15 matches found
CVE-2026-46395
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...
CVE-2026-44569
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.19, there's an IDOR in the channels message management system that allows authenticated users to modify or delete any message within channels they have read access to. The vulnerability...
OESA-2026-2323 gvfs security update
Gvfs is a userspace virtual filesystem implementation for GIO, a library available in GLib. It comes with a set of backends, including trash support, SFTP, SMB, HTTP, DAV, and many others. Gvfs also contains modules for GIO that implement volume monitors and persistent metadata storage. Security...
wasmtime buffer error vulnerability
Wasmtime is a lightweight WebAssembly runtime open-sourced by the Bytecode Alliance. Versions of Wasmtime prior to 36.0.7, 42.0.2, and 43.0.1 contained a buffer error vulnerability. This vulnerability stemmed from a flaw in the Winch compiler backend, which could allow guest Wasm access to host...
Medium: gvfs
Issue Overview: A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client unconditionally trusts this information and attempts to connect to the specified endpoint,...
Amazon Linux 2 : gvfs, --advisory ALAS2-2026-3197 (ALAS-2026-3197)
The version of gvfs installed on the remote host is prior to 1.36.2-3. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3197 advisory. A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP...
UBUNTU-CVE-2026-28295
A flaw was found in the FTP GVfs backend. A malicious FTP server can exploit this vulnerability by providing an arbitrary IP address and port in its passive mode PASV response. The client unconditionally trusts this information and attempts to connect to the specified endpoint, allowing the...
CVE-2025-52023
A vulnerability in the PHP backend of gemscms.aptsys.com.sg thru 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public A...
Important: kernel
Issue Overview: A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root host user-level application to crash the host kernel by creating a confidential guest VM instance on an AMD CPU that supports Secure Encrypted Virtualization (SEV). CVE-2022-0171 A...
CVE-2022-2308
A flaw was found in vDPA with VDUSE backend. There are currently no checks in VDUSE kernel driver to ensure the size of the device config space is in line with the features advertised by the VDUSE userspace application. In case of a mismatch, Virtio drivers config read helpers do not initialize t...
SQL Injection Vulnerability in Heybbs Backend ad***_ad***_no***.php Page
Heybbs micro-community is a micro-community program with a front end based on bootstrap + jq + css and a back end developed in php + mysql. A SQL injection vulnerability exists in the Heybbs background adadno.php page; attackers can use the vulnerability to obtain database sensitive information...
S-CMS php version government website builder system backend aj***.php page has SQL injection vulnerability
S-CMS is a content management system (CMS) based on PHP and MySQL. A SQL injection vulnerability exists in the background aj.php page of the S-CMS php version of the government website building system, which can be exploited by attackers to obtain sensitive database data...
DhCms Cross-Site Scripting Vulnerability
DhCms (Dinghua Cloud CMS) is a content management system based on PHP and MySQL. A cross-site scripting vulnerability exists in the admin.php?r=admin/Index/index backend in DhCms 2017-09-18 and earlier versions. A remote attacker can exploit this vulnerability to obtain cookie information...
CVE-2016-0202
A vulnerability has been identified in tasks, the backend objects generated for handling any action performed by the application in IBM Cloud Orchestrator. It is possible for an authenticated user to view any task of the current user's domain...
Django: possible DoS by filling session store
A flaw was found in the Django session backend, which could allow an unauthenticated attacker to create session records in the configured session store, causing a denial of service by filling up the session store...