Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the API response process. An attacker can access sensitive information about team member roles by invoking various team API endpoints without having elevated permissions. Remediation Upgrade...

Astra Linux - уязвимость в rabbitmq-server

RabbitMQ is a multi-protocol messaging broker. In rabbitMQ-server prior to version 3.8.17, adding a new user through the management UI could result in the user’s banner being displayed in a confirmation message without proper tag sanitization, potentially allowing JavaScript code to execute withi...

Astra Linux - уязвимость в rabbitmq-server

RabbitMQ is a multi-protocol messaging broker. In rabbitmq-server prior to version 3.8.18, when a federation link was displayed in the RabbitMQ management UI through the rabbitmqfederationmanagement plugin, its consumer tag was rendered without proper tag sanitization. This potentially allows for...

CVE-2026-43535

OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a mo...

PT-2026-35491

The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges...

PT-2026-37020

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.14 Description An authorization context reuse issue exists in collect-mode queue batches. This allows messages from different senders to inherit the authorization context of the final sender. An attacker can...

CVE-2026-34765

A flaw was found in Electron, a framework for building desktop applications. This vulnerability allows a malicious component within an Electron application to hijack an existing child window opened by another part of the application if both use the same window name. This could lead to the malicio...

PT-2026-24746

Name of the Vulnerable Software and Affected Versions Jellyfin versions affected versions not specified Description Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in the jellyfin/jellyfin-ios repository is susceptible to arbitrary code execution through pull...

PHPGurukul Gym Management System 安全漏洞

PHPGurukul Gym Management System is a gym management system developed by PHPGurukul Inc. Version 1.0 of the PHPGurukul Gym Management System has a security vulnerability. This vulnerability stems from the cross-site request forgery feature in the user panel configuration file update function, whi...

yoke 代码注入漏洞

Yoke is a Kubernetes package management tool developed by YokeCD. Versions of Yoke prior to 0.19.0 contained a code injection vulnerability. This vulnerability stemmed from the lack of proper URL validation in the Air Traffic Controller component, allowing users with the authority to create or...

CVE-2025-62676

An Improper Link Resolution Before File Access 'Link Following' vulnerability CWE-59 vulnerability in Fortinet FortiClientWindows 7.4.0 through 7.4.4, FortiClientWindows 7.2.0 through 7.2.12, FortiClientWindows 7.0 all versions may allow a local low-privilege attacker to perform an arbitrary file...

CVE-2019-25305

JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions...

CVE-2021-22311

There is an improper permission assignment vulnerability in Huawei ManageOne product. Due to improper security hardening, the process can run with a higher privilege. Successful exploit could allow certain users to do certain operations with improper permissions. Affected product versions include...

CVE-2023-25646

There is an unauthorized access vulnerability in ZTE H388X. If H388X is caused by brute-force serial port cracking,attackers with common user permissions can use this vulnerability to obtain elevated permissions on the affected device by performing specific operations...

CVE-2021-31840

A vulnerability in the preloading mechanism of specific dynamic link libraries in McAfee Agent for Windows prior to 5.7.3 could allow an authenticated, local attacker to perform a DLL preloading attack with unsigned DLLs. To exploit this vulnerability, the attacker would need to have valid...

CVE-2021-31841

A DLL sideloading vulnerability in McAfee Agent for Windows prior to 5.7.4 could allow a local user to perform a DLL sideloading attack with an unsigned DLL with a specific name and in a specific location. This would result in the user gaining elevated permissions and the ability to execute...

Authorization Bypass

Signal K Server is vulnerable to Authorization Bypass. The vulnerability is due to misleading access request UI and trust of spoofable X-Forwarded-For headers, allowing attackers to impersonate trusted devices and request elevated permissions that administrators may unknowingly approve...

GHSA-VFRF-VCJ7-WVR8 Signal K Server Vulnerable to Access Request Spoofing

The SignalK access request system has two related features that when combined by themselves and with the infromation disclosure vulnerability enable convincing social engineering attacks against administrators. When a device creates an access request, it specifies three fields: clientId,...

PT-2026-1025

Name of the Vulnerable Software and Affected Versions Signal K Server versions prior to 2.19.0 Description Signal K Server is a server application used on boats. Versions prior to 2.19.0 contain issues in the access request system that, when combined, can be used in social engineering attacks...