Lucene search
+L

56 matches found

redhatcve
redhatcve
added 2026/06/05 7:29 p.m.12 views

CVE-2026-46356

Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...

7.5CVSS5.5AI score0.00276EPSS
Exploits0References1
snyk
snyk
added 2026/05/26 10:48 p.m.9 views

Improper Authentication

Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade github.com/fleetdm/fleet/server/mock to...

8.2CVSS5.8AI score0.00214EPSS
Exploits0References3
snyk
snyk
added 2026/05/14 9:22 p.m.6 views

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...

6.9CVSS5.7AI score0.0043EPSS
Exploits0References2
cve
cve
added 2026/05/14 7:3 p.m.41 views

CVE-2026-46356

Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...

7.5CVSS5.8AI score0.00276EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/05/14 7:0 p.m.2 views

CVE-2026-26062 Fleet server may terminate unexpectedly when handling certain gRPC requests

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to...

8.7CVSS6AI score0.00372EPSS
Exploits0References4
nvd
nvd
added 2026/04/08 7:25 p.m.6 views

CVE-2026-27806

Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command"expect", "-c", script. Because the...

7.8CVSS0.00111EPSS
Exploits0References1
susecve
susecve
added 2026/04/06 11:24 p.m.5 views

SUSE CVE-2026-34385

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

8.6CVSS5.9AI score0.00197EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/03/28 11:10 p.m.3 views

CVE-2026-34388

Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all...

8.7CVSS5.9AI score0.00263EPSS
Exploits0References1
nvd
nvd
added 2026/03/27 7:16 p.m.5 views

CVE-2026-26060

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...

8.8CVSS0.00335EPSS
Exploits0References1
osv
osv
added 2026/03/27 6:29 p.m.6 views

CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database

Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...

8.6CVSS6AI score0.00197EPSS
Exploits0References3
cve
cve
added 2026/03/27 6:22 p.m.29 views

CVE-2026-26060

CVE-2026-26060 concerns Fleet, an open-source device-management platform. According to the provided sources, prior to version 4.81.0, the password-management logic allowed previously issued password-reset tokens to remain valid after a user changes their password, enabling a stale token to be use...

8.8CVSS5.8AI score0.00335EPSS
Exploits0References1Affected Software1
susecve
susecve
added 2026/03/25 12:27 a.m.4 views

SUSE CVE-2026-26186

Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the orderkey query parameter. Due to unsafe use of goqu.I when constructing the ORDER BY clause, specially crafted input...

8.8CVSS6.2AI score0.00301EPSS
Exploits0References3
euvd
euvd
added 2026/03/11 9:31 a.m.4 views

EUVD-2026-11115

Update to verison IFTOPP4181 or later...

6.1CVSS5.8AI score0.0025EPSS
Exploits0References3
euvd
euvd
added 2026/02/26 7:35 p.m.11 views

EUVD-2026-8826

Fleet: Device lock PIN can be predicted if lock time is known...

4.1CVSS5.2AI score0.00124EPSS
Exploits0References3
attackerkb
attackerkb
added 2026/02/26 2:49 a.m.4 views

CVE-2026-25963

Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports...

6.5CVSS5.3AI score0.00191EPSS
Exploits0References2Affected Software1
cvelist
cvelist
added 2026/02/26 2:43 a.m.25 views

CVE-2026-24004 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint

Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...

6.3CVSS0.00262EPSS
Exploits0References1
cve
cve
added 2026/02/26 2:43 a.m.20 views

CVE-2026-24004

CVE-2026-24004 affects Fleet open source device management software prior to 4.80.1. The issue is in Android MDM Pub/Sub handling, allowing unauthenticated requests to trigger unenrollment events, potentially removing individual Android devices from Fleet management. Impact is disruption of Andro...

6.3CVSS5.6AI score0.00262EPSS
Exploits0References1Affected Software1
nessus
nessus
added 2026/01/16 12:0 a.m.4 views

MiracleLinux 7 : qemu-kvm-1.5.3-126.el7 (AXSA:2016-1109:04)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-1109:04 advisory. qemu-kvm is an open source virtualizer that provides hardware emulation for the KVM hypervisor. qemu-kvm acts as a virtual machine monitor together...

5.5CVSS6.7AI score0.00513EPSS
Exploits0References3
cvelist
cvelist
added 2025/12/18 7:22 a.m.26 views

CVE-2025-64374 WordPress Motors theme <= 5.6.81 - Arbitrary File Upload vulnerability

Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files.This issue affects Motors: from n/a through = 5.6.81...

9.9CVSS0.00315EPSS
Exploits0References1
euvd
euvd
added 2025/12/02 5:46 a.m.2 views

EUVD-2025-200193

Malicious code in internallibv881 npm...

6.6AI score
Exploits0References1
Rows per page
Query Builder