
8 matches found

Cvelist
added 2026/05/26 10:1 p.m. · 28 views

CVE-2026-45298 Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Dozzle is a realtime log viewer for Docker containers. Prior to 10.5.2, in a default Dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that...

CVSS 8.6 · EPSS 0.00026
Exploits: 1 · References: 2
Github Security Blog
added 2026/05/18 4:41 p.m. · 10 views

Dozzle: Pre-auth SSRF with response-body reflection via POST /api/notifications/test-webhook (default no-auth deploy)

Summary: In a default Dozzle deploy (the documented quickstart, no DOZZLE_AUTH_PROVIDER set), POST /api/notifications/test-webhook is reachable without authentication and forwards an attacker-controlled URL into a WebhookDispatcher that: - Sends an HTTP POST to the supplied URL with attacker-controlle...

CVSS 8.6 · AI score 5.8 · EPSS 0.00026
Exploits: 1 · References: 2 · Affected Software: 1
Vulnrichment
added 2026/05/11 6:39 p.m. · 6 views

CVE-2026-42869 SOCFortress CoPilot: Hardcoded JWT secret allows unauthenticated full admin compromise and lateral movement into all integrated SOC tools

SOCFortress CoPilot focuses on providing a single pane of glass for all your security operations needs. Prior to 0.1.57, SOCFortress CoPilot ships a hardcoded JWT signing secret as a fallback value in backend/app/auth/utils.py:28 and ships it verbatim in .env.example. Any deployment where JWTSECR...

CVSS 10 · AI score 6 · EPSS 0.0014
Exploits: 0 · References: 3
ATTACKERKB
added 2026/03/26 8:34 p.m. · 3 views

CVE-2026-33619

PinchTab is a standalone HTTP server that gives AI agents direct control over a Chrome browser. PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3...

CVSS 4.1 · AI score 5.8 · EPSS 0.00066
Exploits: 1 · References: 4 · Affected Software: 1
ATTACKERKB
added 2026/03/20 8:27 a.m. · 3 views

CVE-2026-33071

FileRise is a self-hosted web file manager / WebDAV server. In versions prior to 3.8.0, the WebDAV upload endpoint accepts any file extension including .phtml, .php5, .htaccess, and other server-side executable types, bypassing the filename validation enforced by the regular upload path. In...

CVSS 4.3 · AI score 6.1 · EPSS 0.00072
Exploits: 1 · References: 3 · Affected Software: 1
CNNVD
added 2025/10/27 12:00 a.m. · 3 views

SICK AG TLOC100-100 Security Vulnerability

The SICK AG TLOC100-100 is a mobile robot positioning system from SICK Germany. A security vulnerability exists in the SICK AG TLOC100-100 that originates from a default deployment state that is not configured in accordance with the latest best practices, which could result in an unauthorized...

CVSS 7.5 · AI score 6.5 · EPSS 0.00088
Exploits: 0 · References: 6
Positive Technologies
added 2022/11/01 12:00 a.m. · 3 views

PT-2022-6764 · Vmware · Vmware Tanzu Application Service For Vms +1

Name of the Vulnerable Software and Affected Versions: VMware Tanzu Application Service for VMs and Isolation Segment (affected versions not specified). Description: The issue is related to an information disclosure vulnerability due to the logging of credentials in hex encoding in platform system...

CVSS 7.8 · AI score 6.1 · EPSS 0.00391
Exploits: 0 · References: 8
Check Point Advisories
added 2015/03/26 12:00 a.m. · 10 views

Oracle 9i HTTP Server Soap Router Access - Ver2 (CVE-2001-1371)

A SOAP vulnerability has been reported in Oracle Application Server 9iAS 1.0.2.2. The vulnerability allows anonymous users to deploy applications by default. A remote attacker could trigger this flaw by default via urn:soap-service-manager and urn:soap-provider-manager...

CVSS 7.5 · AI score 4.7 · EPSS 0.04432
Exploits: 1