EUVD-2026-29500

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/objectname:path endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send craft...

CVE-2026-25787

Affected devices do not properly validate and sanitize Technology Object TO name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the...

CVE-2026-25787

Affected devices do not properly validate and sanitize Technology Object TO name rendered on the "Motion Control Diagnostics" page of the web interface. This could allow an authenticated attacker who is authorized to download a TIA project into the product, to inject malicious scripts into the...

CVE-2026-31216

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/objectname:path endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send craft...

Important: kernel6.12

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: landlock: Fix handling of disconnected directories CVE-2025-68736 In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context CVE-2026-23102 In the Linu...

A malicious rsh server can overwrite arbitrary files in a directory on the rcp client machine

An issue was discovered in rcp in NetKit through 0.17. For an rcp operation, the server chooses which files/directories are sent to the client. However, the rcp client only performs cursory validation of the object name returned. A malicious rsh server or Man-in-The-Middle attacker can overwrite...

postgresql: CREATE STATISTICS does not check for schema CREATE privilege

A vulnerability has been identified in PostgreSQL’s CREATE STATISTICS command where the database does not check that the user has the required schema CREATE privilege. A table owner user could create a statistics object in any schema, blocking other users who legitimately hold CREATE STATISTICS...

CVE-2025-15449

A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be...

CVE-2025-15449

A vulnerability was determined in cld378632668 JavaMall up to 994f1e2b019378ec9444cdf3fce2d5b5f72d28f0. Affected is the function delete of the file src/main/java/com/macro/mall/controller/MinioController.java. This manipulation of the argument objectName causes path traversal. The attack can be...

EUVD-2025-205527

A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted...

moga-mall 代码问题漏洞

moga-mall is a microservices architecture based e-commerce platform by h-moses individual developers. A code issue vulnerability exists in moga-mall 392d631a5ef15962a9bddeeb9f1269b9085473fa and earlier versions, which originates from the file...

Kentico Xperience 跨站脚本漏洞

Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from a cross-site scripting vulnerability that can be exploited by an attacker to inject malicious script via an error message containing a specially crafted object name...

USN-7741-1: PostgreSQL vulnerabilities

Dean Rasheed discovered that PostgreSQL incorrectly handled access control lists. An attacker could possibly use this issue to obtain sensitive information. CVE-2025-8713 Martin Rakhmanov, Matthieu Denais, and RyotaK discovered that the PostgreSQL pgdump utility allowed untrusted data inclusion. ...

PostgreSQL Multiple Vulnerabilities (Aug 2025) - Linux

PostgreSQL is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:postgresql:postgresql";...

CRLF Injection

Overview Affected versions of this package are vulnerable to CRLF Injection in the restore process via psql meta-commands inside a purpose-crafted object name. An attacker can execute arbitrary code by injecting meta commands into the file, which can be executed by an unknowing user during the...

CVE-2025-8715 PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server

Improper neutralization of newlines in pgdump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name. The same attacks...

Linux Distros Unpatched Vulnerability : CVE-2024-25740

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A memory leak flaw was found in the UBI driver in drivers/mtd/ubi/attach.c in the Linux kernel through 6.7.4 for UBIIOCATT, because kobj-name is not released...

SUSE CVE-2021-46996

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Fix a memleak from userdata error path in new objects Release object name if userdata allocation fails...

DEBIAN-CVE-2021-46996

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftables: Fix a memleak from userdata error path in new objects Release object name if userdata allocation fails...

VulnCheck KEV: CVE-2019-15642

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it...