598 matches found
CVE-2026-62963
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uniwebsocket.compression enabled enforced uniwebsocket.messagesizelimit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but...
CVE-2026-44981
CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed...
CVE-2026-44981 CrowdSec LAPI: Denial of Service via Unbounded Gzip Decompression
CrowdSec offers crowdsourced protection against malicious IPs. From 1.7.0 until 1.7.8, the LAPI router used gin-contrib/gzip with DefaultDecompressHandle globally in pkg/apiserver/controllers/controller.go, causing /v1/watchers and /v1/watchers/login to decompress unauthenticated gzip-compressed...
CVE-2026-62963 Centrifugo: Decompression bomb DoS via permessage-deflate in unidirectional WebSocket transport
Centrifugo is an open-source scalable real-time messaging server. Prior to 6.8.4, Centrifugo unidirectional WebSocket transport with uniwebsocket.compression enabled enforced uniwebsocket.messagesizelimit against compressed wire-frame length in internal/websocket/conn.go advanceFrame, but...
CVE-2026-60065
CVE-2026-60065 affects NGINX Plus when the MQTT filter module (ngx_stream_mqtt_filter_module) is enabled. Unauthenticated attackers can send crafted requests to trigger a heap buffer over-read in an NGINX worker process, potentially causing a restart. Impact is limited to data-plane availability ...
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable i...
CVE-2026-59762 BIG-IP HTTP/2 vulnerability
When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote,...
CVE-2026-45754
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 6.4.40, 7.4.12, and 8.0.12, the Mailjet mailer bridge and LOX24 notifier bridge webhook parsers received configured webhook secrets but did not verify them, allowing unauthenticated POST...
CVE-2026-45755
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged...
CVE-2026-45755 Symfony: Mailtrap Mailer Webhook Parser Never Verifies the X-Mt-Signature HMAC — Unauthenticated Webhook Event Injection
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to 7.4.12 and 8.0.12, MailtrapRequestParser::doParse received the configured webhook secret but ignored the X-Mt-Signature HMAC header, allowing unauthenticated POST requests to inject forged...
CVE-2026-10628 Points and Rewards for WooCommerce <= 2.10.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Modification via Multiple AJAX Actions
The Points and Rewards for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.10.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-57475
Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access an...
CVE-2026-57475
Deloitte AI Assist for Customer had an unauthenticated POST vulnerability on public API endpoints that allowed a remote attacker to perform limited additions to the configuration. These changes were not used by the system. On 2026-03-25, access was restricted and authentication enforced for the e...
CVE-2026-54004
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview...
CVE-2026-54004 Kirby: Access to files of top-level drafts is not protected by permissions
Kirby is an open-source content management system. Prior to 4.9.4 and 5.4.4, Kirby sites with content.fileRedirects enabled could redirect unauthenticated clean file URL requests for files stored in top-level draft pages to physical media URLs without checking page access permissions or preview...
EUVD-2026-42612
n8n is an open source workflow automation platform. Prior to 1.123.61, 2.27.4, and, 2.28.1, an authenticated user with the default workflow:create permission could pollute Object.prototype through a crafted workflow saved, updated, or imported via the workflow API, allowing unauthenticated reques...
PYSEC-2026-1451 User accounts disclosed to unauthenticated actors on the LAN
Summary The login page discloses all active user accounts to any unauthenticated browsing request originating on the Local Area Network. Details Starting the Home Assistant 2023.12 release, the login page returns all currently active user accounts to browsing requests from the Local Area Network...
CVE-2026-57690
The CVE-2026-57690 entry documents an unauthenticated Cross Site Request Forgery (CSRF) in the WordPress Werkstatt theme versions ≤ 4.7.2. The vulnerability affects the Werkstatt theme (WordPress plugin/theme) and is described as CSRF without details on exploit vectors beyond unauthenticated acce...
PT-2026-55202
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 0.15.2 Fleet versions prior to 0.14.6 Fleet versions prior to 0.13.11 Fleet versions prior to 0.12.15 Description An issue exists when the webhook endpoint is configured without a secret, allowing unauthenticated...
CVE-2026-47204
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.26.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, the envoy.filters.http.grpcstats filter crashes null pointer dereference / segfault when a Connect protocol request Content-Type: application/connect+proto...