PT-2026-42539
Name of the Vulnerable Software and Affected Versions: LiteLLM versions prior to 1.83.10. Description: An issue exists where the '/user/update' endpoint does not restrict which fields a user can modify when updating their own account. This allows a user to change their user role to proxy admin,...
PT-2026-42613
This is not applicable if an application is configuring the Secrets Store to store credentials. Please make sure to follow the best practices when deploying in production. In OpenMetadata 1.12.1, a non-admin SSO user can trigger a TEST CONNECTION workflow for a Database Service and receive, in the...
VulnCheck KEV: CVE-2026-34926
A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...
PT-2026-42465
Name of the Vulnerable Software and Affected Versions: Apex One on-premise versions prior to SP1 Build 18012; Apex One new installs versions prior to 17079; Apex One SaaS agent versions prior to 14.0.20731. Description: A directory traversal issue in the on-premise management server allows an attacker...
LiteLLM Security Vulnerability
LiteLLM is an open-source application developed by Berri AI. It can utilize all LLM APIs in the OpenAI format. Prior to version 1.83.10, LiteLLM had a security vulnerability. This vulnerability stemmed from the lack of restrictions on the fields that could be modified by the /user and /update...
PT-2026-42547
Concrete CMS 9.5.0 and below contains a CSRF vulnerability in the install_package method of concrete/controllers/single_page/dashboard/extend/install.php. An attacker who can cause an authenticated administrator to visit a crafted page, and who has placed or caused a package to be present under...
PT-2026-42414
Name of the Vulnerable Software and Affected Versions: Netatalk versions 2.2.2 through 4.4.2. Description: An authentication bypass allows a remote privileged user to authenticate as an arbitrary user through the admin auth user mechanism. Recommendations: Update to version 4.5.0...
Concrete CMS Security Vulnerability
Concrete CMS is an open-source content management system designed for teams. Concrete CMS versions 9.5.0 and earlier have security vulnerabilities. These vulnerabilities stem from a lack of authorization in the bulkuserassignment.php file, which may lead to permissions being granted to...
F5 Networks BIG-IP : iControl REST and tmsh vulnerability (K000160788)
The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.1 / 17.5.1.4 / 21.0.0.1. It is, therefore, affected by a vulnerability as referenced in the K000160788 advisory. When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed iControl REST and BIG-IP TMOS...
F5 Networks BIG-IP : BIG-IP Appliance mode vulnerability (K000158971)
The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.1 / 17.5.1.4 / 21.0.0.1. It is, therefore, affected by a vulnerability as referenced in the K000158971 advisory. A vulnerability exists in BIG-IP systems that may allow an authenticated attacker with administrative...
CVE-2026-39960
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute...
Exploit for CVE-2026-2587
CVE-2026-2587 — GlassFish EL Injection RCE...
EUVD-2026-31192
Mantis Bug Tracker (MantisBT) is an open source issue tracker. Versions 2.28.1 and below contain flawed logic that causes improper escaping of a textarea custom field's contents in the Update Issue page (bug_update_page.php), allowing an attacker to inject HTML and, if CSP settings permit, execute...
CVE-2026-9139
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a hard-coded credential vulnerability in the embedded web configuration interface where authentication is implemented entirely in client-side JavaScript in login.zhtml, exposing static plaintext credentials in the page source...
CVE-2026-9141
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains an authentication bypass vulnerability in the embedded web configuration interface that allows unauthenticated attackers to access internal application pages without any session management or server-side authentication checks. Attacker...
CVE-2026-9144
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...
CVE-2026-2812
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This...
CVE-2026-9144 Taiko AG1000-01A Rev 7.3/8 Stored XSS via Web Configuration Interface
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrative form fields...