ResourceSpace - Metadata Export

In Montala ResourceSpace through 9.8 before r19636, csvexportresultsmetadata.php allows attackers to export collection metadata via a non-NULL k value. id: CVE-2022-31260 info: name: ResourceSpace - Metadata Export author: ritikchaddha severity: medium description: | In Montala ResourceSpace...

GeoServer - Missing Authorization on REST API Index

GeoServer contains a missing authorization vulnerability that allows unauthorized access to the REST API Index page, potentially exposing sensitive configuration information. id: CVE-2025-27505 info: name: GeoServer - Missing Authorization on REST API Index author: securitytaters severity: medium...

Boa 0.94.13 - Information Disclosure

Boa 0.94.13 allows remote attackers to obtain sensitive information via a misconfiguration involving backup.html, preview.html, js/log.js, log.html, email.html, online-users.html, and config.js. NOTE- multiple third parties report that this is a site-specific issue because those files are not par...

Open WebUI < 0.9.5 - Information Disclosure

Open WebUI 0.9.5 contains an information disclosure vulnerability caused by unauthenticated access to GET /api/v1/retrieval/ endpoint, letting remote attackers retrieve live RAG pipeline configuration without authorization, exploit requires no authentication. id: CVE-2026-45397 info: name: Open...

EUVD-2026-38231

MISP allowed an authenticated site administrator to set the Kafkardkafkaconfig setting to an arbitrary filesystem path. MISP subsequently parsed the referenced INI file and passed its options to rdkafka. A crafted attacker-controlled configuration file could use rdkafka options such as...

Kramer VIAware - Privilege Escalation and Remote Code Execution

Kramer VIAware, all tested versions, allow privilege escalation and remote code execution due to misconfigured sudo permissions. Attackers can execute arbitrary system commands remotely if the web interface is accessible, due to vulnerabilities in the handling of privileged operations through...

InfluxDB <1.7.6 - Authentication Bypass

InfluxDB before 1.7.6 contains an authentication bypass vulnerability via the authenticate function in services/httpd/handler.go. A JWT token may have an empty SharedSecret aka shared secret. An attacker can possibly obtain sensitive information, modify data, and/or execute unauthorized...

Keycloak - Open Redirect

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

CVE-2026-56081

Cap-go before 12.128.2 contains an authentication logic flaw allowing an attacker to register and take control of an account bound to a victim’s unverified email. By enabling two-factor authentication on the pre-registered account, the attacker can read and modify the account’s state and enforce ...

Astra Linux – Vulnerability in docker.io

Docker CLI is the command-line interface for the Docker container runtime. A bug was discovered in Docker CLI where running docker login my-private-registry.example.com with a misconfigured configuration file typically /.docker/config.json, which lists a credsStore or credhelpers that cannot be...

Cross-Origin Resource Sharing (CORS) Misconfiguration

hono is vulnerable to Cross-Origin Resource Sharing CORS Misconfiguration. The vulnerability is due to reflecting arbitrary Origin headers while allowing credentials when no explicit origin is configured, which allows an attacker-controlled website to make authenticated cross-origin requests and...

CVE-2026-54810

Missing Authorization vulnerability in Nexi Payments Nexi XPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nexi XPay: from n/a through 8.3.1...

CVE-2026-40722

Missing Authorization vulnerability in Yoast BV Yoast SEO Premium allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Yoast SEO Premium: from n/a through 26.6...

CVE-2024-37210

Missing Authorization vulnerability in ali2woo AliNext allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AliNext: from n/a through 3.3.5...

What Changed in OWASP Top 10 2025 and Recommendations for Each Category

Key Takeaways 1. The 2025 list introduces two new categories – Software Supply Chain Failures A03 and Mishandling of Exceptional Conditions A10 - reflecting attacks already happening in production. 2. Security Misconfiguration jumping from 5 to 2 signals that continuous deployment without...

Security Misconfiguration

@hulumi/baseline is vulnerable to Security Misconfiguration. The vulnerability is due to AccountFoundation reuse paths silently downgrading GuardDuty and Security Hub security settings, which allows an attacker to operate with reduced detection and monitoring capabilities in the affected...

CVE-2026-47177

Quest Bot: Affects versions before 1.0.4. If a user with config access sets the ticket transcript channel to a channel they can read, closing tickets causes the bot to export the full ticket history to that transcript channel, potentially exposing private messages to users who could not read the ...

EUVD-2023-60590

Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2...

PT-2026-48642

Missing Authorization vulnerability in Sparkle WP MetroStore metrostore allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects MetroStore: from n/a through 1.3.2...

WordPress plugin MetroStore 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...