105 matches found

Cvelist
added 5 days ago, 25 views

CVE-2026-45697 Formie: Pre-authenticated server-side template injection in Hidden fields

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending ...

CVSS 9.8, EPSS 0.00098
Exploits: 0, References: 4
CNNVD
added 2026/05/25 12:0 a.m., 4 views

Roundcube Webmail security vulnerability

Roundcube Webmail is a browser-based open source IMAP client from Roundcube open source, which supports address book management, message searching, spell checking and more. A security vulnerability exists in Roundcube Webmail versions prior to 1.6.16 and 1.7.1, which originates from a poison bypa...

CVSS 3.7, AI score 5.9, EPSS 0.00068
Exploits: 0, References: 5
RedhatCVE
added 2026/05/22 2:12 p.m., 5 views

CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

CVSS 6.7, AI score 6.1, EPSS 0.01018
Exploits: 0, References: 1
NVD
added 2026/05/21 2:16 p.m., 6 views

CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

CVSS 6.7, EPSS 0.01018
Exploits: 0, References: 5
Vulnrichment
added 2026/05/21 1:3 p.m., 2 views

CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

CVSS 6.7, AI score 5.9, EPSS 0.01018
Exploits: 0, References: 4
ATTACKERKB
added 2026/05/21 1:3 p.m., 4 views

CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

CVSS 6.7, AI score 5.9, EPSS 0.01018
Exploits: 0, References: 5
CVE
added 2026/05/21 1:3 p.m., 15 views

CVE-2026-34926

CVE-2026-34926 concerns the on‑premise Apex One server, where a directory traversal flaw could let a pre‑authenticated local attacker with admin access modify a server key table to inject code that is deployed to agents. The vulnerability is limited to the on‑premise deployment; no public exploit...

CVSS 6.7, AI score 5.9, EPSS 0.01018
In the wild; Exploits: 0, References: 5, Affected software: 1
Positive Technologies
added 2026/05/21 12:0 a.m., 6 views

PT-2026-42465

Name of the Vulnerable Software and Affected Versions: Apex One on-premise versions prior to SP1 Build 18012; Apex One new installs versions prior to 17079; Apex One SaaS agent versions prior to 14.0.20731. Description: A directory traversal issue in the on-premise management server allows an attacker...

CVSS 6.7, AI score 6.9, EPSS 0.01018
Exploits: 0, References: 45
CNNVD
added 2026/05/21 12:0 a.m., 4 views

TrendAI Apex One security vulnerability

TrendAI Apex One is an enterprise security platform provided by TrendAI that offers terminal protection, malware detection, and threat response capabilities. TrendAI Apex One has a security vulnerability that stems from directory traversal. This vulnerability may allow pre-authenticated local...

CVSS 6.7, AI score 6.9, EPSS 0.01018
Exploits: 0, References: 2
CISA KEV Catalog
added 2026/05/21 12:0 a.m., 9 views

Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability

Trend Micro Apex One on-premise contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations...

CVSS 6.7, AI score 5.9, EPSS 0.01018
In the wild; Exploits: 0
VulnCheck KEV
added 2026/05/21 12:0 a.m., 17 views

VulnCheck KEV: CVE-2026-34926

A directory traversal vulnerability in the Apex One on-premise server could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. This vulnerability is only exploitable on the on-premise version of Apex...

CVSS 6.7, AI score 5.9, EPSS 0.01018
In the wild; Exploits: 0, References: 4
CVE
added 2026/05/13 8:44 p.m., 5 views

CVE-2026-45055

CubeCart pre-authenticated password reset link poisoning via HTTP Host header (affecting 6.6.x–6.7.1) allows an unauthenticated attacker to cause password-reset tokens to be sent to a victim with a malicious domain (evil.com). Builds CC_STORE_URL from Host header without allowlist, embedding the ...

CVSS 8.1, AI score 5.9, EPSS 0.00031
Exploits: 0, References: 1
EUVD
added 2026/04/11 9:30 p.m., 0 views

EUVD-2026-21682

A pre-authenticated reflected cross-site scripting XSS vulnerability exists in Rukovoditel CRM version 3.6.4 in the Zadarma telephony API endpoint /api/tel/zadarma.php. The application directly reflects user-supplied input from the 'zdecho' GET parameter into the HTTP response without proper...

CVSS 9.3, AI score 6, EPSS 0.00026
Exploits: 0, References: 2
CNNVD
added 2026/03/23 12:0 a.m., 3 views

MB Connect Line mbCONNECT24 SQL injection vulnerability

MB Connect Line mbCONNECT24 is a remote service portal developed by the German company MB Connect Line. This product supports features such as remote access, data recording, and alarm notifications. MB Connect Line mbCONNECT24 has a SQL injection vulnerability. This vulnerability stems from...

CVSS 7.5, AI score 5.9, EPSS 0.00198
Exploits: 0, References: 2
OSV
added 2026/03/11 2:16 p.m., 1 view

CVE-2026-32062

OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open ...

CVSS 7.5, AI score 5.8
Exploits: 0, References: 3
CVE
added 2026/03/11 1:32 p.m., 9 views

CVE-2026-32062

CVE-2026-32062 affects OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call 2026.2.21 prior to 2026.2.22. The vulnerability arises from accepting media-stream WebSocket upgrades before stream validation, enabling unauthenticated remote clients to establish connections and hol...

CVSS 8.7, AI score 5.8, EPSS 0.00142
Exploits: 0, References: 3, Affected software: 2
Positive Technologies
added 2026/03/02 12:0 a.m., 1 view

PT-2026-24672

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.22; @openclaw/voice-call versions prior to 2026.2.22. Description: OpenClaw and @openclaw/voice-call accept media-stream WebSocket upgrades before validating the stream, allowing unauthenticated clients to...

CVSS 8.7, AI score 5.3, EPSS 0.00142
Exploits: 0, References: 18
RedhatCVE
added 2026/02/28 1:55 a.m., 1 view

CVE-2026-21718

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system...

CVSS 10, AI score 6.4, EPSS 0.00057
Exploits: 0, References: 1
OSV
added 2026/02/27 1:16 a.m., 1 view

CVE-2026-21718

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system...

CVSS 9.8, AI score 6.2, EPSS 0.00057
Exploits: 0, References: 3
NVD
added 2026/02/27 1:16 a.m., 1 view

CVE-2026-21718

An authentication bypass vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, enabling any attackers to bypass the authentication requirement and achieve pre-authenticated code execution on the system...

CVSS 10, EPSS 0.00057
Exploits: 0, References: 3