1294 matches found
Joomla! Component & Plugin JE Tooltip 1.0 - Local File Inclusion
A directory traversal vulnerability in the JE Form Creator comjeformcr component for Joomla!, when magicquotesgpc is disabled, allows remote attackers to read arbitrary files via directory traversal sequences in the view parameter to index.php. NOTE -- the original researcher states that the...
CVE-2026-54518
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
jackson-databind has a @JsonView bypass for unwrapped creator parameters
Summary UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults prop.visibleInViewactiveView. The normal property-based creator path gates creator properties on the active view, but this unwrapped-creator replay path bypasses tha...
CVE-2026-54518
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
CVE-2026-54518 jackson-databind: @JsonView bypass for unwrapped creator parameters in jackson-databind
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
CVE-2026-54518
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
EUVD-2026-38629
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties replays buffered JSON into creator parameters but never consults...
CVE-2026-54518
The CVE-2026-54518 issue affects jackson-databind’s UnwrappedPropertyHandler path. From 2.21.0 through 2.21.4 and 3.1.0 through 3.1.4, UnwrappedPropertyHandler.processUnwrappedCreatorProperties() replays buffered JSON into creator parameters without consulting prop.visibleInView(activeView). This...
CVE-2026-54517
Summary: CVE-2026-54517 affects jackson-databind. In BeanDeserializer._deserializeUsingPropertyBased, the active-view filter was only applied to creator properties; the path for regular properties lacked a visibleInView check. This allowed setterless Collection/Map properties annotated with a res...
CVE-2026-54517 jackson-databind: @JsonView bypass for setterless creator properties
jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.21.0 until 2.21.4 and 3.1.4, in BeanDeserializer.deserializeUsingPropertyBased, the active-view @JsonView filter was applied only to creator properties; the regular...
CVE-2026-10609
The vulnerability CVE-2026-10609 affects the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, enabling a delegated editor to exfiltrate...
CVE-2026-10609 Openshift/cluster-logging-operator: cluster logging operator creates and forwards serviceaccount tokens without verifying clf creator authorization
A missing authorization flaw was found in the OpenShift Cluster Logging Operator. The operator creates and forwards ServiceAccount tokens to output destinations without verifying that the ClusterLogForwarder creator has permission to use those credentials, allowing a delegated editor to exfiltrat...
PT-2026-51602
Name of the Vulnerable Software and Affected Versions jackson-databind versions 2.21.0 through 2.21.3 jackson-databind versions 3.0.0 through 3.1.3 Description The UnwrappedPropertyHandler.processUnwrappedCreatorProperties function replays buffered JSON into creator parameters without consulting...
CVE-2022-49036
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors...
GHSA-96FH-M4R8-6V9V NocoDB: Cross-Workspace Integration Use in Connection Test
Summary A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. Details The connection-test endpoint...
PT-2026-46999
Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 2026.05.1 Description A user in one workspace can exercise another workspace's integration by supplying its ID to the 'testConnection' endpoint. This occurs because the integration is fetched in a bypass scope, and the...
CVE-2022-49036
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors...
CVE-2022-49036
Synology Active Backup for Business Recovery Media Creator (before version 2.5.0-2081) is affected by an OpenSSL configuration vulnerability described as an inclusion of functionality from untrusted control sphere, enabling local users to execute arbitrary code via unspecified vectors. Affected c...
EUVD-2022-55998
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors...
CVE-2022-49036
An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors...