7073 matches found
CVE-2026-20297
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the editlocalapps and installapps capabilities could cause a legitimate app...
CVE-2026-47703
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by producing dnsid=0 or txid=0 and exposed a quoted-port ICMP source-port oracle, weakening DNS response...
CVE-2026-47703 AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by producing dnsid=0 or txid=0 and exposed a quoted-port ICMP source-port oracle, weakening DNS response...
CVE-2026-62685
The CVE affects File Browser prior to version 2.63.17. The issue arises in how user scopes are built from usernames via cleanUsername() when Signup=true and CreateUserDir=true: the many-to-one normalization can collapse usernames such as team/one, team one, and team-one to the same home directory...
CVE-2026-15779
A flaw was found in samba's pamwinbind. When mkhomedir is enabled, pamwinbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts can...
EUVD-2026-44662
A flaw was found in samba's pamwinbind. When mkhomedir is enabled, pamwinbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts can...
CVE-2026-15779 Samba-winbind: samba: pam_winbind mkhomedir chowns critical system paths without validation
A flaw was found in samba's pamwinbind. When mkhomedir is enabled, pamwinbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts can...
CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...
CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...
CVE-2026-15809
The CVE-2026-15809 entry applies to CRI-O. It describes a bypass of the fix for CVE-2022-4318: an attacker who can set container environment variables can inject a newline into HOME, enabling addition of arbitrary lines to /etc/passwd via a crafted environment variable. Affected component is CRI-...
ECT Home Page Products - Reflected XSS
ECT Home Page Products WordPress plugin through 1.9 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit...
Home Assistant HACS - Local File Inclusion
Home Assistant before 2021.1.3 lacks a protection layer against directory-traversal attacks in custom integrations, letting attackers access arbitrary files, exploit requires attacker to deploy malicious custom integration. id: CVE-2021-3152 info: name: Home Assistant HACS - Local File Inclusion...
PT-2026-60310
Name of the Vulnerable Software and Affected Versions Node Version Manager nvm versions 0.32.1 through 0.40.5 Description An issue exists where nvm ls-remote and other commands that refresh remote LTS aliases, such as nvm install --lts, parse the node.js mirror's index.tab and use the LTS codenam...
Malicious code in home-mp-commons (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 885b9dad73e9eeb07a1fcb4a94493ec85573f656f7b9347a8682f56db359cfd6 [email protected] is an empty npm package declared main index.js is absent from the tarball whose sole effect on install is to resolve a single...
CVE-2026-15498
A vulnerability was identified in sergomanov SmartHomeAdatum up to cf495353d81b680675eb8d9aa14a318aa45ce12c. This impacts an unknown function of the file users.php of the component Login. Such manipulation of the argument Login leads to sql injection. The attack may be launched remotely. This...
CVE-2026-15498
CVE-2026-15498 affects the sergomanov SmartHomeAdatum product, specifically the Login component’s file users.php . The root cause is improper handling of the Login argument, which enables a SQL injection. The vulnerability is exploitable remotely over the network. No version details are provided ...
CVE-2026-59854
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...
CVE-2026-59854
SiYuan (open-source PKM) prior to 3.7.1 allows an authenticated administrator or API-token user to copy home-directory credential files into the workspace via POST /api/file/globalCopyFiles. The root cause is util.IsSensitivePath’s denylist in kernel/util/path.go missing common home-dir dotfiles ...
PT-2026-57011
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.7.1 Description An authenticated administrator or API-token user can exfiltrate sensitive files from the host system. The 'POST /api/file/globalCopyFiles' endpoint accepts absolute source paths and uses the...
PYSEC-2026-1454 Home Assistant Core before is vulnerable to Directory Traversal
Home Assistant Core before v2025.8.0 is vulnerable to Directory Traversal. The Downloader integration does not fully validate file paths during concatenation, leaving a path traversal vulnerability...