104857 matches found
CVE-2026-45627
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2026-49378
JetBrains TeamCity prior to version 2026.1 exposes credentials parameters through parameter autocompletion. Affected product: TeamCity server. Root cause: credential values were surfaced in autocompletion UI, enabling potential disclosure. This entry provides no specific exploit details, affected...
CVE-2026-49378
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion...
CVE-2026-49378
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion...
EUVD-2026-33386
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion...
CVE-2026-49378
In JetBrains TeamCity before 2026.1 credentials parameters were exposed via parameter autocompletion...
CVE-2026-46344
CVE-2026-46344 pertains to the liboqs C library (post-quantum cryptography). Before v0.16.0, there is a heap/out-of-bounds risk in XMSS/XMSS^MT stateful signature verification when a public key’s OID points to a larger parameter set than the declared algorithm, causing xmss_sign_open / xmssmt_sig...
CVE-2026-46344 liboqs: Heap-buffer-overflow in XMSS verification path via OID-controlled parameter mismatch (xmss_commons.c:194)
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a...
CVE-2026-46344
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a...
CVE-2026-46344 liboqs: Heap-buffer-overflow in XMSS verification path via OID-controlled parameter mismatch (xmss_commons.c:194)
liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. Prior to 0.16.0, an out-of-bounds read has been identified in the XMSS and XMSS^MT stateful signature verification code. When the verification function is called with a...
CVE-2026-45626 Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitis...
CVE-2026-45626 Arcane: OS Command Injection in Volume Browser ListDirectory via path query parameter
Arcane is an interface for managing Docker containers, images, networks, and volumes. In 1.18.1 and earlier, GET /environments/id/volumes/volumeName/browse accepts a path query parameter that is passed to a shell command sh -c "find … | while …" inside an Arcane helper container. The path sanitis...
CVE-2026-45626
Summary: CVE-2026-45626 (Arcane) enables OS command injection via the volume browser’s path parameter. Affected: Arcane’s browse API (GET /environments/{id}/volumes/{volumeName}/browse) in 1.18.1 and earlier. Root cause: the path sanitiser only blocks ../ traversal and does not strip Bourne-shell...
CVE-2026-45627 Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2026-45627
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2026-45627 Arcane: Unauthenticated reflected XSS via SVG color parameter in /api/app-images/logo enables admin account takeover
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
EUVD-2026-33371
Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to 1.19.0, the unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution...
CVE-2026-45627
CVE-2026-45627 describes an unauthenticated reflected XSS in Arcane via the GET /api/app-images/logo endpoint, where a user-supplied color parameter is injected into an SVG block without escaping. The resulting SVG is served as image/svg+xml with no CSP or X-Content-Type-Options headers, enablin...
CVE-2026-39229
Bolt CMS through 3.7.0 allows SQL Injection in the 'order' parameter of the content listing pages. An authenticated attacker with low-level privileges can exploit this through the OrderDirective component. This allows for the extraction of sensitive information...
CVE-2018-25403
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to citygraph.php with crafted SQL payloads to extract sensitive database...