CVE-2026-11372

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2025-33128

IBM Engineering Workflow Management 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...

CVE-2026-8059

IBM Datacap 9.1.7, 9.1.8, and 9.1.9 and IBM Datacap Navigator 9.1.7, 9.1.8, and 9.1.9 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to...

CVE-2026-11372

IBM TRIRIGA Application Platform versions 5.0.2–5.0.3 are affected by a cross-site scripting (XSS) vulnerability in the Web UI that an authenticated user can abuse to embed arbitrary JavaScript, potentially leading to credentials disclosure within a trusted session. The issue is tracked as CVE-20...

EUVD-2026-38280

IBM TRIRIGA Application Platform 5.0.2 through 5.0.3 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted...

CVE-2025-33128

The CVE-2025-33128 affects IBM Engineering Workflow Management (part of IBM Engineering Lifecycle Management). Affected versions are 7.0.3 through 7.0.3 Interim Fix 020, and 7.1 through 7.1 Interim Fix 007. The issue is a cross-site scripting (XSS) vulnerability in the Web UI that lets an authent...

CVE-2026-20262 Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...

Cisco Catalyst SD-WAN Manager Arbitrary File Write Vulnerability

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...

PT-2026-49259

Name of the Vulnerable Software and Affected Versions Cisco Catalyst SD-WAN Manager affected versions not specified Description A directory or path traversal issue exists in the web UI of Cisco Catalyst SD-WAN Manager formerly SD-WAN vManage. The flaw occurs because the software does not properly...

VulnCheck KEV: CVE-2026-20262

A vulnerability in the web UI of Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, could allow an authenticated, remote attacker to create a file or overwrite any file on the filesystem of an affected system. This vulnerability exists because the affected software does not properly validate...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS : Transmission vulnerability (USN-8404-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 / 26.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-8404-1 advisory. It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker...

CVE-2026-0273

A command injection vulnerability in Palo Alto Networks PAN-OS® software enables an authenticated administrator to bypass system restrictions and run arbitrary commands as a root user. To be able to exploit this issue, the user must have access to the PAN-OS CLI or Web UI. The security risk posed...

CVE-2026-0273

CVE-2026-0273 is a command injection vulnerability in Palo Alto Networks PAN-OS software that allows an authenticated administrator to bypass system restrictions and execute arbitrary commands as root. The issue affects PAN-OS on PA-Series and VM-Series firewalls and Panorama , with access requir...

CVE-2026-0412 Insufficient input validation vulnerability in NETGEAR JR6150 Web UI

Insufficient input validation vulnerability in NETGEAR JR6150 AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014 allows administrators connected to the local network to make unauthorized modification of router software and functionality. NETGEAR JR6150 reached End-of-Support status in...

CVE-2026-0412 Insufficient input validation vulnerability in NETGEAR JR6150 Web UI

Insufficient input validation vulnerability in NETGEAR JR6150 AC750 WiFi Router 802.11ac Dual Band Gigabit released in 2014 allows administrators connected to the local network to make unauthorized modification of router software and functionality. NETGEAR JR6150 reached End-of-Support status in...

Hermes Web UI 操作系统命令注入漏洞

Hermes Web UI is a lightweight, dark-themed web interface developed by Nathan Esquenazi. Versions of Hermes Web UI prior to 0.51.311 contained a vulnerability related to operating system command injection. This vulnerability stemmed from a problem with remote code execution, which could allow...

PT-2026-48119

Name of the Vulnerable Software and Affected Versions Hermes WebUI versions prior to 0.51.296 Description An authenticated attacker can bypass workspace boundary checks by exploiting an early return in the SSH/remote terminal profile workspace resolution logic within the remote terminal workspace...

GHSA-273Q-QGH5-WRJ6 nebula-mesh's web UI lacks CSRF tokens on /ui/* mutating endpoints

Every /ui/ POST / PUT / PATCH / DELETE route processes the request as soon as the session cookie validates. SameSite=Lax on the session cookie prevents most cross-site form submits but does not protect: - top-level form-submit navigations from third-party pages some browsers still send Lax cookie...

nebula-mesh: Web UI and API responses lack security headers (CSP, X-Frame-Options, HSTS, etc.)

None of the response paths in internal/web/ or internal/api/ set the standard browser-security headers. grep for Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy returns zero matches across the codebase. Impact The admin UI signs CA...

USN-8404-1: Transmission vulnerability

It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker could possibly use this issue to trick users into performing unintended actions...