8007 matches found

CNNVD
added 2026/04/21 12:0 a.m. | 5 views

Oracle Financial Services Transaction Filtering Security Vulnerability

Oracle Financial Services Transaction Filtering is a financial transaction screening system developed by Oracle Corporation. Version 8.1.2.8.0 of Oracle Financial Services Transaction Filtering contains a security vulnerability. This vulnerability stems from issues with the User Interface...

CVSS: 7.5 | AI score: 7.2 | EPSS: 0.00314
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/21 12:0 a.m. | 3 views

PT-2026-34149

Vulnerability in the Oracle Financial Services Transaction Filtering product of Oracle Financial Services Applications component: User Interface. The supported version that is affected is 8.1.2.8.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to...

CVSS: 7.5 | AI score: 5.7 | EPSS: 0.00314
Exploits: 0 | References: 3

Positive Technologies
added 2026/04/21 12:0 a.m. | 7 views

PT-2026-35731

Name of the Vulnerable Software and Affected Versions: nginx-ui versions prior to 2.3.8. Description: An authentication bypass exists in the backup restore functionality. During the first 10 minutes after a fresh installation or any process restart, the 'POST /api/restore' endpoint is completely...

CVSS: 9.8 | AI score: 6 | EPSS: 0.00764
Exploits: 1 | References: 19

CNNVD
added 2026/04/21 12:0 a.m. | 5 views

Oracle Financial Services Customer Screening Security Vulnerability

Oracle Financial Services Customer Screening is a financial customer screening and risk identification system developed by Oracle Corporation. Version 8.1.2.8.0 of Oracle Financial Services Customer Screening contains a security vulnerability. This vulnerability stems from issues with the User...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.00307
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/21 12:0 a.m. | 3 views

PT-2026-34143

Vulnerability in the Oracle Financial Services Analytical Applications Infrastructure product of Oracle Financial Services Applications component: User Interface. Supported versions that are affected are 8.0.7.9, 8.0.8.7 and 8.1.2.5. Difficult to exploit vulnerability allows low privileged attack...

CVSS: 4.8 | AI score: 5.8 | EPSS: 0.00196
Exploits: 0 | References: 3

CVE
added 2026/04/20 8:16 p.m. | 17 views

CVE-2026-34403

CVE-2026-34403 : Nginx-UI before 2.3.5 suffers Cross‑Site WebSocket Hijacking (CSWSH) due to an unsafe WebSocket upgrader that unconditionally sets CheckOrigin to true across all endpoints, enabling authenticated WebSocket connections from attacker‑controlled pages. Token authentication is stored...

CVSS: 8.1 | AI score: 5.7 | EPSS: 0.00176
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2026/04/20 8:12 p.m. | 31 views

CVE-2026-33031 Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an...

CVSS: 8.6 | EPSS: 0.00274
Exploits: 1 | References: 1

RedhatCVE
added 2026/04/20 7:23 p.m. | 1 views

CVE-2026-30898

An example of BashOperator in Airflow documentation suggested a way of passing dagrun.conf in the way that could cause unsanitized user input to be used to escalate privileges of UI user to allow execute code on worker. Users should review if any of their own DAGs have adopted this incorrect advi...

CVSS: 8.8 | AI score: 5.9 | EPSS: 0.00771
Exploits: 0 | References: 1

Tenable Nessus
added 2026/04/20 12:0 a.m. | 1 views

Linux Distros Unpatched Vulnerability : CVE-2026-40179

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting...

CVSS: 6.1 | AI score: 6 | EPSS: 0.0024
Exploits: 0 | References: 2

EUVD
added 2026/04/18 6:19 a.m. | 2 views

EUVD-2026-23664

UI / API User with asset materialize permission could trigger dags they had no access to. Users are advised to migrate to Airflow version 3.2.0 that fixes the issue...

AI score: 5.7 | EPSS: 0.00426
Exploits: 0 | References: 2

CNNVD
added 2026/04/18 12:0 a.m. | 5 views

Apache Airflow Security Vulnerability

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow, whic...

CVSS: 7.5 | AI score: 5.8 | EPSS: 0.00426
Exploits: 0 | References: 2

Positive Technologies
added 2026/04/18 12:0 a.m. | 8 views

PT-2026-38090

Name of the Vulnerable Software and Affected Versions: Google Chrome on iOS versions prior to 148.0.7778.96. Description: A use after free issue in the mobile component allows a remote attacker to execute arbitrary code via a crafted HTML page, provided they can convince a user to perform specific U...

CVSS: 9.6 | AI score: 6.2 | EPSS: 0.00338
Exploits: 0 | References: 143

SUSE CVE
added 2026/04/17 12:4 p.m. | 3 views

SUSE CVE-2026-6308

Out of bounds read in Media in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. Chromium security severity: High...

CVSS: 7.5 | AI score: 6.2 | EPSS: 0.00293
Exploits: 0 | References: 3

Snyk
added 2026/04/17 12:17 a.m. | 1 views

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through incomplete sanitization of the README rendering process in the marketplace UI. An attacker can execute arbitrary scripts in the Electron context with full application privileges by embedding an iframe ta...

CVSS: 6.4 | AI score: 5.5 | EPSS: 0.00261
Exploits: 1 | References: 2

SUSE CVE
added 2026/04/16 11:28 p.m. | 3 views

SUSE CVE-2026-40179

Prometheus is an open-source monitoring system and time series database. Versions 3.0 through 3.5.1 and 3.6.0 through 3.11.1 have stored cross-site scripting vulnerabilities in multiple components of the Prometheus web UI where metric names and label values are injected into innerHTML without...

CVSS: 5.4 | AI score: 5.9 | EPSS: 0.0024
Exploits: 0 | References: 6

Snyk
added 2026/04/16 10:47 p.m. | 6 views

Missing Authentication for Critical Function

Overview: @paperclipai/ui provides prebuilt Paperclip board UI assets. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in several API endpoints that lack proper authentication checks. An attacker can access sensitive data, perform state-changing...

CVSS: 8.7 | AI score: 5.8
Exploits: 0 | References: 2

CVE
added 2026/04/16 9:17 p.m. | 6 views

CVE-2026-34164

CVE-2026-34164 concerns Valtimo, where the InboxHandlingService logged the full content of incoming inbox messages at INFO level across versions 13.0.0–13.21.0. This exposed sensitive data (PII, BSN, case details) to anyone with log access or admin UI users. The issue was fixed in 13.22.0: the lo...

CVSS: 4.9 | AI score: 5.8 | EPSS: 0.00366
Exploits: 0 | References: 5

Snyk
added 2026/04/16 8:43 p.m. | 2 views

Incorrect Authorization

Overview: weblate is a web-based continuous localization system with tight version control integration. Affected versions of this package are vulnerable to Incorrect Authorization in the user API endpoint due to insufficient restriction on the scope of edits. An attacker can gain elevated...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.00391
Exploits: 0 | References: 2

Snyk
added 2026/04/16 8:42 p.m. | 5 views

Insertion of Sensitive Information into Log File

Overview: Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the InboxHandlingService. An attacker can access sensitive information such as personal data, citizen identifiers, and case details by viewing application logs that contain full inbox...

CVSS: 7.1 | AI score: 5.8 | EPSS: 0.00366
Exploits: 0 | References: 2

ATTACKERKB
added 2026/04/16 1:31 p.m. | 3 views

CVE-2026-31987

JWT tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. Users are advised to upgrade to an Airflow version that contains the fix. Users are recommended to upgrade to version 3.2.0, which fixes this issue...

AI score: 5.8 | EPSS: 0.00739
Exploits: 0 | References: 5 | Affected Software: 1