46 matches found
CVE-2026-43984
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose logjserrors to any authenticated user, including guest users when guest access is enabled. The endpoint writes attacker-controlled strings directly into the main application log. The...
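The Tautulli entry above describes a log-injection primitive: a string the client controls is written verbatim into the application log, so a CR/LF inside it forges a second, fake log line. The following Python block is an added illustration written for this listing, not Tautulli's own code; the endpoint name, the log format and the attacker string are constructed for the demo. It shows the forged line beside the sanitized version that keeps one request on one log line.

```python
import io
import logging
import re

# Constructed attacker input: a JS "error message" that carries a CRLF so the
# second half lands on its own line and looks like a genuine server event.
ATTACKER_MSG = "TypeError: x is undefined\r\nINFO :: Admin login succeeded for user=root"

# Control characters (NUL..US and DEL) cover CR, LF, ESC (ANSI sequences) etc.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize(value: str) -> str:
    """Escape control characters so attacker text cannot start a new log line
    or inject terminal escape sequences into whoever tails the log."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def _logger_to_buffer():
    """Fresh logger writing to an in-memory buffer (a stand-in for the log file)."""
    buf = io.StringIO()
    logger = logging.getLogger(f"logdemo-{id(buf)}")  # unique name: no handler build-up
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s :: %(message)s"))
    logger.addHandler(handler)
    return logger, buf


def log_client_error_vulnerable(msg: str) -> list[str]:
    """Hypothetical vulnerable handler: logs the client string as-is."""
    logger, buf = _logger_to_buffer()
    logger.warning("JS error: %s", msg)
    return buf.getvalue().splitlines()


def log_client_error_safe(msg: str) -> list[str]:
    """Hardened handler: control characters are escaped before logging."""
    logger, buf = _logger_to_buffer()
    logger.warning("JS error: %s", sanitize(msg))
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("vulnerable:", log_client_error_vulnerable(ATTACKER_MSG))  # two lines, one forged
    print("safe:      ", log_client_error_safe(ATTACKER_MSG))        # one line, CRLF escaped
```

The vulnerable handler produces two log records from a single request, the second of which carries a level and text chosen by the attacker; the hardened handler produces exactly one. Escaping (rather than silently stripping) preserves the evidence that injection was attempted.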
PT-2026-45040
Summary modules/documents-files.php mode file rename save shares the same root-cause shape as the cross-folder move bug 05-documents-cross-folder-move-idor.md: the top-level rights check at lines 79-89 validates hasUploadRight on the URL parameter folder uuid, but the rename operation acts on fil...
CVE-2026-23887 (the same description is also listed under EUVD-2026-4201 and PT-2026-3883)
CVE-2026-23887 Group-Office has stored XSS vulnerability via unsanitized filenames
Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting XSS. Users who interact with these specially...
CVE-2025-60915
An issue in the size query parameter of /views/file.py in Austrian Archaeological Institute OpenAtlas before v8.12.0 allows attackers to perform a path traversal via a crafted request...
Austrian Academy of Sciences OpenAtlas security vulnerability
Austrian Academy of Sciences OpenAtlas is a database application dealing with archaeology and history organized by the Austrian Academy of Sciences in Austria. A security vulnerability exists in Austrian Academy of Sciences OpenAtlas versions prior to 8.12.0, which stems from improper handling of...
EUVD-2025-14191
Malicious code in bioql PyPI...
Scada-LTS security vulnerability
Scada-LTS is an open source, web-based, multi-platform solution from Scada-LTS Open Source. A security vulnerability exists in Scada-LTS version 2.7.8.1 and earlier, which stems from cross-site scripting via improper handling of the Name parameter in the file viewedit.shtm...
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
A flaw was found in Apache Tomcat. In certain conditions and configurations, this vulnerability allows a remote attacker to exploit a path equivalence flaw to view file system contents and add malicious content via a write-enabled Default Servlet in Apache Tomcat. For the vulnerability to be...
CVE-2024-6215
The CVE-2024-6215 entry concerns SourceCodester Food Ordering Management System (up to 1.0). A vulnerability affects the view-ticket-admin.php file where manipulating the id parameter leads to SQL injection. The issue is described as remote-exploitable with a publicly disclosed exploit. Multiple ...
CVE-2024-5103
A vulnerability was found in Campcodes Complete Web-Based School Management System 1.0. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /view/studentfirstpayment.php. The manipulation of the argument grade leads to sql injection. The attack...
CVE-2024-4905
CVE-2024-4905 affects Kashipara College Management System 1.0. The vulnerability resides in an unknown function of the file view_students_each_detail.php where manipulation of the id argument enables SQL injection. Exploitation is described as remote and publicly disclosed, with VDB-264438 as the...
CVE-2024-4815
A vulnerability, which was classified as critical, has been found in Ruijie RG-UAC up to 20240506. Affected by this issue is some unknown functionality of the file /view/bugSolve/viewData/detail.php. The manipulation of the argument filename leads to os command injection. The attack may be launch...
Improper access control
IBM CICS Transaction Gateway 9.3 could allow a user to transfer or view files due to improper access controls. IBM X-Force ID: 270259...
CVE-2023-47140
IBM CICS Transaction Gateway 9.3 (Containers) is affected by CVE-2023-47140 due to improper access controls that could allow a user to transfer or view files. The IBM Security Bulletin (CA480D0E529A...) states affected product: CICS Transaction Gateway Containers 9.3, with remediation guidance po...
VulnCheck KEV: CVE-2023-38831
RARLAB WinRAR contains an unspecified vulnerability that allows an attacker to execute code when a user attempts to view a benign file within a ZIP archive...
CVE-2023-35786
Zoho ManageEngine ADManager Plus before 7183 allows admin users to exploit an XXE issue to view files...
CVE-2023-35786
CVE-2023-35786 affects Zoho ManageEngine ADManager Plus; before build 7183, authenticated administrators can trigger an XML External Entity (XXE) injection to view server files. The issue is constrained to versions prior to 7183, with the vulnerability arising from XXE in the application’s handli...