135 matches found
EUVD-2026-40112
Unauthenticated Insecure Direct Object References IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce = 2.9.0 versions...
CVE-2026-55583
Twenty, before version 2.9.0, is affected by a cross-workspace insecure direct object reference in the AI agent monitor’s Resolver (agent-turn.resolver.ts). The query paths agentTurns(agentId) and evaluateAgentTurn(turnId) retrieved rows by agentId or id without restricting workspaceId, and guard...
WordPress ListingPro theme <= 2.9.11 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Theme ListingPro versions = 2.9.11...
Astra Linux – Vulnerability in Ansible
A flaw was discovered in Ansible Engine when using Ansible Vault to edit encrypted files. When a user executes “ansible-vault edit”, another user on the same computer can read the old and new secrets. This occurs because the secrets are created in a temporary file using mkstemp, and after the fil...
Astra Linux – Vulnerability in freerdp2
FreeRDP is a free remote desktop protocol library and client. Versions of FreeRDP affected by this issue lack input length validation in the “drive” channel. A malicious server can trick a FreeRDP-based client into reading out-of-bound data and sending it back to the server. This issue has been...
EUVD-2026-37624
Unauthenticated Cross Site Scripting XSS in WPFunnels Pro = 2.9.4 versions...
EUVD-2026-36899
Unauthenticated Sensitive Data Exposure in Affiliates Manager = 2.9.50 versions...
CVE-2026-26237
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later...
CVE-2026-44083 QuMagie
An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later...
CVE-2026-26236 QuMagie
A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later...
CVE-2026-44847
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns None, , which Django REST Framework interprets as successful authentication...
CVE-2026-44847 MaxKB: Webhook Trigger Authentication Bypass
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.0, MaxKB's webhook trigger endpoint /api/trigger/v1/webhook/triggerid is accessible without authentication. The WebhookAuth class unconditionally returns None, , which Django REST Framework interprets as successful authentication...
CVE-2026-45412 MaxKB: Unauthenticated SSRF via Workflow Template Import
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...
CVE-2026-45412
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...
PT-2026-43406
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...
Important: Red Hat Security Advisory: Assisted Installer RHEL 9 components for Multicluster Engine for Kubernetes 2.9.4
Assisted installer RHEL 9 components for the multicluster engine for Kubernetes 2.9.4 General Availability release, with updates to container images. Assisted Installer RHEL 9 integrates components for the general multicluster engine for Kubernetes 2.9.4 release that simplify the process of...
eduMFA: Unauthenticated Failcounter Increment on Resolver Tokens via /validate/check
Impact If the resolver parameter is passed, but the user does not exist, all failcounters of tokens in that resolver will be increased. Patches This, along with other issues, was fixed in eduMFA v2.9.1. Workarounds Limiting access to /validate/check to client applications i.e. Shibboleth/FreeRADI...
CVE-2026-44183
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...
CVE-2026-44184 Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads
Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials. When DisableAuthForLocalAddresses ...
Unity Linux 20.1060e / 20.1070e Security Update: libxml2 (UTSA-2026-017422)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017422 advisory. A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an...