6909 matches found
CVE-2026-41878
Vulnerability (CVE-2026-41878) in R-SOFT DMS: Insecure Direct Object Reference (IDOR) affecting multiple file download endpoints. The app fetches files from the database by ID and serves them to any request, relying solely on session authentication, enabling a valid user to access any file. Repor...
XWiki DeleteApplication - Cross-Site Scripting
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...
Chuanhu Chat - Directory Traversal
The gaizhenbiao/chuanhuchatgpt application is vulnerable to a path traversal attack due to its use of an outdated gradio component. The application is designed to restrict user access to resources within the webassets folder. However, the outdated version of gradio it employs is susceptible to pa...
QNAP Music Station < 5.4.0 - Authentication Bypass
An improper authentication vulnerability has been reported to affect Music Station. If exploited, the vulnerability could allow users to compromise the security of the system via a network. We have already fixed the vulnerability in the following version: Music Station 5.4.0 and later id:...
Sonatype Nexus Repository Manager 3 - Local File Inclusion
Path Traversal in Sonatype Nexus Repository 3 allows an unauthenticated attacker to read system files. Fixed in version 3.68.1. id: CVE-2024-4956 info: name: Sonatype Nexus Repository Manager 3 - Local File Inclusion author: ritikchaddha severity: high description: | Path Traversal in Sonatype...
EUVD-2026-39007
Mistune: Potential DoS via quadratic-time parsing in parselinktext...
CVE-2026-55689
OpenFGA is an authorization/permission engine built for developers. Prior to 1.18.0, OpenFGA's OIDC authenticator skipped JWT audience validation when authn.method was set to oidc, authn.oidc.issuer was configured, and authn.oidc.audience was not set, allowing a token minted for an unrelated...
CVE-2026-55212
CVE-2026-55212 affects Pimcore’s Studio API: the class definition creation endpoint POST /pimcore-studio/api/class/definition/configuration-view/detail/create validates permissions against the objects permission instead of the classes permission, enabling a standard editor-level user to create cl...
CVE-2026-59213
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.6.27 before 0.10.0, getallmodels handlers in routers/openai.py and routers/ollama.py passed a lambda to aiocache key instead of keybuilder, causing permission-filtered per-user model lists to share a stat...
CVE-2026-50644
SOPlanning is vulnerable to SQL injection in the audit retention configuration. An attacker holding parametersall rights can inject SQL commands into the audit configuration form which is then saved. The execution is triggered when the audit functionality is accessed by the attacker or another...
CVE-2026-59269
A user authenticating to Kubernetes clusters via the Pinniped Supervisor could potentially gain elevated permissions in the clusters, only if all the following conditions were true: the Pinniped Supervisor server is running with an ActiveDirectoryIdentityProvider resource configured; the...
CVE-2026-54777
CoreWCF.NetNamedPipe transport is vulnerable to a local TOCTOU race where an attacker can race a NamedPipeListener between the shared-memory GUID publication and the creation of the service pipe, enabling interception of NetNamedPipe traffic by attaching to a pre-existing named pipe instance. Aff...
CVE-2026-35210 OpenCTI: Authorization Bypass via `synchronized-upsert` HTTP Header Injection
OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. Prior to 7.260326.0, an authorization bypass vulnerability in OpenCTI allows any authenticated user with KNOWLEDGEKNUPDATE permission to bypass Confidence Level validation and Object Marking...
CVE-2026-58192 Appium: Unauthenticated arbitrary file/directory deletion in @appium/storage-plugin
Appium is a cross-platform automation framework for all kinds of apps, built on top of the W3C WebDriver protocol. Prior to 1.1.6, the Appium storage plugin exposes POST /storage/delete, whose handler passes the user-supplied name value directly into path.joinstorageRoot, name and fs.rimraf witho...
CVE-2026-59935 pypdf: Possible infinite loop for not terminated inline images (ASCII85 and ASCIIHex filter)
pypdf is a free and open-source pure-python PDF library. Prior to 6.14.2, an attacker can craft a PDF with a page content stream containing a not terminated inline image that uses the ASCII85 or ASCIIHex filters, causing an infinite loop during parsing such as when extracting page text. This issu...
CVE-2026-59946 Composer: Path traversal in package bin field lets dependencies chmod arbitrary host files
Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, a Composer package bin entry containing .. path segments can resolve outside the package install directory and cause Composer's binary installation flow to chmod an existing host file to a world-readable and...
CVE-2026-59924
Mistune is a Python Markdown parser with renderers and plugins. Prior to 3.3.0, Include.parse joins and normalizes user-supplied include paths without verifying that the result remains within the intended markdown directory, allowing crafted include paths to access files outside that directory wh...
CVE-2026-59876 protobufjs: Text Format string map parsing can mutate returned map object prototype
protobufjs compiles protobuf definitions into JavaScript JS functions. From 8.2.0 until 8.6.5, the protobufjs Text Format extension parsed string-keyed map entries using ordinary property assignment, allowing a map entry with key proto to change the prototype of the returned map object instead of...
CVE-2026-57439
CyberChef’s CVE-2026-57439 affects the Series Chart operation prior to version 11.2.0. The vulnerability arises when parsing user-supplied CSV, where proto can be used as a key, enabling prototype pollution. This can be chained with other operations (e.g., Parse UDP) to inject malicious JavaScrip...
CVE-2026-58654
The Grav API plugin (getgrav/grav-plugin-api) 1.0.0 suffers an unrestricted file upload in /api/v1/users/user/avatar: it validates only the client-declared MIME type and allows arbitrary content to be stored under user/accounts/avatars/ with predictable filenames. Although direct HTTP access is b...