20 matches found
CVE-2026-23638
Kiteworks is a private data network PDN. Prior to version 9.3.0, an Insecure Direct Object Reference IDOR vulnerability in Kiteworks Secure Data Forms allows an authenticated attacker to tamper with the internal approval flow configurations of forms belonging to other users due to insufficient...
CVE-2026-33656
EspoCRM is an open source customer relationship management application. Prior to version 9.3.4, EspoCRM's built-in formula scripting engine allowing updating attachment's sourceId thus allowing an authenticated admin to overwrite the sourceId field on Attachment entities. Because sourceId is...
EUVD-2026-33837
Kiteworks is a private data network PDN. Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch...
EUVD-2026-32947
EspoCRM is an open source customer relationship management application. Prior to 9.3.5, the POST /api/v1/EmailTemplate/:id/prepare endpoint accepts an emailAddress parameter and resolves the owning entity Contact, Lead, Account, or User without performing an ACL check. An authenticated user with...
PT-2026-32509
EspoCRM is an open source customer relationship management application. Versions 9.3.3 and below have a stored HTML injection vulnerability that allows any authenticated user with standard non-administrative privileges to inject arbitrary HTML into system-generated email notifications by crafting...
GHSA-CJG8-H5QC-HRJV kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
Impact PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured...
CVE-2026-25063
CVE-2026-25063 affects the gradle-completion project (Bash and Zsh completion for Gradle). The issue is a command injection in the Bash completion logic up to and including version 9.3.0, where Gradle task names or descriptions containing backticks can be evaluated as shell commands during Bash t...
CVE-2026-21940
Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain component: User and User Group. The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of...
Malicious code in @cheqplease/structured-logger (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7f4111b892bba0089b3619c99cd5135fa3693d4a78c790a23017e359beff0cd8 The package @cheqplease/structured-logger was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-32906
Malicious code in v0-core npm...
CVE-2025-58174
LDAP Account Manager LAM is a webfrontend for managing entries stored in an LDAP directory. LAM before 9.3 allows stored cross-site scripting in the Profile section via the profile name field, which renders untrusted input as HTML and executes a supplied script for example a script element. An...
CVE-2023-22700
Cross-Site Request Forgery CSRF vulnerability in PixelYourSite PixelYourSite โ Your smart PIXEL TAG Manager plugin = 9.3.0 versions...
CVE-2019-17121
REDCap before 9.3.4 has XSS on the Customize & Manage Locking/E-signatures page via Lock Record Custom Text values...
๐ ABB Cylon FLXeon 9.3.5 siteGuide.js Authenticated Directory Traversal
The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated file traversal via the /api/siteGuide endpoint. An attacker with valid credentials can manipulate the filename parameter to move and access or overwrite arbitrary files. The issue arises due to improper input validation in...
LoLLMs Operating System Command Injection Vulnerability
LoLLMs is a Web UI for a large language multimodal system by the individual developer Saifeddine ALOUI. An operating system command injection vulnerability exists in LoLLMs version 9.3 that stems from improper neutralization of special elements used in operating system commands, which could allow...
IBM MQ Appliance Security Vulnerability
The IBM MQ Appliance is an all-in-one appliance for rapid deployment of enterprise-class messaging middleware from International Business Machines IBM. A security vulnerability exists in IBM MQ Appliance version 9.3 that stems from improper security key authentication. An attacker exploited the...
DEBIAN-CVE-2023-38408
The PKCS11 feature in ssh-agent in OpenSSH before 9.3p2 has an insufficiently trustworthy search path, leading to remote code execution if an agent is forwarded to an attacker-controlled system. Code in /usr/lib is not necessarily safe for loading into ssh-agent. NOTE: this issue exists because o...
TOTOLINK LR350 ๅฝไปคๆณจๅ ฅๆผๆด
TOTOLINK LR350 is a wireless router from China Gion Electronics TOTOLINK. A security vulnerability exists in TOTOLINK LR350 version V9.3.5u.6369B20220309. An attacker can exploit this vulnerability to conduct a command injection attack via the hostname parameter of the setOpModeCfg method...
CVE-2023-33653
Sitecore Experience Platform XP v9.3 was discovered to contain an authenticated remote code execution RCE vulnerability via the component /Applications/Content%20Manager/Execute.aspx?cmd=convert&mode=HTML...
CVE-2018-17447
An Information Exposure Through Log Files issue was discovered in Citrix SD-WAN 10.1.0 and NetScaler SD-WAN 9.3.x before 9.3.6 and 10.0.x before 10.0.4...