
23 matches found

NVD
added 2026/06/11 8:16 p.m., 16 views

CVE-2026-49973

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

CVSS 9.4, EPSS 0.00543
Exploits: 0, References: 5
Vulnrichment
added 2026/06/11 7:4 p.m., 7 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

CVSS 9.4, AI score 5.5, EPSS 0.00543
Exploits: 0, References: 5
Cvelist
added 2026/06/11 7:4 p.m., 24 views

CVE-2026-49973 Hermes WebUI < 0.51.358 Unauthenticated Password Takeover via /api/settings

Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the setpassword parameter to the settings API endpoint without any network origin restriction. Attackers on any reachable netwo...

CVSS 9.4, EPSS 0.00543
Exploits: 0, References: 5
CVE
added 2026/06/11 7:4 p.m., 15 views

CVE-2026-49973

CVE-2026-49973 affects Hermes WebUI prior to version 0.51.358. The issue is an improper access control in the settings API that allows unauthenticated remote attackers to hijack the initial setup by posting to the /api/settings endpoint using the _set_password parameter without origin restriction...

CVSS 9.4, AI score 5.7, EPSS 0.00543
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/20 7:35 p.m., 13 views

Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

Source: amazon-inspector (8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e). When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

AI score 5.9
Exploits: 0, References: 1
OSV
added 2026/05/20 7:35 p.m., 7 views

MAL-2026-4386 Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

Source: amazon-inspector (8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e). When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

AI score 5.9
Exploits: 0, References: 1
Snyk
added 2026/05/06 4:59 p.m., 4 views

Missing Authentication for Critical Function

Overview: github.com/0xJacky/Nginx-UI is yet another Nginx Web UI, developed by 0xJacky and Hintay. Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the POST /api/install endpoint during the initial setup 10-minute window, which is accessible...

CVSS 9.8, AI score 5.8, EPSS 0.00339
Exploits: 1, References: 3
EUVD
added 2026/05/06 4:59 p.m., 6 views

EUVD-2026-27135

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim...

CVSS 9.8, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 3
GitLab Advisory Database
added 2026/05/06 12:0 a.m., 8 views

Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; i...

CVSS 9.8, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 4, Affected Software: 1
RedhatCVE
added 2026/05/05 8:21 p.m., 6 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

CVSS 9.8, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 1
NVD
added 2026/05/04 9:16 p.m., 8 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

CVSS 9.8, EPSS 0.00346
Exploits: 1, References: 2
Cvelist
added 2026/05/04 8:9 p.m., 32 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

CVSS 8.1, EPSS 0.00346
Exploits: 1, References: 2
Vulnrichment
added 2026/05/04 8:9 p.m., 4 views

CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

CVSS 8.1, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 2
ATTACKERKB
added 2026/05/04 8:9 p.m., 6 views

CVE-2026-42221

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...

CVSS 8.1, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 3, Affected Software: 1
CNNVD
added 2026/05/04 12:0 a.m., 9 views

Nginx UI Access Control Error Vulnerability

Nginx UI is a web interface for Nginx developed by Jacky. In versions 2.0.0 to 2.3.8 of Nginx UI, there was an access control vulnerability. This vulnerability stemmed from the fact that the public /api/install endpoint required no authentication during the first run, allowing unauthenticated...

CVSS 9.8, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 2
Positive Technologies
added 2026/04/21 12:0 a.m., 11 views

PT-2026-36921

Name of the Vulnerable Software and Affected Versions: Nginx UI versions 2.0.0 through 2.3.7. Description: An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without...

CVSS 9.8, AI score 5.8, EPSS 0.00346
Exploits: 1, References: 12
OSV
added 2021/10/18 1:15 p.m., 1 views

CVE-2021-22961

A code injection vulnerability exists within the firewall software of GlassWire v2.1.167 that could lead to arbitrary code execution from a file in the user path on first execution...

CVSS 9.8, AI score 7.8, EPSS 0.01671
Exploits: 0, References: 1
Microsoft KB
added 2019/03/11 12:0 a.m., 5 views

September 26, 2018—KB4458469 (OS Build 17134.320)

September 26, 2018—KB4458469 (OS Build 17134.320). Note: This update has been re-released because of a missing solution. If you installed build 17134.319, please install this newer version of OS build 17134.320. Improvements and fixes: This update includes quality improvements. No new operating system...

AI score 6.7
Exploits: 0
Microsoft KB
added 2018/09/27 12:0 a.m., 32 views

August 23, 2016 — KB3176934 (OS Build 14393.82)

August 23, 2016 — KB3176934 (OS Build 14393.82). This update includes quality improvements. No new operating system features are being introduced in this update. Key changes include: Improved reliability of Network Controller, DNS server, gateways, Storage Spaces Direct, Group Managed Service...

AI score 6.8
Exploits: 0
OpenVAS
added 2018/04/17 12:0 a.m., 9 views

Microsoft Office: Disable First Run Movie

This test checks the setting for policy OpenVAS Vulnerability Test $Id: office2013firstrunmovie.nasl 11843 2018-10-11 14:33:21Z emoss $ Check value for Disable First Run Movie Authors: Emanuel Moss Copyright: Copyright (c) 2018 Greenbone Networks GmbH, http://www.greenbone.net This program is free...

AI score 7.3
Exploits: 0