Spring Security 安全漏洞

Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. There is a security vulnerability in Spring Security, which occurs when using Spring Security to specify HTTP response headers for servlet applications, and the HTTP...

CVE-2026-27128

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a Time-of-Check-Time-of-Use TOCTOU race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The getTokenRoute method reads a token’s...

CVE-2026-27126

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting XSS vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVE-2026-27129 Cloud Metadata SSRF Protection Bypass via IPv6 Resolution

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

CVE-2026-27127 Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebindi...

CVE-2026-27127 Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebindi...

CVE-2026-27126

CVE-2026-27126 : Connected docs reveal a concrete vulnerability in Craft CMS: a stored XSS in the editableTable.twig component when using the HTML column type. The flaw allows an attacker to inject arbitrary JavaScript via a table field with Column Type HTML, exploiting it in normal viewing and w...

CVE-2026-27126

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, a stored Cross-site Scripting XSS vulnerability exists in the editableTable.twig component when using the html column type. The application fails to sanitize the input, allowing an attack...

CVE-2025-15438

A vulnerability was determined in PluXml up to 5.8.22. Affected is the function FileCookieJar::destruct of the file core/admin/medias.php of the component Media Management Module. Executing a manipulation of the argument File can lead to deserialization. The attack can be launched remotely. The...

Hutool Security Vulnerabilities

Hutool is a small but complete Java tool library from the Chinese Dromara community. A security vulnerability exists in Hutool version v5.8.23, which stems from an infinite loop in the StrSplitter.splitByRegex function. An attacker can exploit the vulnerability to trigger a Denial of Service DoS ...

PT-2023-31758 · Unknown · Hutool-Core

Name of the Vulnerable Software and Affected Versions: hutool-core version 5.8.23 Description: The NumberUtil.toBigDecimal method in hutool-core was discovered to contain a stack overflow. Recommendations: For hutool-core version 5.8.23, consider disabling the toBigDecimal method in the NumberUti...

Hutool Security Vulnerabilities

Hutool is a small but complete Java tool library from the Chinese Dromara community. A security vulnerability exists in Hutool version v5.8.23, which stems from a stack overflow vulnerability in the NumberUtil.toBigDecimal method...