18 matches found
CVE-2026-42594
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent...
CVE-2026-42590 Gotenberg: ExifTool group-prefix syntax bypasses dangerous-tag blocklist
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.30.0, The ExifTool metadata write blocklist in Gotenberg can be bypassed using ExifTool's group-prefix syntax, enabling arbitrary file rename, move, hardlink, and symlink creation on the server. ExifTool supports group-prefix...
CVE-2026-42595 Gotenberg: Server-Side Request Forgery via Chromium URL Endpoint with Redirect-Based Deny-List Bypass
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, Gotenberg's Chromium URL-to-PDF endpoint /forms/chromium/convert/url has no default protection against HTTP/HTTPS-based SSRF. The default deny-list regex only blocks file:// URIs. An unauthenticated attacker can point...
CVE-2026-42594
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the webhook middleware spawns a goroutine that holds a reference to the request's echo.Context after the synchronous handler returns ErrAsyncProcess and Echo recycles the context back to its sync.Pool. When a concurrent...
CVE-2026-42593
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, pdfengines/merge, pdfengines/split, libreoffice/convert, chromium/convert/url, chromium/convert/html, and chromium/convert/markdown accept stampSource=pdf + stampExpression=/path and watermarkSource=pdf +...
CVE-2026-42591 Gotenberg: Server-Side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely...
Gotenberg 安全漏洞
Gotenberg is an open-source, developer-friendly API developed by Gotenberg. It is used to convert various document formats into PDF files. Versions of Gotenberg prior to 8.32.0 contained security vulnerabilities. These vulnerabilities stemmed from timing issues in the DNS parsing of...
CVE-2026-35581
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACENAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing she...
CVE-2026-30844 Wekan Vulnerable to SSRF through Lack of Validation or Filtering in Attachment URL Loading
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...
CVE-2026-30844
Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 are vulnerable to Server-Side Request Forgery SSRF via attachment URL loading. During board import in Wekan, attachment URLs from user-supplied JSON data are fetched directly by the server without any URL validation or...
CVE-2026-30843
Wekan versions 8.32 and 8.33 contain a critical Insecure Direct Object Reference (IDOR) in custom fields update endpoints, allowing cross-board modification of custom fields. The PUT /api/boards/:boardId/custom-fields/:customFieldId endpoint validates board access but uses the field’s _id as a fi...
Fedora 43 : gitleaks (2025-55bf0b6949)
The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-55bf0b6949 advisory. Update to 8.30.0 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested f...
CVE-2025-57462
Stored cross-site scripting xss in machsol machpanel 8.0.32 allows attackers to execute arbitrary web scripts or HTML via a crafted PDF file...
KioWare 安全漏洞
KioWare is a suite of self-service terminal browser software. The software has the ability to restrict end-user access to certain interfaces. A security vulnerability exists in KioWare 8.33 and earlier versions, which stems from the presence of an incomplete blacklist filter, and can be exploited...
CVE-2021-23182
Cleartext Storage of Sensitive Information in Memory vulnerability in Gallagher Command Centre Server allows OSDP reader master keys to be discoverable in server memory dumps. This issue affects: Gallagher Command Centre 8.40 versions prior to 8.40.1888 MR3; All versions of 8.30...
Gallagher Group Command Centre SQL Injection Vulnerability
Gallagher Group Command Centre is a centralized control tool for Gallagher access control systems from Gallagher Group New Zealand. A SQL injection vulnerability exists in Gallagher Group Command Centre, which can be exploited by a remote attacker to execute arbitrary SQL against a third-party...
PCRE Denial of Service Vulnerability (CNVD-2015-02118)
PCRE Perl Compatible Regular Expressions is a Perl library that includes a library of perl-compatible regular expressions. A denial of service vulnerability exists in PCRE 8.36 and earlier versions, which can be exploited by a remote attacker to cause stack exhaustion leading to a denial of servi...
PT-2014-8764 · Philip Hazel +6 · Pcre +6
Name of the Vulnerable Software and Affected Versions: PCRE versions 8.36 and earlier Description: A heap-based buffer overflow issue allows remote attackers to cause a denial of service crash or have other unspecified impact via a crafted regular expression, related to an assertion that allows...