CVE-2026-44184 Cleanuparr: Reflective CORS combined with trusted-network auth allows cross-origin admin API reads

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials. When DisableAuthForLocalAddresses ...

EUVD-2026-29726

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, Cleanuparr's global CORS policy reflects every request Origin and combines it with AllowCredentials. When DisableAuthForLocalAddresses ...

CVE-2026-44184

CVE-2026-44184 affects Cleanuparr prior to 2.9.10. The issue stems from Cleanuparr’s global CORS policy reflecting every Origin and combining it with AllowCredentials(), enabling cross-origin reads of authenticated API responses. If DisableAuthForLocalAddresses is enabled, requests can also be au...

CVE-2026-44183

CVE-2026-44183 affects Cleanuparr prior to 2.9.10. The vulnerability arises because TrustedNetworkAuthenticationHandler.ResolveClientIp uses the leftmost entry of the X-Forwarded-For header as the client IP, which is attacker-controlled since X-Forwarded-For is append-only. An unauthenticated rem...

CVE-2026-44183 Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

CVE-2026-44183 Cleanuparr: X-Forwarded-For leftmost parsing allows remote unauthenticated admin takeover when reverse-proxy mode is enabled

Cleanuparr is a tool for automating the cleanup of unwanted or blocked files in Sonarr, Radarr, and supported download clients like qBittorrent. Prior to 2.9.10, TrustedNetworkAuthenticationHandler.ResolveClientIp parses the leftmost entry of the X-Forwarded-For header as the client IP. That entr...

CVE-2026-42303 Fides: Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was...

CVE-2026-42300

CVE-2026-42300 affects DevGuard’s SessionMiddleware and related components prior to version 1.2.2. The vulnerability arises because a client-supplied header, X-Admin-Token , is accepted and its raw value is used as the authenticated userID when no Kratos session cookie is present. An attacker who...

CVE-2026-42300 DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVE-2026-42300 DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated...

CVE-2026-41086 Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability

...

CVE-2026-41086 Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability

...

CVE-2026-41086

Improper access control in Windows Admin Center allows an authorized attacker to elevate privileges over a network...

CVE-2026-41086

Technical details about CVE-2026-41086 are not publicly available in the provided documents. Monitor for updates from official sources.

CVE-2026-35438

Windows Admin Center (CVE-2026-35438) has a missing authorization flaw that enables an attacker with network access and low privileges to elevate to higher privileges, potentially compromising confidentiality, integrity, and availability. The available documents identify the affected product and ...

CVE-2026-35438 Windows Admin Center Elevation of Privilege Vulnerability

...

CVE-2026-35438 Windows Admin Center Elevation of Privilege Vulnerability

...

CVE-2026-25690

An improper neutralization of argument delimiters in a command 'argument injection' vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an...

CVE-2026-25690

CVE-2026-25690 affects Fortinet FortiDeceptor 6.0.0–6.0.2, 5.3.0–5.3.3, 5.2.0–5.2.1, and all 5.1/5.0 versions. It results from improper neutralization of argument delimiters in a command (argument injection). An authenticated attacker with at least read-only admin privileges can read log files vi...

CVE-2026-25690

An improper neutralization of argument delimiters in a command 'argument injection' vulnerability in Fortinet FortiDeceptor 6.0.0 through 6.0.2, FortiDeceptor 5.3.0 through 5.3.3, FortiDeceptor 5.2.0 through 5.2.1, FortiDeceptor 5.1 all versions, FortiDeceptor 5.0 all versions may allow an...