
23 matches found

Cvelist · added 2026/05/26 2:38 p.m. · 41 views

CVE-2026-40564 Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files...

EPSS 0.0049 · Exploits 3 · References 1
Positive Technologies · added 2026/05/19 12:00 a.m. · 8 views

PT-2026-41975

Name of the Vulnerable Software and Affected Versions: HAX CMS versions prior to 26.0.0. Description: An authenticated Server-Side Request Forgery (SSRF) allows users to fetch arbitrary internal or local resources and write the responses to a web-accessible directory, enabling arbitrary file read and...

CVSS 7.1 · AI score 5.6 · EPSS 0.00238 · Exploits 0 · References 6
Positive Technologies · added 2026/02/19 12:00 a.m. · 10 views

PT-2026-20879

Name of the Vulnerable Software and Affected Versions: Kargo versions 1.7.0 through 1.7.7, Kargo version 1.8.11, Kargo version 1.9.3. Description: Kargo manages and automates the promotion of software artifacts. The batch resource creation endpoints of both Kargo's legacy gRPC API and newer REST API...

CVSS 9.9 · AI score 6.4 · EPSS 0.27661 · Exploits 44 · References 117
NVD · added 2026/02/12 10:16 p.m. · 5 views

CVE-2026-26056

Yoke is a Helm-inspired infrastructure-as-code (IaC) package deployer. In 0.19.0 and earlier, a vulnerability exists in the Air Traffic Controller (ATC) component of Yoke. It allows users with CR create/update permissions to execute arbitrary WASM code in the ATC controller context by injecting a...

CVSS 8.8 · EPSS 0.004 · Exploits 1 · References 1
EUVD · added 2025/12/12 7:20 a.m. · 5 views

EUVD-2025-203050

The WP Fastest Cache plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.7.4 via the 'getservertimeajaxrequest' AJAX action. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to...

CVSS 3.5 · AI score 5.4 · EPSS 0.00201 · Exploits 0 · References 4
CNNVD · added 2025/10/31 12:00 a.m. · 2 views

Summer Pearl Group Vacation Rental Management Platform security vulnerability

Summer Pearl Group Vacation Rental Management Platform is a vacation rental property management software platform from Summer Pearl Group, Greece. A security vulnerability exists in Summer Pearl Group Vacation Rental Management Platform versions prior to 1.0.2, which stems from insufficient...

CVSS 6.3 · AI score 6.6 · EPSS 0.00163 · Exploits 0 · References 2
CNNVD · added 2025/03/25 12:00 a.m. · 2 views

WordPress plugin aoa-downloadable security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plug-in. A security...

CVSS 7.2 · AI score 8.9 · EPSS 0.00298 · Exploits 1 · References 3
OSV · added 2024/11/21 7:52 p.m. · 14 views

GO-2024-3281 github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve

github.com/rancher/steve's users can issue watch commands for arbitrary resources in github.com/rancher/steve...

CVSS 7.7 · AI score 6.7 · EPSS 0.0039 · Exploits 0 · References 2
BDU FSTEC · added 2024/08/07 12:00 a.m. · 5 views

The vulnerability in the kube-apiserver component, a software component for managing clusters of virtual machines in Kubernetes, allows an attacker to increase their privileges.

The vulnerability in the kube-apiserver component, which is part of the Kubernetes cluster management software, relates to the redirection of update requests to arbitrary resources. Exploiting this vulnerability can allow a remote attacker to increase their privileges...

CVSS 8.3 · AI score 6.7 · EPSS 0.061 · Exploits 3 · References 7 · Affected Software 5
Vulnrichment · added 2024/06/13 7:53 a.m. · 18 views

CVE-2024-26029 Adobe Experience Manager | Improper Access Control (CWE-284)

Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and disclose information. Exploitation of this issue does no...

