3910 matches found
CVE-2026-33807
@fastify/express v4.0.4 and earlier contains a path handling bug in the onRegister function that causes middleware paths to be doubled when inherited by child plugins. When a child plugin is registered with a prefix that matches a middleware path, the middleware path is prefixed a second time,...
CVE-2026-42611
Grav is a file-based Web platform. Prior to 2.0.0-beta.2, a low-privileged with the ability to create a page user can cause XSS with the injection of svg element. The XSS can further be escalated to dump the entire system information available under /admin/config/info whenever a Super Admin visit...
CVE-2026-8850
IBM HTTP Server 8.5, and 9.0 is vulnerable to denial of service via the optional module modibmupload...
CVE-2026-8431
An administrative user with access to configure webhooks can execute arbitrary commands by configuring and then triggering webhooks containing specific FreeMarker template syntax. This issue affects all MongoDB Ops Manager 7.0 versions and MongoDB Ops Manager versions 8.0.22 and prior...
CVE-2026-8835
IBM HTTP Server 8.5, and 9.0 is vulnerable to invalid pointer dereference. A privileged user, authenticated to the Administration Server, could exploit this vulnerability to expose sensitive information or cause a denial of service...
CVE-2026-8644
IBM WebSphere Application Server 9.0, and 8.5 is vulnerable to identity spoofing...
OESA-2026-2558 assimp security update
Assimp is a library to load and process geometric scenes from various data formats. Assimp aims to provide a full asset conversion pipeline for use in game engines and real-time rendering systems of any kind, but is not limited to this purpose. Security Fixes: A vulnerability, which was classifie...
tomcat-9.0.118-1.1 on GA media (moderate)
tomcat-9.0.118-1.1 on GA media Announcement ID: openSUSE-SU-2026:10925-1 Rating: moderate Cross-References: CVE-2026-41284 CVE-2026-41293 CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515 CVSS scores: CVE-2026-41284 SUSE : 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H...
RLSA-2026:20606 Important: ruby4.0 security update
Ruby is the interpreted scripting language for quick and easy object-oriented programming. It has many features to process text files and to do system management tasks as in Perl. It is simple, straight-forward, and extensible. Security Fixes: ruby/json: Ruby JSON: Denial of Service or Informatio...
[slackware-security] httpd
New httpd packages are available for Slackware 15.0 and -current to fix a security issue. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/httpd-2.4.67-i586-2slack15.0.txz: Rebuilt. This update fixes "HTTP/2 Bomb", a resource exhaustion denial-of-service attack against...
itsourcecode Fees Management System 代码注入漏洞
itsourcecode Fees Management System is an open-source charging management system developed by itsourcecode. Versions of itsourcecode Fees Management System 1.0 and earlier had a code injection vulnerability. This vulnerability stemmed from the operation of unknown functions in the /navbar.php fil...
PT-2026-46317
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In versions 4.9.0 through 5.0.0, an authenticated user with project-editor permissions can store arbitrary HTML/JavaScript in the ChartDatasetConfig.legend field. The...
EUVD-2026-34097
GLPI is a free asset and IT management software package. Starting in version 10.0.4 and prior to version 10.0.25, a technician can store an XSS payload in the asset locked tab. Upgrade to 10.0.25 or 11.0.7 to receive a patch...
CVE-2025-14774
Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
CVE-2025-14771
Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
PT-2026-45907
Name of the Vulnerable Software and Affected Versions ABB T-MAC Plus version 4.0-24 Description A file disclosure issue exists in the ABB T-MAC Plus web application and the ABB T-MAC plus Server - Default IIS Web Site, where files or directories are accessible to external parties. Recommendations...
CVE-2026-35482 alf.io has an Authenticated RCE via Extension Script Sandbox Escape
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the...
EUVD-2026-34050
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the...
CVE-2026-1829 Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution
The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'etpbtext' shortcode 'cvdbcontentvisibilitycheck' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...
Linux Distros Unpatched Vulnerability : CVE-2026-10229
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was determined in Assimp up to 6.0.4. This affects the function HL1MDLLoader::readmeshes of the file HL1MDLLoader.cpp of the component Half-Life...