21099 matches found
CVE-2026-9588 Authenticated Stored Cross-Site Scripting (XSS) in Switchvox SMB Web Portal
A stored cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997 within the voicemail notification template functionality. The submitmodifyvoicemailtemplate endpoint fails to properly sanitize HTML content supplied by authenticated users, allowing malicious...
CVE-2026-15783
CVE-2026-15783 (GitHub Enterprise Server) describes a missing authorization flaw where an authenticated user with write access to any repository could read metadata from private repositories they should not access. The attack path involves a delegated bypass endpoint that resolves a rule suite fr...
EUVD-2026-45188
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parse...
CVE-2026-15007 Denial of service vulnerability in GitHub Enterprise Server allowed service disruption via deeply nested YAML in release notes configuration
A denial of service vulnerability was identified in GitHub Enterprise Server that allowed an authenticated user to cause service disruption by supplying a repository release notes configuration file containing deeply nested YAML. When release notes were generated, the configuration file was parse...
CVE-2026-15007
The CVE describes a Denial of Service in GitHub Enterprise Server caused by parsing a repository release notes configuration file with deeply nested YAML, without a nesting depth limit. When release notes are generated, this can consume excessive resources and render the instance unresponsive. Af...
CVE-2026-62764
CVE-2026-62764 affects Apache Accumulo 2.1.4 and 2.1.5. An authenticated, low-privilege user without system permissions can remotely issue a command to gracefully shutdown several components (e.g., compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver), causing a denial of ...
CVE-2026-47084
A flaw was found in Cyrus IMAP cyrus-imapd. An authenticated user, without administrative privileges, could bypass Access Control List ACL checks by using the LOCALDELETE command. This allowed them to delete mailboxes for which they did not have the necessary permissions, leading to unauthorized...
CVE-2026-47083
A flaw was found in Cyrus IMAP. An authenticated user can exploit the ESEARCH command to discover the existence of folder names belonging to other user accounts. This vulnerability leads to information disclosure, allowing an attacker to gain unauthorized knowledge about the structure of other...
CVE-2026-47088
A flaw was found in Cyrus IMAP Internet Message Access Protocol daemon, cyrus-imapd. An authenticated IMAP user could exploit a heap exposure vulnerability during nested Multipurpose Internet Mail Extensions MIME comment parsing. By crafting an email message with a specially formed RFC 822 commen...
CVE-2026-47081
A flaw was found in Cyrus IMAP cyrus-imapd. An authenticated user could exploit this vulnerability by using the XAPPLEPUSHSERVICE command to determine if specific mailboxes exist on other users' accounts. This could allow the attacker to create Apple Push Notification Service APNS notifications f...
CVE-2026-62236
grav-plugin-login before 3.8.11 contains a CSRF in the login.regenerate2FASecret frontend task, which regenerates and persists a new TOTP secret for the authenticated user without anti-CSRF nonce or Origin/Referer checks. Grav core dispatches the task via a top-level GET using the task: URI param...
CVE-2026-62234
Grav 2.x prior to 2.0.4 contains an SSRF vulnerability in webhook dispatch where authenticated users with api.webhooks.write can create webhooks using file://, dict://, or gopher:// protocols. This unrestricted protocol handling can be leveraged to read local files, access process information, or...
CVE-2026-44176
Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the pages.access permission during page draft rendering. Permissions are defined for each user role in the user blueprint site/blueprints/users/.... It is also possible to customize the permissions f...
CVE-2026-45334
Kirby CMS (versions < 4.9.1 and
EUVD-2026-45011
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is heap exposure in nested MIME comment parsing. An authenticated IMAP user could craft an email message containing an RFC 822 comment ending with a backslash. When parsing the message, the server would read past the...
EUVD-2026-45006
An issue was discovered in cyrus-imapd in Cyrus IMAP through 3.12.2. There is an ESEARCH cross-user content oracle. By using the ESEARCH command, an authenticated IMAP user could enumerate folder names under any account they could name. Search would return UIDs of messages matching the search,...
CVE-2026-44176 Kirby: `pages.access` permission is not checked during rendering of page drafts
Kirby is an open-source content management system. Versions prior to 4.9.1 and 5.4.1 do not check the pages.access permission during page draft rendering. Permissions are defined for each user role in the user blueprint site/blueprints/users/.... It is also possible to customize the permissions f...
CVE-2026-53409
Improper Privilege Management in Zoom Rooms for Windows before version 7.1.0 may allow an authenticated user to conduct an escalation of privilege via local access...
CVE-2026-53410
CVE-2026-53410 describes a TOCTOU race condition in the installation and uninstallation flow of certain Zoom Clients for Windows that could allow an authenticated local user to escalate privileges. Affected components include Zoom Workplace for Windows, Zoom Workplace VDI Client, Zoom Workplace V...
CVE-2026-53409
CVE-2026-53409 affects Zoom Rooms for Windows prior to 7.1.0. Root cause: improper privilege management that may allow an authenticated user to escalate privileges via local access. CVSS v3.1 base score 7.8 (HIGH) with LOCAL attack vector, low attack complexity, requiring LOW privileges and no us...