CVSS 7.5 · AI score 8.7 · EPSS 0.00882 · Exploits 0 · References 1
Cvelist · added 2024/06/13 7:53 a.m. · 25 views

CVE-2024-26029 Adobe Experience Manager | Improper Access Control (CWE-284)

Adobe Experience Manager versions 6.5.20 and earlier are affected by an Improper Access Control vulnerability that could result in a security feature bypass. An attacker could leverage this vulnerability to bypass security measures and disclose information. Exploitation of this issue does no...

CVSS 7.5 · EPSS 0.00882 · Exploits 0 · References 1
Vulnrichment · added 2023/10/16 7:39 p.m. · 10 views

CVE-2023-3154 NextGEN Gallery < 3.39 - Admin+ PHAR Deserialization

The WordPress Gallery Plugin WordPress plugin before 3.39 is vulnerable to PHAR Deserialization due to a lack of input parameter validation in the galleryedit function, allowing an attacker to access arbitrary resources on the server...

AI score 7.4 · EPSS 0.00701 · Exploits 2 · References 1
Positive Technologies · added 2023/07/26 12:00 a.m. · 4 views

PT-2023-25486 · Solarwinds · Solarwinds Platform

Name of the Vulnerable Software and Affected Versions: SolarWinds Platform affected versions not specified Description: The issue allows an underprivileged user to bypass access controls and read arbitrary resources. Recommendations: At the moment, there is no information about a newer version th...

CVSS 4.3 · AI score 4.5 · EPSS 0.00652 · Exploits 0 · References 5
Prion · added 2022/08/02 5:15 p.m. · 15 views

Directory traversal

The iWay Service Manager Console component of TIBCO Software Inc.'s TIBCO iWay Service Manager contains an easily exploitable Directory Traversal vulnerability that allows a low privileged attacker with network access to read arbitrary resources on the affected system. Affected releases are TIBCO...

CVSS 4 · AI score 6.3 · EPSS 0.00976 · Exploits 0 · References 2 · Affected Software 1
PyPA · added 2019/10/11 11:15 p.m. · 6 views

PYSEC-2019-151

sendemail in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent ...

CVSS 7.5 · AI score 7.1 · EPSS 0.16948 · Exploits 1 · References 6 · Affected Software 1
OSV · added 2019/10/11 11:15 p.m. · 1 view

UBUNTU-CVE-2017-18638

sendemail in graphite-web/webapp/graphite/composer/views.py in Graphite through 1.1.5 is vulnerable to SSRF. The vulnerable SSRF endpoint can be used by an attacker to have the Graphite web server request any resource. The response to this SSRF request is encoded into an image file and then sent ...

CVSS 7.5 · AI score 6.8 · EPSS 0.16948 · Exploits 1 · References 8
BDU FSTEC · added 2018/03/06 12:00 a.m. · 3 views

The vulnerability in the firmware of the NR Electric PCS-9611 protection device arises from insufficient validation of input data. This vulnerability allows an attacker to gain access to arbitrary system resources and influence the functionality of the system.

The vulnerability in the firmware of the NR Electric PCS-9611 protection device exists due to insufficient validation of input data. Exploiting this vulnerability can allow a remote attacker to gain access to arbitrary system resources and influence the...

CVSS 10 · AI score 5.6 · EPSS 0.0246 · Exploits 0 · References 4
Prion · added 2017/06/08 9:29 p.m. · 13 views

Design/Logic Flaw

AdBlock before 2.21 allows remote attackers to block arbitrary resources on arbitrary websites and to disable arbitrary blocking filters...

CVSS 6.4 · AI score 7.4 · EPSS 0.02072 · Exploits 1 · References 2 · Affected Software 1
NVD · added 2016/05/09 8:59 p.m. · 15 views

CVE-2015-5207

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods...

CVSS 7.5 · AI score 5.2 · EPSS 0.02879 · Exploits 0 · References 6
Prion · added 2016/05/09 8:59 p.m. · 13 views

Code injection

Apache Cordova iOS before 4.0.0 might allow attackers to bypass a URL whitelist protection mechanism in an app and load arbitrary resources by leveraging unspecified methods...

CVSS 7.5 · AI score 6.9 · EPSS 0.02879 · Exploits 0 · References 6 · Affected Software 1