73 matches found
golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root
A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...
PT-2026-40951
HCL AION is affected by a vulnerability where sensitive backend infrastructure details may be exposed. Exposure of such information could reveal internal system architecture or configuration details, which may potentially assist in further analysis or targeted actions under certain conditions...
HCL AION 安全漏洞
HCL AION is an AI lifecycle management platform developed by the Indian company HCL. HCL AION has a security vulnerability, which stems from the possibility of exposing sensitive details related to backend infrastructure. This could lead to the disclosure of internal system architecture or...
PT-2026-37164
Name of the Vulnerable Software and Affected Versions Kirby versions prior to 4.9.0 Kirby versions prior to 5.4.0 Description Missing authorization in the system API endpoint allows authenticated users to access sensitive information. Specifically, the '/api/system' endpoint leaks the installed...
EUVD-2026-17650
AVideo: Missing Authentication in CreatePlugin list.json.php Template Affects 21 Endpoints...
CVE-2026-34732
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo CreatePlugin template for list.json.php does not include any authentication or authorization check. While the companion templates add.json.php and delete.json.php both require admin privileges, the list.json.php...
CVE-2026-34732
WWBN AVideo CVE-2026-34732 affects the CreatePlugin list.json.php template (versions ≤26.0). The template ships without authentication/authorization checks, while add.json.php and delete.json.php require admin privileges. This omission creates 21 unauthenticated data-listing endpoints across the ...
EUVD-2025-209145
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface UI to execute arbitrary operating system commands as the root user on the Socket’s internal system...
CVE-2025-14213 Cato's Socket WebUI is vulnerable to OS Command Injection
Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface UI to execute arbitrary operating system commands as the root user on the Socket’s internal system...
IBM InfoSphere Information Server 安全漏洞
IBM InfoSphere Information Server is IBM's data integration platform for integrating, cleansing, transforming and managing enterprise data. An information disclosure vulnerability exists in IBM InfoSphere Information Server that stems from the system returning overly detailed error messages. An...
CVE-2026-28442
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
CVE-2026-28442
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
CVE-2026-28442 ZimaOS: Arbitrary Deletion of Internal System Files via API Path Manipulation
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, users are restricted from deleting internal system files or folders through the application interface. However, when interacting directly with the API, these restrictions can be...
PT-2026-23517
Name of the Vulnerable Software and Affected Versions ZimaOS version 1.5.2-beta3 Description ZimaOS, a fork of CasaOS, exhibits a security issue where restrictions on deleting internal system files and folders can be bypassed through manipulation of the API. Specifically, altering the path...
CVE-2025-59819
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path...
CVE-2025-59819
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path...
CVE-2025-59819 Authenticated Arbitrary File Read via filepath parameter
This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path...
CVE-2025-59819
The CVE-2025-59819 entries describe an authenticated arbitrary-file-read vulnerability: an attacker can supply a crafted filepath parameter that is mapped to an internal system path, enabling access to arbitrary files. Multiple sources (NVD, Red Hat, CVE list, Attackerkb, etc.) corroborate the sa...