete fix for CVE-2026-30932
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping...
CVE-2026-41236 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without...
CVE-2025-71281
XenForo before 2.3.7 contains a template method-call restriction bypass. The issue stems from a loose prefix match instead of a strict first-word match for methods accessible via callbacks and variable method calls in templates, potentially allowing unauthorized method invocations. Affected softw...
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function...
CVE-2025-64723
Summary: Arduino IDE for macOS prior to 2.3.7 had overly permissive security entitlements that could bypass the macOS Hardened Runtime protections, enabling an attacker to inject malicious dynamic libraries into the process and access all TCC permissions granted to the app. Impact (as stated): by...
CVE-2025-62415 bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...
PT-2024-36184 · Unknown · Yalla Ya! Simple Payment
Name of the Vulnerable Software and Affected Versions: yalla ya! Simple Payment versions 2.3.7 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS, where an attacker can...
mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications...