57364 matches found
PT-2026-6207
Name of the Vulnerable Software and Affected Versions Apache Answer versions through 1.7.1 github.com/apache/answer versions prior to 2.0.0 Description An issue exists in Apache Answer where an unauthenticated API endpoint incorrectly exposes the full revision history of deleted content. This...
PT-2026-6476
Summary An XSS vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. An attacker's maliciously crafted song has to be added to Navidrome to exploit the vulnerability. Details The frontend is using React. In...
PT-2026-6101
Name of the Vulnerable Software and Affected Versions AutoGPT versions prior to 0.6.46 Description AutoGPT is a platform for creating and managing AI agents to automate workflows. The Stagehand integration improperly logs API keys and authentication secrets in plaintext using logger.info...
PT-2026-6548
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.1.20 Description An unauthenticated local client could leverage the Gateway WebSocket API to modify configuration settings through the config.apply function. Specifically, the ability to set unsafe cliPath value...
openSUSE 16 Security Update : chromium (openSUSE-SU-2026:20156-1)
The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20156-1 advisory. - Chromium 144.0.7559.109 boo1257404 CVE-2026-1504: Inappropriate implementation in Background Fetch API Tenable has extracted the preceding description...
React Native Community CLI remote command execution
Added: 02/04/2026 Background React Native is a framework for building mobile JavaScript applications. React Native Community CLI is a collection of command line tools that help developers build React Native mobile applications. Problem A vulnerability in React Native Community CLI when running wi...
Docker Desktop 4.44.3 - Unauthenticated API Exposure
Exploit Title: Docker Desktop 4.44.3 - Unauthenticated API Exposure Date: 2025-10-06 Exploit Author: OilSeller2001 Vendor Homepage: https://www.docker.com/ Software Link: https://www.docker.com/products/docker-desktop/ Version: Affected on Windows and macOS versions prior to 4.44.3 Tested on:...
openSUSE 16 Security Update : python-urllib3 (openSUSE-SU-2026:20127-1)
The remote openSUSE 16 host has a package installed that is affected by multiple vulnerabilities as referenced in the openSUSE-SU-2026:20127-1 advisory. - CVE-2025-66471: Fixed excessive resource consumption via decompression of highly compressed data in Streaming API bsc1254867 - CVE-2025-66418:...
WordPress Fortis for WooCommerce plugin <= 1.2.0 - Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint vulnerability
Missing Authorization to Unauthenticated Arbitrary Order Status Update to Paid via 'wc-api' Endpoint vulnerability discovered by Md. Moniruzzaman Prodhan NomanProdhan - Knight Squad in WordPress Plugin Fortis for WooCommerce versions = 1.2.0...
GO-2026-4343 SiYuan has a Reflected Cross-Site Scripting (XSS) via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel
SiYuan has a Reflected Cross-Site Scripting XSS via /api/icon/getDynamicIcon in github.com/siyuan-note/siyuan/kernel...
GO-2026-4344 File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login in github.com/filebrowser/filebrowser
File Browser Vulnerable to Username Enumeration via Timing Attack in /api/login in github.com/filebrowser/filebrowser...
GO-2026-4345 Mailpit has a Server-Side Request Forgery (SSRF) via HTML Check API in github.com/axllent/mailpit
Mailpit has a Server-Side Request Forgery SSRF via HTML Check API in github.com/axllent/mailpit...
CVE-2026-1802 Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection
A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file luci\controller\api\zrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released...
Missing Authentication for Critical Function
Overview fuxa-server is a Web-based Process Visualization SCADA/HMI/Dashboard software Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the /api/upload endpoint, which lacks authentication controls. An attacker can gain administrative access or...
GHSA-2R8F-CF6W-X5VQ Duplicate Advisory: FUXA contains a hard-coded credential vulnerability
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c8m8-3jcr-6rj5. This link is maintained to preserve external references. Original Description FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a...
CVE-2025-69970
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the sort parameter in API endpoints, which is processed by the getOrderBy function. An attacker can execute arbitrary SQL queries and extract sensitive database information by supplying crafted input to the API while...
GHSA-CJFX-QHWM-HF99 FacturaScripts has SQL Injection in API ORDER BY Clause
Summary FacturaScripts contains a critical SQL Injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy method where user-supplied sorting parameters are directly...
arches (=8.0.0a1), django-accounts-api (=1.2.5) +24 more potentially affected by CVE-2026-1207 via django (>=6.0.0 <=6.0.1)
django PYPI version =6.0.0, =1.1.0, =0.1.0, =0.1.0b2, =0.1.0, =6.0.0, =0.20.4, =0.22.1 and more Source cves: CVE-2026-1207 Source advisory: SNYK:PYTHON-DJANGO-15183335...
arches (=8.0.0a1), django-accounts-api (=1.2.5) +24 more potentially affected by CVE-2026-1287 via django (>=6.0.0 <=6.0.1)
django PYPI version =6.0.0, =1.1.0, =0.1.0, =0.1.0b2, =0.1.0, =6.0.0, =0.20.4, =0.22.1 and more Source cves: CVE-2026-1287 Source advisory: SNYK:PYTHON-DJANGO-15198932...