447677 matches found
CVE-2026-55198
Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...
CVE-2026-55196
Hermes WebUI before 0.51.409 contains an authentication bypass vulnerability in passkey registration endpoints that allows unauthenticated remote attackers to register arbitrary passkeys. When HERMESWEBUIPASSKEY=1 is enabled with no existing credentials, POST /api/auth/passkey/register/options an...
CVE-2026-53871
Hermes WebUI before 0.51.368 contains an authorization bypass vulnerability in the getprofilecookie function that accepts unauthenticated profile names from the hermesprofile cookie. An authenticated attacker can forge the hermesprofile cookie value to bypass profile-scoped authorization checks a...
CVE-2026-53869
Hermes Agent before 0.16.0 contains a DNS rebinding vulnerability in WebSocket endpoints that allows remote attackers to bypass Host and Origin validation. FastAPI HTTP middleware does not execute for WebSocket upgrade requests on /api/pty, /api/ws, /api/pub, and /api/events endpoints, enabling...
CVE-2026-53870
Hermes Agent before 0.16.0 creates responsestore.db and webhooksubscriptions.json with world-readable permissions mode 0o644, exposing conversation history and HMAC secrets to local users. Attackers with local filesystem access can read these files directly to obtain sensitive data including...
CVE-2026-48818
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and earlier, StaticFiles on Windows is vulnerable to SSRF. An UNC path such as \attacker.com\share can cause os.path.realpath to initiate an outbound SMB connection before the path is rejected, exposing the service account’s...
CVE-2026-55202 Tinyproxy - Stathost Detection Bypass via Host Header Manipulation
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger...
EUVD-2026-37786
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger...
CVE-2026-55202
Tinyproxy (up to version 1.11.3) contains a vulnerability in stathost detection where the Host header is not properly validated. This allows unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation, potentially misrouting req...
CVE-2026-55202
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger...
CVE-2026-55201
CVE-2026-55201 affects Evil-WinRM (up to version 3.9). A path traversal in download_dir() can cause the server to generate filenames with traversal sequences from Get-ChildItem output, which are passed unsanitized to File.join(), enabling writes outside the intended download directory. Attackers ...
CVE-2026-55201 Evil-WinRM - Path Traversal in download_dir() Function
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the downloaddir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...
CVE-2026-55201 Evil-WinRM - Path Traversal in download_dir() Function
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the downloaddir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...
EUVD-2026-37785
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the downloaddir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...
EUVD-2026-37784
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...
CVE-2026-55200 libssh2 - Out-of-Bounds Write via Unchecked packet_length in transport.c
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...
CVE-2026-55200
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...
CVE-2026-55200
CVE-2026-55200 affects libssh2 up to version 1.11.1. The vulnerability is an out-of-bounds write in ssh2_transport_read() caused by failure to enforce upper bounds on packet_length, allowing remote attackers to send crafted SSH packets to corrupt heap memory and achieve remote code execution. The...
XML External Entity (XXE) Injection
Overview Affected versions of this package are vulnerable to XML External Entity XXE Injection through the saxonTransform function that uses unhardened net.sf.saxon.TransformerFactoryImpl method. An attacker can access sensitive local files or trigger arbitrary HTTPS requests from the host by...