CVE-2026-48827 Apache MINA SSHD: Path traversal in org.apache.sshd:sshd-git

Path traversal vulnerability in Apache MINA SSHD bundle sshd-git. Lack of path validation in git-upload-pack, git-receive-pack, and other git operations allows users authenticated over SSH access to git repositories outside the configured git server root directory. Applications are affected if th...

GHSA-8GPM-H2MH-36QC Eclipse BaSyx Java Server SDK vulnerable to Path Traversal

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an...

CVE-2026-7412

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to...

UBUNTU-CVE-2026-7411

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an...

CVE-2026-7411

In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an...

CVE-2026-40041

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

CVE-2026-40041

CVE-2026-40041 affects Pachno 1.0.6 and describes a cross-site request forgery (CSRF) vulnerability arising from missing CSRF protections on state-changing endpoints. Attackers can craft requests that execute actions in an authenticated user context via attacker-controlled sites, targeting login,...

CVE-2026-40041 Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

CVE-2026-40041 Pachno 1.0.6 Cross-Site Request Forgery via State-Changing Endpoints

Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in authenticated user context by exploiting missing CSRF protections on state-changing endpoints. Attackers can craft malicious requests targeting login, registration, file upload,...

PT-2026-30208

A vulnerability was identified in NASA cFS up to 7.0.0 on 32-bit. Affected is the function CFE TBL ValidateCodecLoadSize of the file cfe/modules/tbl/fsw/src/cfe tbl passthru codec.c. The manipulation leads to integer overflow. The complexity of an attack is rather high. The exploitability is told...

SUSE CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository's Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

GO-2026-4627 Gogs: DOM-based XSS via milestone selection in gogs.io/gogs

Gogs: DOM-based XSS via milestone selection in gogs.io/gogs...

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the milestone selection. An attacker can execute arbitrary JavaScript code in the context of another user's browser by storing a crafted HTML or JavaScript payload in a repository's milestone name, which is...

GHSA-VGJM-2CPF-4G7C Gogs: DOM-based XSS via milestone selection

Summary It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. Impact Theft of information accessible in the victim...

Gogs: DOM-based XSS via milestone selection

Summary It was confirmed in a test environment that an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. Impact Theft of information accessible in the victim...

EUVD-2026-9855

Gogs: DOM-based XSS via milestone selection...

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

CVE-2026-26276 Gogs: DOM-based XSS via milestone selection

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payload in a repository’s Milestone name, and when another user selects that Milestone on the New Issue page /issues/new, a DOM-Based XSS is triggered. This issue has been patched in...