Lucene search
K

35 matches found

ATTACKERKB
ATTACKERKB
added 2026/05/04 8:8 p.m.7 views

CVE-2026-42220

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

6.5CVSS5.7AI score0.00299EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/05/04 8:8 p.m.22 views

CVE-2026-42220

Nginx UI (nginx-ui) prior to version 2.3.8 exposes a vulnerability where an authenticated user can call GET /api/settings to retrieve sensitive values, including node.secret. The node.secret is accepted by AuthRequired() via the X-Node-Secret header (or node_secret query parameter), allowing the ...

6.5CVSS5.7AI score0.00299EPSS
Exploits1References2Affected Software1
CNNVD
CNNVD
added 2026/05/04 12:0 a.m.12 views

Nginx UI 信息泄露漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI prior to 2.3.8 had a vulnerability related to information leakage. This vulnerability stemmed from the ability for authenticated users to call the GET /api/settings request to retrieve sensitive configuration values,...

6.5CVSS5.8AI score0.00299EPSS
Exploits1References2
OSV
OSV
added 2026/04/29 8:54 p.m.5 views

GHSA-WR32-99HH-6F35 Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services

Summary An authenticated user can perform Server-Side Request Forgery SSRF by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing...

8.5CVSS6AI score0.00318EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2026/04/21 12:0 a.m.16 views

PT-2026-36920

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.8 Description An authenticated user can access the 'GET /api/settings' endpoint to retrieve sensitive configuration values, such as node.secret. This secret is accepted by the AuthRequired function via the...

6.8CVSS5.8AI score0.00299EPSS
Exploits1References12
GithubExploit
GithubExploit
added 2026/03/14 2:43 a.m.163 views

Exploit for Missing Encryption of Sensitive Data in Nginxui Nginx_Ui

CVE-2026-27944 POC: Nginx UI Unauthenticated Backup Download +...

9.8CVSS5.9AI score0.22162EPSS
Exploits13
NVD
NVD
added 2026/02/19 5:24 p.m.10 views

CVE-2026-26016

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...

9.2CVSS0.00316EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/02/19 3:55 p.m.22 views

CVE-2026-26016 Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...

9.2CVSS0.00316EPSS
Exploits0References2
CVE
CVE
added 2026/02/19 3:55 p.m.29 views

CVE-2026-26016

Summary: CVE-2026-26016 affects Pterodactyl Panel (Wings) prior to 1.12.1 due to missing authorization checks across multiple controllers/endpoints. An authenticated Wings node with a node secret token can access and disclose information about servers on other nodes, retrieve server installation ...

9.2CVSS5.7AI score0.00316EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/02/17 6:54 p.m.3 views

GHSA-G7VW-F8P5-C728 Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

Summary A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node...

9.2CVSS5.8AI score0.00316EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/02/17 6:54 p.m.11 views

Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization

Summary A missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a different node. This issue stems from missing logic to verify that the node...

9.2CVSS5.8AI score0.00316EPSS
Exploits0References4Affected Software1
Github Security Blog
Github Security Blog
added 2024/01/11 4:32 p.m.62 views

Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)

Summary Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings. Details The Home Preference page exposes a list of system settings such as Run Mode, Jwt Secret, Node Secret and Terminal Start Command. The...

8.8CVSS8.2AI score0.04088EPSS
Exploits2References10Affected Software1
Github Security Blog
Github Security Blog
added 2024/01/11 4:30 p.m.45 views

Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)

Summary The Home Preference page exposes a small list of nginx settings such as Nginx Access Log Path and Nginx Error Log Path. However, the API also exposes testconfigcmd, reloadcmd and restartcmd. While the UI doesn't allow users to modify any of these settings, it is possible to do so by sendi...

8.8CVSS7.1AI score0.01537EPSS
Exploits1References8Affected Software1
NVD
NVD
added 2013/05/22 1:29 p.m.49 views

CVE-2013-0941

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the no...

2.1CVSS5.6AI score0.01263EPSS
Exploits0References1
Cvelist
Cvelist
added 2013/05/22 10:0 a.m.47 views

CVE-2013-0941

EMC RSA Authentication API before 8.1 SP1, RSA Web Agent before 5.3.5 for Apache Web Server, RSA Web Agent before 5.3.5 for IIS, RSA PAM Agent before 7.0, and RSA Agent before 6.1.4 for Microsoft Windows use an improper encryption algorithm and a weak key for maintaining the stored data of the no...

5.6AI score0.01263EPSS
Exploits0References1
Rows per page
Query Builder