EUVD-2026-23275

Silverstripe Assets Module has a DBFile::getURL permission bypass...

Silverstripe Assets Module has a DBFile::getURL() permission bypass

Impact Images rendered in templates or otherwise accessed via DBFile::getURL or DBFile::getSourceURL incorrectly add an access grant to the current session, which bypasses file permissions. This usually happens when creating an image variant, for example using a manipulation method like ScaleWidt...

Incorrect Authorization

Overview silverstripe/assets is an asset module required component of SilverStripe Framework. Affected versions of this package are vulnerable to Incorrect Authorization via the DBFile::getURL process. An attacker can gain unauthorized access to protected files by exploiting the way access grants...

CVE-2026-24749

The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL or DBFile::getSourceURL incorrectly add an access grant to the current session, which...

CVE-2026-24749

The CVE concerns the SilverStripe Assets Module (required for SilverStripe Framework). In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered via templates or accessed with DBFile::getURL() or DBFile::getSourceURL() erroneously add an access grant to the current session, bypassin...

CVE-2026-24749 Silverstripe Assets Module has a DBFile::getURL() permission bypass

The Silverstripe Assets Module is a required component of Silverstripe Framework. In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered in templates or otherwise accessed via DBFile::getURL or DBFile::getSourceURL incorrectly add an access grant to the current session, which...

EUVD-2026-23239

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module...

CVE-2026-5785

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module...

CVE-2026-5785

The CVE-2026-5785 issue affects Zohocorp ManageEngine PAM360 (versions before 8531) and ManageEngine Password Manager Pro (versions 8600 to 13230). The vulnerability is an Authenticated SQL injection in the query report module, allowing an attacker with LOW privileges and no user interaction to t...

CVE-2026-5785

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module...

CVE-2026-5785 SQL Injection

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module...

CVE-2026-5785 SQL Injection

Zohocorp ManageEngine PAM360 versions before 8531 and ManageEngine Password Manager Pro versions from 8600 to 13230 are vulnerable to Authenticated SQL injection in the query report module...

CVE-2026-30480

A Local File Inclusion LFI vulnerability in the NFSen module nfsen.inc.php of LibreNMS 22.11.0-23-gd091788f2 allows authenticated attackers to include arbitrary PHP files from the server filesystem via path traversal sequences in the nfsen parameter...

CVE-2026-40960

A flaw was found in Luanti. When at least one module mod is configured as trusted or secure, a specially crafted module can intercept requests to an insecure environment or the HTTP API. This allows the crafted module to gain unintended access to sensitive information and functionality within tha...

CVE-2026-3428

A Download of Code Without Integrity Check vulnerability in the update modules in ASUS Member Center华硕大厅 allows a local user to achieve privilege escalation to Administrator via exploitation of a Time-of-check Time-of-use TOC-TOU during the update process, where an unexpected payload is substitut...

MAL-2026-2907 Malicious code in nj-logger (npm)

nj-logger is a malicious npm package that when imported in file dist/logger/telemetry.js downloads a trojan for Windows only, W64.AIDetectMalware / Trojan.Malware.300983.susgen from http://178.128.88.40:8080/download/svc to path nodemodules/.cache/nj-logger/nj-transport-win32-x64.node and execute...

Code Execution

Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Code Execution in the via lockfile maintenance in bazel-module/lockfile.ts‎, used by bazel-module and bazelisk. An attacker can execute arbitrary code by introducing a malicious dependency that is...

GHSA-5VJQ-5JMG-39XQ Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

When using lockFileMaintenance using the bazel-module or bazelisk managers between Renovate 43.65.0 2026-03-12 and 43.102.11 2026-04-02, there was the opportunity for remote code execution from a malicious dependency, if the Bazel module executes code that relies on a dependency. As this is an...

Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

When using lockFileMaintenance using the bazel-module or bazelisk managers between Renovate 43.65.0 2026-03-12 and 43.102.11 2026-04-02, there was the opportunity for remote code execution from a malicious dependency, if the Bazel module executes code that relies on a dependency. As this is an...

CVE-2026-40960

Luanti 5 before 5.15.2 sometimes allows unintended access to an insecure environment. If at least one mod is listed as secure.trustedmods or secure.httpmods, then a crafted mod can intercept the request for the insecure environment or HTTP API, and also receive access to it...