CVE-2026-39400

Cronicle suffers a Stored XSS vulnerability in versions before 0.9.111. A non-admin user with create_events and run_events privileges can inject arbitrary JavaScript through job output fields (html.content, html.title, table.header, table.rows, table.caption). The server stores this data without ...

CVE-2026-39400 Stored XSS via Job HTML/Table Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, a non-admin user with createevents and runevents privileges can inject arbitrary JavaScript through job output fields html.content, html.title, table.header, table.rows, table.caption. The serve...

GHSA-4744-96P5-MP2J pyLoad: Unprotected storage_folder enables arbitrary file write to Flask session store and code execution (Incomplete fix for CVE-2026-33509)

Summary The fix for CVE-2026-33509 GHSA-r7mc-x6x7-cqxx added an ADMINONLYOPTIONS set to block non-admin users from modifying security-critical config options. The storagefolder option is not in this set and passes the existing path restriction because the Flask session directory is outside both...

open-vm-tools: Insecure file handling

A vulnerability was found in open-vm-tools. A malicious actor with non-administrative privileges on a guest virtual machine VM may tamper with the local files to trigger insecure file operations within that VM...

EUVD-2018-11878

Malware in sbrugna...

CVE-2025-41245

VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations...

CVE-2020-3972

VMware Tools for macOS 11.x.x and prior before 11.1.1 contains a denial-of-service vulnerability in the Host-Guest File System HGFS implementation. Successful exploitation of this issue may allow attackers with non-admin privileges on guest macOS virtual machines to create a denial-of-service...

UBUNTU-CVE-2025-22247

VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM...

CVE-2025-22230 Authentication bypass vulnerability

VMware Tools for Windows contains an authentication bypass vulnerability due to improper access control. A malicious actor with non-administrative privileges on a guest VM may gain ability to perform certain high privilege operations within that VM...

CVE-2024-24573

facileManager is a modular suite of web apps built with the sysadmin in mind. In versions 4.5.0 and earlier, when a user updates their profile, a POST request containing user information is sent to the endpoint server/fm-modules/facileManager/ajax/processPost.php. It was found that non-admins can...

CVE-2023-34056

vCenter Server contains a partial information disclosure vulnerability. A malicious actor with non-administrative privileges to vCenter Server may leverage this issue to access unauthorized data...

CVE-2020-3972

VMware Tools for macOS 11.x.x and prior before 11.1.1 contains a denial-of-service vulnerability in the Host-Guest File System HGFS implementation. Successful exploitation of this issue may allow attackers with non-admin privileges on guest macOS virtual machines to create a denial-of-service...

CVE-2020-3972

VMware Tools for macOS 11.x.x and prior before 11.1.1 contains a denial-of-service vulnerability in the Host-Guest File System HGFS implementation. Successful exploitation of this issue may allow attackers with non-admin privileges on guest macOS virtual machines to create a denial-of-service...