392 matches found
CVE-2026-58501
Zeep (Python SOAP client) is affected in versions 4.0.0 through before 4.3.3, where Settings.forbid_external is defined but not enforced during WSDL/XSD parsing. This allows transitive xsd:import, xsd:include, wsdl:import, and lxml entity or DTD references to fetch attacker‑controlled HTTP/HTTPS ...
PT-2026-51626
Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description An authorization bypass exists where three API endpoints are protected by write-level middleware instead of administrator-level middleware. This allows a collaborator with write access to perfor...
CVE-2026-50086
creationtimestamp| type| source ---|---|--- 2026-06-12 17:02:38+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mo47staxip26 2026-06-12 17:22:22+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mo4aw4qbey2p...
CVE-2026-20256 Improper Input Validation through Protocol-Relative URL in Classic Dashboards in Splunk Enterprise
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could cause data exfiltration through classic...
CVE-2026-42591
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely...
CVE-2026-11279
creationtimestamp| type| source ---|---|--- 2026-06-05 03:02:06+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mnj5lde6ga2b 2026-06-05 13:24:40+00:00| seen| https://infosec.exchange/users/cR0w/statuses/116697713800926918 2026-06-07 18:00:00+00:00| seen|...
CVE-2026-4944
creationtimestamp| type| source ---|---|--- 2026-05-28 20:01:05+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmwss4nokb2g 2026-05-28 21:34:10+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmwxykvxhb2i...
Astra Linux – Vulnerability in Thunderbird
When an email contains multiple attachments with external links via the X-Mozilla-External-Attachment-URL header, only the last link is displayed when the mouse hovers over any attachment. Although the correct link is used upon clicking, the misleading hover text may lead users to download conten...
CVE-2026-42591 Gotenberg: Server-Side Request Forgery (SSRF) in github.com/gotenberg/gotenberg/v8
Gotenberg is a Docker-powered stateless API for PDF files. Prior to 8.32.0, the LibreOffice conversion endpoint /forms/libreoffice/convert passes uploaded documents directly to LibreOffice without inspecting their content. LibreOffice then fetches any embedded external URLs on its own, completely...
CVE-2026-41513
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects...
CVE-2026-41513
Horilla is an HR and CRM software. In 1.5.0, the notification endpoints trust the unvalidated next parameter and redirect users to arbitrary external URLs. This allows an attacker to turn trusted application links into phishing or social-engineering redirects...
Weblate 安全漏洞
Weblate is an open-source, copyleft, web-based free software system for continuous localization. Versions of Weblate prior to 5.17 contained security vulnerabilities, which stemmed from the ZIP download feature not verifying the files being downloaded; these vulnerabilities could exploit symbolic...
CVE-2026-32920
creationtimestamp| type| source ---|---|--- 2026-03-31 12:51:11+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mie7pzf3zw2h 2026-03-31 13:19:01+00:00| seen| Telegram/jSTFa01DEWFRhQKHtf4fP3tqxxyDE1Jfuh4yALHVDvczs38 2026-03-31 13:51:47+00:00| seen|...
CVE-2026-33728
creationtimestamp| type| source ---|---|--- 2026-03-27 01:30:32+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mhyxta3ux52y 2026-03-27 01:30:32+00:00| seen| https://infosec.exchange/users/offseq/statuses/116298549180324287 2026-03-27 03:05:08+00:00| seen|...
CVE-2026-28536
creationtimestamp| type| source ---|---|--- 2026-03-05 07:30:28+00:00| seen| https://infosec.exchange/users/offseq/statuses/116175393685481196 2026-03-05 07:30:29+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mgcboltqp32m 2026-03-05 08:01:30+00:00| seen|...
CVE-2026-1628
Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...
CVE-2026-1628
Mattermost Desktop App versions
CVE-2026-1628 Mattermost allows external websites to open within the app, exposing preload functionality to non-trusted sites.
Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...
PT-2026-22584
Mattermost Desktop App versions =5.13.3 fail to attach listeners restricting navigation to external sites within the Mattermost app which allows a malicious server to expose preload script functionality to untrusted servers via having a user open an external link in their Mattermost server...
EUVD-2026-8777
Zed, a code editor, has a symlink escape vulnerability in versions prior to 0.225.9 in Agent file tools readfile, editfile. It allows reading and writing files outside the project directory when a project contains symbolic links pointing to external paths. This bypasses the intended workspace...