4987 matches found
EUVD-2026-40377
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to...
CVE-2026-58138 Orkes Conductor 3.21.21 < 3.30.2 Unauthenticated RCE via GraalVM Script Evaluators
Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary OS commands by submitting inline workflow definitions containing malicious JavaScript or Python expressions to the workflow API endpoint prior to...
EUVD-2026-40356
RuoYi-Vue-Plus through 5.6.2, fixed in commit 88d03d9, exposes workflow task management endpoints under /workflow/task FlwTaskController without any permission check: the controller declares no class-level or method-level authorization annotation, so the endpoints are gated only by global...
Security Bulletin: NVIDIA AIStore Framework - June 2026
NVIDIA has released a software update for NVIDIA® AIStore™ framework. To protect your system, download and install the latest version of the NVIDIA AIStore framework. Go to NVIDIA Product Security. Details The following table summarizes the potential vulnerabilities that this security update...
EUVD-2026-40168
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payloadbuildstep table with an always-satisfied or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payloadbuildstep to read stepstdout, stepstderr, stepname, and...
PYSEC-2026-254 AgentScope path traversal vulnerability
A path traversal vulnerability exists in the modelscope/agentscope application, affecting all versions. The vulnerability is present in the /delete-workflow endpoint, allowing an attacker to delete arbitrary files from the filesystem. This issue arises due to improper input validation, enabling t...
dotCMS Core Publish Audit API - Unauthenticated SQL Injection
dotCMS Core 25.11.04-1 through 26.04.28-02 contains an SQL injection caused by unsanitized input in Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll, letting remote unauthenticated attackers read, modify, or destroy arbitrary database content, exploit requires ...
UBUNTU-CVE-2026-53289
In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in iceresetallvfs iceresetallvfs ignores the return value of icevfrebuildvsi. When the VSI rebuild fails e.g. during NVM firmware update via nvmupdate64e, icevsirebuild tears down the VSI on its...
CVE-2026-53289 ice: fix NULL pointer dereference in ice_reset_all_vfs()
In the Linux kernel, the following vulnerability has been resolved: ice: fix NULL pointer dereference in iceresetallvfs iceresetallvfs ignores the return value of icevfrebuildvsi. When the VSI rebuild fails e.g. during NVM firmware update via nvmupdate64e, icevsirebuild tears down the VSI on its...
EUVD-2026-39744
Administrator SQL Injection in WP All Import = 4.0.1 versions...
CVE-2026-57628 WordPress WP All Import plugin <= 4.0.1 - SQL Injection vulnerability
Administrator SQL Injection in WP All Import = 4.0.1 versions...
CVE-2026-57628
CVE-2026-57628 : Concrete details across connected sources show an Admin SQL Injection vulnerability in the WordPress WP All Import plugin, versions
CVE-2026-54837 WordPress Intranet & Private Site – All-In-One Intranet plugin <= 1.8.1 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Intranet & Private Site All-In-One Intranet = 1.8.1 versions...
CVE-2026-54837
The WordPress plugin All-In-One Intranet (Intranet & Private Site) <= 1.8.1 exposes unauthenticated Broken Access Control. Affected software is the All-In-One Intranet WordPress plugin (version
EUVD-2026-39680
Unauthenticated Broken Access Control in Intranet & Private Site All-In-One Intranet = 1.8.1 versions...
WordPress WP All Import plugin <= 4.0.1 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin WP All Import versions = 4.0.1...
CVE-2026-13325 Virt-handler-rhel9: kubevirt: kubevirt: disabletls migration setting removes authentication, exposing unauthenticated virtqemud proxy on all interfaces
A flaw was found in KubeVirt's migration proxy. When spec.configuration.migrations.disableTLS is set to true on the KubeVirt custom resource, the target virt-handler binds a plain TCP listener on all interfaces 0.0.0.0/:: on a random port with no authentication, peer allow-list, or handshake toke...
CVE-2026-13325
The CVE-2026-13325 issue affects KubeVirt’s migration proxy. When spec.configuration.migrations.disableTLS is set to true, the target virt-handler binds a plain TCP listener on all interfaces (0.0.0.0/::) on a random port with no authentication, peer allow-list, or handshake token. This listener ...
PT-2026-52799
Administrator SQL Injection in WP All Import = 4.0.1 versions...
PT-2026-53018
Name of the Vulnerable Software and Affected Versions linkify-it versions prior to 5.0.1 Description LinkifyIt.prototype.match, the primary public API of the library, exhibits ON² algorithmic complexity when processing inputs containing numerous fuzzy links or emails. This occurs because the...