Lucene search
K

1578 matches found

Vulnrichment
Vulnrichment
added 2026/05/26 7:46 p.m.10 views

CVE-2026-48593 Unbounded range expansion in cron describe causes memory exhaustion in oban_web

Uncontrolled Resource Consumption vulnerability in oban-bg obanweb 'Elixir.Oban.Web.CronExpr' modules allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 ". When a user with...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References4
CVE
CVE
added 2026/05/26 7:46 p.m.26 views

CVE-2026-48593

CVE-2026-48593 describes an uncontrolled resource consumption in oban_web’s cron rendering. The issue arises in the Elixir CronExpr describe/1 rendering path where unbounded cron ranges (e.g., 1-100000000) are parsed by parse_range/1 without bounds checks, then expand_dom_parts/1 and expand_dow_p...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/26 7:46 p.m.10 views

CVE-2026-48593

Uncontrolled Resource Consumption vulnerability in oban-bg obanweb 'Elixir.Oban.Web.CronExpr' modules allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 ". When a user with...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/05/26 7:46 p.m.12 views

EEF-CVE-2026-48593 Unbounded range expansion in cron describe causes memory exhaustion in oban_web

Summary Uncontrolled Resource Consumption vulnerability in oban-bg oban\web 'Elixir.Oban.Web.CronExpr' modules allows memory exhaustion via unbounded cron range expansion. An attacker with access to schedule cron jobs can submit a malicious cron expression such as "0 0 1-100000000 \ ". When a use...

5.9CVSS6.1AI score0.00341EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/26 12:0 a.m.11 views

PT-2026-43408

Name of the Vulnerable Software and Affected Versions oban web versions 2.12.0 through 2.12.4 Description Uncontrolled Resource Consumption in the Elixir.Oban.Web.CronExpr module allows memory exhaustion through unbounded cron range expansion. An attacker with permissions to schedule cron jobs ca...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References9
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.11 views

Oban Web 安全漏洞

Oban Web is an embedded real-time backend task monitoring dashboard developed under the Oban Framework. Versions 2.12.0 to 2.12.5 of Oban Web contained a security vulnerability. This vulnerability stemmed from the unlimited cron range expansion in the Elixir.Oban.Web.CronExpr module, which could...

5.9CVSS5.8AI score0.00341EPSS
Exploits0References5
OSV
OSV
added 2026/05/23 12:17 a.m.5 views

GHSA-99GV-2M7H-3HH9 Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron

Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The cron routes POST /api/v1/cron and PATCH /api/v1/cron/:id are wired through commonHandler any authenticated user rather than adminHandler, and the per-server permission check on cron creation has a...

9.9CVSS6AI score0.00339EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/05/23 12:17 a.m.15 views

Nezha Monitoring: RoleMember can run shell on every server (cross-tenant RCE) via POST /api/v1/cron

Summary nezha's dashboard supports two user roles: RoleAdmin Role==0 and RoleMember Role==1. The cron routes POST /api/v1/cron and PATCH /api/v1/cron/:id are wired through commonHandler any authenticated user rather than adminHandler, and the per-server permission check on cron creation has a...

9.9CVSS6AI score0.00339EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/23 12:8 a.m.11 views

GHSA-RXF6-WJH4-JFJ6 Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...

5.4CVSS5.9AI score0.00261EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/23 12:8 a.m.20 views

Nezha Monitoring: RoleMember can fire other users' cron tasks via AlertRule.FailTriggerTasks (no ownership check)

Summary createAlertRule and createService and their update siblings accept FailTriggerTasks uint64 and RecoverTriggerTasks uint64 — IDs of cron tasks to fire when the alert/service trips. The validation function only validates the alert's Rules.Ignore server map; it never checks that the cron tas...

7.1CVSS5.9AI score0.00261EPSS
Exploits0References3Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/23 12:0 a.m.15 views

PT-2026-42859

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.7 Description An authenticated user with RoleMember privileges can trigger cron tasks belonging to other users, including administrators. This occurs because the system fails to verify the ownership ...

7.1CVSS5.3AI score0.00261EPSS
Exploits0References6
Positive Technologies
Positive Technologies
added 2026/05/23 12:0 a.m.19 views

PT-2026-42871

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 1.4.0 through 2.0.7 Description An authorization bypass allows users with the RoleMember role to execute arbitrary commands on all servers monitored by the dashboard, including those belonging to other tenants or...

9.9CVSS5.8AI score0.00339EPSS
Exploits1References9
RedhatCVE
RedhatCVE
added 2026/05/18 2:27 p.m.25 views

CVE-2025-67202

A flaw was found in Sidekiq-cron, an open-source scheduling add-on for Sidekiq. A remote attacker could exploit this cross-site scripting XSS vulnerability by injecting malicious scripts into a crafted URL. When this URL is rendered from cron.erb, the attacker's script would execute in the victim...

6.1CVSS5.7AI score0.00194EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/05/14 12:32 p.m.11 views

CVE-2026-4031 Database Backup for WordPress <= 2.5.2 - Missing Authorization to Unauthenticated Database Backup Interception

The Database Backup for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.5.2. This is due to the plugin not restricting access to the wpdbtempdir parameter, which controls where database backups are written. This makes it possible for...

7.5CVSS5.7AI score0.00488EPSS
Exploits0References7
EUVD
EUVD
added 2026/05/11 6:31 p.m.8 views

EUVD-2026-29144

OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering...

6.3CVSS5.8AI score0.00151EPSS
Exploits0References4
OSV
OSV
added 2026/05/11 6:31 p.m.8 views

GHSA-M5J2-R859-R5CV Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-57r2-h2wj-g887. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing...

6.3CVSS5.7AI score0.00151EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/11 6:31 p.m.14 views

Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-57r2-h2wj-g887. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing...

6.3CVSS5.7AI score0.00151EPSS
Exploits0References5Affected Software1
NVD
NVD
added 2026/05/11 6:16 p.m.20 views

CVE-2026-44999

OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering...

6.3CVSS0.00151EPSS
Exploits0References3
CVE
CVE
added 2026/05/11 4:46 p.m.16 views

CVE-2026-44999

OpenClaw CVE-2026-44999 affects the OpenClaw component prior to version 2026.4.20. The issue is a trust-labeling flaw for isolated cron awareness events: untrusted labels can be preserved for webhook-triggered cron agent output, causing such output to be recorded as trusted System events. This ca...

6.3CVSS5.8AI score0.00151EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/11 4:46 p.m.8 views

CVE-2026-44999 OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events

OpenClaw before 2026.4.20 fails to properly preserve untrusted labels for isolated cron awareness events, allowing webhook-triggered cron agent output to be recorded as trusted system events. Attackers can exploit this trust-labeling issue to strengthen prompt-injection attacks by rendering...

6.3CVSS5.8AI score0.00151EPSS
Exploits0References3
Rows per page
Query Builder