327 matches found
CVE-2026-28790 OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, bu...
CVE-2026-28790 OliveTin: Unauthenticated Action Termination via KillAction When Guests Must Login
OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.0, OliveTin allows an unauthenticated guest to terminate running actions through KillAction even when authRequireGuestsToLogin: true is enabled. Guests are correctly blocked from dashboard access, bu...
GHSA-VF6J-6739-78M8 Rancher's Azure AD permission changes are not reflected on active sessions
A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization in the KillAction function. An attacker can terminate active jobs initiated by legitimate users by directly invoking the KillAction endpoint without authentication, even when guest login is required. This can...
CVE-2026-27458 LinkAce: Stored XSS in Atom Feed via CDATA Escape in List Description
LinkAce is a self-hosted archive to collect website links. Versions 2.4.2 and below have a Stored Cross-site Scripting vulnerability through the Atom feed endpoint for lists /lists/feed. An authenticated user can inject a CDATA-breaking payload into a list description that escapes the XML CDATA...
CVE-2025-11598
In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended reopening the app would require the user to log in. The data exposed depends on the last application view...
EUVD-2025-206765
In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner's personal information in the minimized app window, even after the login session has ended reopening the app would require the user to log in. The data exposed depends on the last application view...
PT-2026-5872
Name of the Vulnerable Software and Affected Versions mObywatel versions prior to 4.71.0 Description An unauthorized user can view an account owner's personal information in the minimized application window using the App Switcher, even after the login session has ended. Reopening the application...
CVE-2026-21984
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to...
CVE-2026-21956
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromis...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003617)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003617 advisory. An information disclosure vulnerability exists when certain central processing units CPU speculatively access memory. An attacker who successfully exploited the...
CVE-2025-68492
Chainlit versions prior to 2.8.5 contain an authorization bypass through user-controlled key vulnerability. If this vulnerability is exploited, threads may be viewed or thread ownership may be obtained by an attacker who can log in to the product...
CVE-2023-49620
Before DolphinScheduler version 3.1.0, the login user could delete UDF function in the resource center unauthorized which almost used in sql task, with unauthorized access vulnerability IDOR, but after version 3.1.0 we fixed this issue. We mark this cve as moderate level because it still requires...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000205)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000205 advisory. An information disclosure vulnerability exists when certain central processing units CPU speculatively access memory. An attacker who successfully exploited the...
CVE-2025-53592
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following...
CVE-2025-52692
Successful exploitation of the vulnerability could allow an attacker with local network access to send a specially crafted URL to access certain administration functions without login credentials...
Linksys E9450-SG 安全漏洞
The Linksys E9450-SG is a WiFi router from Linksys USA. A security vulnerability exists in the Linksys E9450-SG that originates from a local network attacker being able to send a specially crafted URL to access certain administrative functions without requiring login credentials...
CVE-2025-55895
TOTOLINK A3300R V17.0.0cu.557B20221024 and N200RE V9.3.5u.6448B20240521 and V9.3.5u.6437B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in remote...
CVE-2025-55895
TOTOLINK A3300R V17.0.0cu.557B20221024 and N200RE V9.3.5u.6448B20240521 and V9.3.5u.6437B20230519 are vulnerable to Incorrect Access Control. Attackers can send payloads to the interface without logging in remote...
PT-2025-48774
ASUS warns of a critical flaw in AiCloud routers CVE-2025-593656. Attackers can remotely run OS commands no login needed. • Update firmware • Disable AiCloud/Samba/WAN access if no patch • Replace end-of-life devices • Strengthen passwords https://t.co/Dt2oT0g298...