137 matches found
CVE-2026-45632
Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...
CVE-2026-45630
Dokploy is a free, self-hostable Platform as a Service PaaS. In 0.28.8 and earlier, authenticated OS command injection in the application.updateTraefikConfig tRPC endpoint allows admin/owner users to execute arbitrary system commands on remote servers via unsanitized echo shell interpolation...
The Vercel Breach: OAuth Supply Chain Attack Exposes the Hidden Risk in Platform Environment Variables
An OAuth supply chain compromise at Vercel exposed how trusted third party apps and platform environment variables can bypass traditional defenses and amplify blast radius. This article examines the attack chain, underlying design tradeoffs, and what it reveals about modern PaaS and software supp...
CVE-2026-22573
An improper limitation of a pathname to a restricted directory 'path traversal' vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR...
PT-2026-32666
An improper limitation of a pathname to a restricted directory 'path traversal' vulnerability in Fortinet FortiSOAR PaaS 7.6.0 through 7.6.3, FortiSOAR PaaS 7.5 all versions, FortiSOAR PaaS 7.4 all versions, FortiSOAR PaaS 7.3 all versions, FortiSOAR on-premise 7.6.0 through 7.6.3, FortiSOAR...
CVE-2026-24292
Use after free in Connected Devices Platform Service Cdpsvc allows an authorized attacker to elevate privileges locally...
CVE-2026-24292
CVE-2026-24292 is a Windows vulnerability in the Connected Devices Platform Service (Cdpsvc) described as a use-after-free that enables local privilege escalation for an authenticated, non-user interaction scenario. Connected documents corroborate the issue with Cdpsvc and list the CVE-2026-24292...
CVE-2026-24292 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
...
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
Use after free in Connected Devices Platform Service Cdpsvc allows an authorized attacker to elevate privileges locally...
PT-2026-24286
Use after free in Connected Devices Platform Service Cdpsvc allows an authorized attacker to elevate privileges locally...
CVE-2026-21234
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
CVE-2026-21234
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
CVE-2026-21234
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
CVE-2026-21234 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
...
CVE-2026-21234
CVE-2026-21234 concerns Windows Connected Devices Platform Service where a race condition due to improper synchronization enables local privilege escalation for an authorized attacker. The vulnerability affects the platform service's concurrent execution via a shared resource; impact includes con...
CVE-2026-21234 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
...
CVE-2026-21234
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
Windows Connected Devices Platform Service Elevation of Privilege Vulnerability
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
PT-2026-7338
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally...
Injection
Overview Affected versions of this package are vulnerable to Injection via the REST Authenticate Endpoint in the Y9PlatformUtil.java file. An attacker can access, modify, or disrupt sensitive data by sending specially crafted requests to the affected endpoint. Remediation There is no fixed versio...