57353 matches found
Siemens Siveillance Video Management Servers
SUMMARY The Webhooks implementation of Siveillance Video Management Servers contains a vulnerability that could allow an authenticated remote attacker with read-only privileges to achieve full access to Webhooks API. Siemens has released new versions for the affected products and recommends to...
@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/server-core (>=1.5.0 <=1.5.12) +1 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=1.5.0 <=1.5.12)
@cubejs-backend/api-gateway NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
@codefresh-io/cubejs-backend-server-core (>=0.30.77 <=0.35.47-rc.bp.2), @cubejs-backend-json-clone/server (=1.0.0) +15 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=0.27.53 <=1.0.12)
@cubejs-backend/api-gateway NPM version =0.27.53, =0.30.77, =0.3.1, =0.3.1, =0.3.1, =0.8.0, =0.8.0, =0.32.28, =0.29.4, =1.0.0, =0.27.30, =0.30.61, =0.32.0, =0.33.8 and more Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
@cubejs-backend/server (>=1.1.0 <=1.4.0), @cubejs-backend/server-core (>=1.1.0 <=1.4.0) +2 more potentially affected by CVE-2026-25958 via @cubejs-backend/api-gateway (>=1.1.0 <=1.4.0)
@cubejs-backend/api-gateway NPM version =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.4.0 - cubejs-backend-server-core-fork =1.1.3 Source cves: CVE-2026-25958 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265447...
@cubejs-backend/server (>=1.5.0 <=1.5.12), @cubejs-backend/server-core (>=1.5.0 <=1.5.12) +1 more potentially affected by CVE-2026-25957 via @cubejs-backend/api-gateway (>=1.5.0 <=1.5.12)
@cubejs-backend/api-gateway NPM version =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.12 Source cves: CVE-2026-25957 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265448...
@cubejs-backend/server (>=1.1.2 <=1.4.0), @cubejs-backend/server-core (>=1.1.2 <=1.4.0) +2 more potentially affected by CVE-2026-25957 via @cubejs-backend/api-gateway (>=1.1.17 <=1.4.0)
@cubejs-backend/api-gateway NPM version =1.1.17, =1.1.2, =1.1.2, =1.1.2, =1.4.0 - cubejs-backend-server-core-fork =1.1.3 Source cves: CVE-2026-25957 Source advisory: SNYK:JS-CUBEJSBACKENDAPIGATEWAY-15265448...
Improper Handling of Exceptional Conditions
Overview @cubejs-backend/api-gateway is a package that provides idempotent long polling API. Affected versions of this package are vulnerable to Improper Handling of Exceptional Conditions in the Cube API endpoint. An attacker can cause the server to crash and make the API unavailable by sending ...
CVE-2026-25957
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...
CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...
CVE-2026-25957
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...
CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...
CVE-2026-25893 FUXA Unauthenticated Remote Code Execution via Admin JWT Minting
FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has...
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...
CVE-2026-25806
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the GET /api/students/:email PUT /api/students/:email/status, and DELETE /api/students/:email routes in backend/src/routes/student.routes.ts only enforce authentication using authenticateToken but do...
keycloak: Incorrect ownership checks in /uma-policy/
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...
CVE-2026-25497
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to escalate their...
CVE-2025-14778
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService UMA Protection API. When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership against the first...
CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...
CVE-2026-25528 LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary apiurl values through the baggage header, causing the SDK to...
CVE-2026-25528
CVE-2026-25528 affects LangSmith Client SDKs with distributed tracing. The baggage header in HTTP requests could inject replica configurations (api_url/api_key), causing the SDK to send trace data to attacker-controlled endpoints via post()/patch() after a traced operation. Root cause: RunTree.fr...