CVE-2026-55568

Guzzle is an extensible PHP HTTP client. Prior to 7.12.1, in certain configurations, traffic expected to be protected by TLS on the hop to the proxy is transmitted in cleartext. Proxy authentication credentials the Proxy-Authorization header, proxy userinfo in the proxy URL, or CURLOPTPROXYUSERPW...

EUVD-2026-38465

NanoClaw before 2.1.17 contains a privilege escalation vulnerability in the createagent delivery-action handler that performs privileged central-database writes without host-side authorization checks. Confined agent containers can invoke createagent to create arbitrary agent groups, container...

CVE-2026-56402

CVE-2026-56402 affects NanoClaw prior to 2.1.17. The issue is in handleApprovalsResponse where responder role authorization is not verified, allowing attackers with a valid questionId to approve or reject privileged actions (e.g., package installation) without proper role validation. The vulnerab...

CVE-2026-56815

pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor...

CVE-2026-56815

The CVE-2026-56815 entry concerns the pwnlift project, specifically a symlink following vulnerability in the upload handler located at Components/Pages/Home.razor, exploitable in a privileged deployment. Root cause is described as a symlink following issue within the upload handler. The CVSS 3.1 ...

EUVD-2026-38454

pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor...

CVE-2026-56815

pwnlift before d7a9544, in a privileged deployment, contains a symlink following vulnerability in the upload handler in Components/Pages/Home.razor...

EUVD-2026-38436

Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...

GHSA-5WRP-CWCJ-Q835 vulnerabilities

Vulnerabilities for packages: art, docker-fips, eks-distro-fips, kgateway, neuvector-sigstore-interface-fips, terraform-provider-databricks, aws-iam-authenticator-fips, authentik, azurefile-csi, flux-notification-controller, argo-workflows-fips, consul-k8s, tempo, kubescape-operator-fips, dapr,...

CVE-2026-41178 vulnerabilities

Vulnerabilities for packages: art, docker-fips, eks-distro-fips, kgateway, neuvector-sigstore-interface-fips, terraform-provider-databricks, aws-iam-authenticator-fips, authentik, azurefile-csi, flux-notification-controller, argo-workflows-fips, consul-k8s, tempo, kubescape-operator-fips, dapr,...

EasySpider 0.6.2 - Arbitrary File Read

A vulnerability classified as problematic was found in NaiboWang EasySpider 0.6.2 on Windows. Affected by this vulnerability is an unknown functionality of the file \EasySpider\resources\app\server.js of the component HTTP GET Request Handler. The manipulation with the input...

CVE-2026-42129

The Loki datasource plugin's callResource handler contains a path traversal vulnerability. An authenticated Viewer-role user can escape the plugin's resource sandbox and access administrative Loki endpoints e.g. /config, /services, /ready to extract sensitive backend configuration and internal...

ROOT-APP-MAVEN-CVE-2026-44249 CVE-2026-44249 in io.root.io.netty:netty-handler - Patched by Root

Root has patched CVE-2026-44249 in the io.root.io.netty:netty-handler package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-45416 CVE-2026-45416 in io.root.io.netty:netty-handler - Patched by Root

Root has patched CVE-2026-45416 in the io.root.io.netty:netty-handler package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2026-42578 CVE-2026-42578 in io.root.io.netty:netty-handler-proxy - Patched by Root

Root has patched CVE-2026-42578 in the io.root.io.netty:netty-handler-proxy package for Root:Maven. Multiple fixed versions available...

Hongdian H8922 3.0.5 Devices - Local File Inclusion

Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /logdownload.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ e.g., ../../etc/passwd This can be carried out wi...

Labstack Echo 4.8.0 - Open Redirect

Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2022-400...

Likeshop < 2.5.7.20210311 - Arbitrary File Upload

A vulnerability classified as critical was found in Likeshop up to 2.5.7.20210311. This vulnerability affects the function FileServer::userFormImage of the file server/application/api/controller/File.php of the component HTTP POST Request Handler. The manipulation of the argument file with an...

Apache Flink 1.5.1 - Local File Inclusion

Apache Flink 1.5.1 is vulnerable to local file inclusion because of a REST handler that allows file uploads to an arbitrary location on the local file system through a maliciously modified HTTP HEADER. id: CVE-2020-17518 info: name: Apache Flink 1.5.1 - Local File Inclusion author: pdteam severit...

EUVD-2026-38199

A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be...