56 matches found
CVE-2026-46356
Fleet is open source device management software. Prior to version 4.80.1, a vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances...
Improper Authentication
Overview Affected versions of this package are vulnerable to Improper Authentication via the windowsMDMManagement endpoint. An attacker can gain unauthorized access to management functionality by bypassing authentication mechanisms. Remediation Upgrade github.com/fleetdm/fleet/server/mock to...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to the reliance on client-supplied IP address headers such as X-Forwarded-For, X-Real-IP, and True-Client-IP. An attacker can circumvent per-IP rate limiting by supplying arbitrary values in these headers, causing...
CVE-2026-46356
Fleet (open-source device management) before v4.80.1 is vulnerable: an IP extraction flaw lets unauthenticated attackers bypass per-IP rate limits by rotating headers like True-Client-IP, X-Real-IP, or X-Forwarded-For, enabling brute-force or credential stuffing on exposed instances. Root cause: ...
CVE-2026-26062 Fleet server may terminate unexpectedly when handling certain gRPC requests
Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to...
CVE-2026-27806
Fleet is open source device management software. Prior to 4.81.1, the Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via exec.Command"expect", "-c", script. Because the...
SUSE CVE-2026-34385
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...
CVE-2026-34388
Fleet is open source device management software. Prior to 4.81.0, a denial-of-service vulnerability in Fleet's gRPC Launcher endpoint allows an authenticated host to crash the entire Fleet server process by sending an unexpected log type value. The server terminates immediately, disrupting all...
CVE-2026-26060
Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...
CVE-2026-34385 Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database
Fleet is open source device management software. Prior to 4.81.0, a second-order SQL injection vulnerability in Fleet's Apple MDM profile delivery pipeline could allow an attacker with a valid MDM enrollment certificate to exfiltrate or modify the contents of the Fleet database, including user...
CVE-2026-26060
CVE-2026-26060 concerns Fleet, an open-source device-management platform. According to the provided sources, prior to version 4.81.0, the password-management logic allowed previously issued password-reset tokens to remain valid after a user changes their password, enabling a stale token to be use...
SUSE CVE-2026-26186
Fleet is open source device management software. A SQL injection vulnerability in versions prior to 4.80.1 allowed authenticated users to inject arbitrary SQL expressions via the orderkey query parameter. Due to unsafe use of goqu.I when constructing the ORDER BY clause, specially crafted input...
EUVD-2026-11115
Update to verison IFTOPP4181 or later...
EUVD-2026-8826
Fleet: Device lock PIN can be predicted if lock time is known...
CVE-2026-25963
Fleet is open source device management software. In versions prior to 4.80.1, a broken authorization check in Fleet’s certificate template deletion API could allow a team administrator to delete certificate templates belonging to other teams within the same Fleet instance. Fleet supports...
CVE-2026-24004 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...
CVE-2026-24004
CVE-2026-24004 affects Fleet open source device management software prior to 4.80.1. The issue is in Android MDM Pub/Sub handling, allowing unauthenticated requests to trigger unenrollment events, potentially removing individual Android devices from Fleet management. Impact is disruption of Andro...
MiracleLinux 7 : qemu-kvm-1.5.3-126.el7 (AXSA:2016-1109:04)
The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2016-1109:04 advisory. qemu-kvm is an open source virtualizer that provides hardware emulation for the KVM hypervisor. qemu-kvm acts as a virtual machine monitor together...
CVE-2025-64374 WordPress Motors theme <= 5.6.81 - Arbitrary File Upload vulnerability
Unrestricted Upload of File with Dangerous Type vulnerability in StylemixThemes Motors motors allows Using Malicious Files.This issue affects Motors: from n/a through = 5.6.81...
EUVD-2025-200193
Malicious code in internallibv881 npm...