Rclone: Unauthenticated options/set allows runtime auth bypass, leading to sensitive operations and command execution
Summary The RC endpoint options/set is exposed without AuthRequired: true, but it can mutate global runtime configuration, including the RC option block itself. An unauthenticated attacker can set rc.NoAuth=true, which disables the authorization gate for many RC methods registered with...
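The pattern in the summary above (an unauthenticated call that mutates the very option block the auth gate reads) is easy to reproduce in miniature. The Go program below is an added, hypothetical model written for this page; it is not rclone's code, and the method names, the `Config.NoAuth` field and the `Handle`/`Attack` functions are assumptions chosen to mirror the advisory's description. `newServer(false)` registers `options/set` without an auth requirement, as the advisory describes; `newServer(true)` shows the two hardening steps a reviewer would expect: gate the call, and refuse to let the auth-related block be changed at runtime at all.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical RC server: a method registry with a per-method AuthRequired
// flag and one mutable global config. Modelled on the advisory, not rclone.

// Config is the runtime option block. NoAuth mirrors an "rc.NoAuth" style
// switch: when true, the auth gate is skipped for every method.
type Config struct {
	NoAuth bool
}

type Call func(cfg *Config, params map[string]any) (map[string]any, error)

type Method struct {
	Name         string
	AuthRequired bool
	Fn           Call
}

type Server struct {
	cfg     Config
	methods map[string]Method
}

var ErrUnauthorized = errors.New("unauthorized")

// newServer registers "options/set" (mutates cfg) and "core/command"
// (a sensitive method that must always be authenticated). With fixed=false
// the registration reproduces the bug: options/set is reachable without auth.
func newServer(fixed bool) *Server {
	s := &Server{methods: map[string]Method{}}
	s.register(Method{
		Name:         "options/set",
		AuthRequired: fixed, // vulnerable build: false
		Fn: func(cfg *Config, p map[string]any) (map[string]any, error) {
			v, present := p["NoAuth"].(bool)
			if present && fixed {
				// Hardened: the auth block is only settable at startup.
				return nil, errors.New("option NoAuth is not settable at runtime")
			}
			if present {
				cfg.NoAuth = v
			}
			return map[string]any{}, nil
		},
	})
	s.register(Method{
		Name:         "core/command",
		AuthRequired: true,
		Fn: func(cfg *Config, p map[string]any) (map[string]any, error) {
			return map[string]any{"ran": p["command"]}, nil
		},
	})
	return s
}

func (s *Server) register(m Method) { s.methods[m.Name] = m }

// Handle dispatches one call. authenticated reports whether the caller
// presented valid credentials. The gate is skipped whenever cfg.NoAuth is
// set, which is what makes an unauthenticated options/set dangerous.
func (s *Server) Handle(name string, authenticated bool, params map[string]any) (map[string]any, error) {
	m, ok := s.methods[name]
	if !ok {
		return nil, fmt.Errorf("no such method %q", name)
	}
	if m.AuthRequired && !s.cfg.NoAuth && !authenticated {
		return nil, ErrUnauthorized
	}
	return m.Fn(&s.cfg, params)
}

// Attack replays the chain from the advisory against this model: an
// unauthenticated options/set flips NoAuth, then an unauthenticated sensitive
// call is attempted. It returns true when the bypass succeeded.
func Attack(s *Server) bool {
	if _, err := s.Handle("options/set", false, map[string]any{"NoAuth": true}); err != nil {
		return false
	}
	_, err := s.Handle("core/command", false, map[string]any{"command": "id"})
	return err == nil
}

func main() {
	fmt.Println("vulnerable build bypassed:", Attack(newServer(false)))
	fmt.Println("fixed build bypassed:     ", Attack(newServer(true)))
}
```

The second hardening step matters on its own: marking `options/set` as requiring auth still leaves any authenticated low-privilege caller able to switch the gate off for everyone, so the option block that controls authentication should not be writable through the API it protects.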
CVE-2026-27702 Budibase Vulnerable to Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
Budibase is a low code platform for creating internal tools, workflows, and admin panels. Prior to version 3.30.4, an unsafe eval vulnerability in Budibase's view filtering implementation allows any authenticated user including free tier accounts to execute arbitrary JavaScript code on the server...
Linux Distros Unpatched Vulnerability : CVE-2018-2794
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Vulnerability in the Java SE, JRockit component of Oracle Java SE (subcomponent: Security). Supported versions that are affected are Java SE: 6u181, 7u171, 8u162,...
PT-2024-33172 · WordPress · Happy Addons For Elementor
Name of the Vulnerable Software and Affected Versions: The Happy Addons for Elementor plugin for WordPress versions up to, and including, 3.10.8 Description: The issue is related to Stored Cross-Site Scripting via the id parameter due to insufficient input sanitization and output escaping. This...
Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
Summary The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd, reloadcmd and restartcmd. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sendi...
Linksys AX3200 1.1.00 Command Injection
Exploit Title: Linksys AX3200 V1.1.00 - Command Injection
Date: 2022-09-19
Exploit Author: Ahmed Alroky
Author: Linksys
Version: 1.1.00
Authentication Required: YES
CVE: CVE-2022-38841
Tested on: Windows
Proof Of Concept:
1 - log in to the AX3200 web UI
2 - go to the diagnostics page
3 - put...
Kanboard 1.2.7 Cross Site Scripting
Reflected Cross-site Scripting Vulnerability in Kanboard 1.2.7
Information
--------------------
Advisory by Netsparker
Name: Reflected Cross-site Scripting in Kanboard
Affected Software: Kanboard
Affected Versions: 1.2.7
Homepage: https://kanboard.org/
Vulnerability: Reflected Cross-site Scriptin...