
4974 matches found

CNNVD
added 2026/02/27 12:0 a.m. | 3 views

PublicCMS Security Vulnerability

PublicCMS is an open-source content management system (CMS) developed by PublicCMS Company in China using the Java language. Versions of PublicCMS 5.202506.d and earlier contain security vulnerabilities. These vulnerabilities stem from PDF files that may contain JavaScript payloads, allowing them t...

CVSS 8.7 | AI score 5.9 | EPSS 0.00017
Exploits: 1 | References: 2
Positive Technologies
added 2026/02/27 12:0 a.m. | 2 views

PT-2026-22397

Name of the Vulnerable Software and Affected Versions: Dify versions prior to 1.9.0. Description: The Dify API exhibits differing responses when queried for existing and non-existent accounts, potentially enabling an attacker to enumerate email addresses registered with the Dify platform. This issue...

CVSS 6.9 | AI score 5.9 | EPSS 0.00453
Exploits: 1 | References: 9
CNNVD
added 2026/02/27 12:0 a.m. | 2 views

Copeland XWEB PRO OS Command Injection Vulnerability

Copeland XWEB PRO is an advanced commercial and industrial refrigeration monitoring and management system developed by the American company Copeland. Versions of Copeland XWEB PRO prior to 1.12.1 contained a vulnerability related to operating system command injection. This vulnerability stemmed...

CVSS 8.8 | AI score 6.2 | EPSS 0.00043
Exploits: 0 | References: 3
OSV
added 2026/02/26 10:20 p.m. | 1 views

CVE-2026-3263

A vulnerability was found in go2ismail Asp.Net-Core-Inventory-Order-Management-System up to 9.20250118. Affected by this vulnerability is an unknown functionality of the file /api/Security/ of the component Security API. Performing a manipulation results in improper authorization. Remote...

CVSS 8.8 | AI score 5.5 | EPSS 0.00056
Exploits: 1 | References: 4
EUVD
added 2026/02/26 10:13 p.m. | 2 views

EUVD-2026-8898

wger: IDOR in RepetitionsConfig and MaxRepetitionsConfig API leak other users' workout data...

CVSS 4.3 | AI score 5.3 | EPSS 0.0004
Exploits: 1 | References: 2
EUVD
added 2026/02/26 9:31 p.m. | 4 views

EUVD-2026-8881

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 EDU do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programmingactuator/request handled by actuatormanager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publis...

CVSS 8.5 | AI score 5.6 | EPSS 0.00077
Exploits: 1 | References: 4
OSV
added 2026/02/26 8:31 p.m. | 1 views

CVE-2026-27509

Unitree Go2 firmware versions V1.1.7 through V1.1.9 and V1.1.11 EDU do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programmingactuator/request handled by actuatormanager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publis...

CVSS 8 | AI score 6 | EPSS 0.00077
Exploits: 1 | References: 3
NVD
added 2026/02/26 8:31 p.m. | 4 views

CVE-2026-27509

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 EDU do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programmingactuator/request handled by actuatormanager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publi...

CVSS 8.5 | EPSS 0.00077
Exploits: 1 | References: 3
Cvelist
added 2026/02/26 6:56 p.m. | 21 views

CVE-2026-27509 Unitree Go2 Missing DDS Authentication Enables Adjacent RCE

Unitree Go2 firmware versions V1.1.7 through V1.1.9, and V1.1.11 EDU do not implement DDS authentication or authorization for the Eclipse CycloneDDS topic rt/api/programmingactuator/request handled by actuatormanager.py. A network-adjacent, unauthenticated attacker can join DDS domain 0 and publi...

CVSS 8.5 | EPSS 0.00077
Exploits: 1 | References: 3
Cvelist
added 2026/02/26 1:39 a.m. | 17 views

CVE-2026-27961 Agenta's Server-Side Template Injection (SSTI) via custom evaluator Jinja2 templates allows RCE

Agenta is an open-source LLMOps platform. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 0.86.8 in Agenta's API server evaluator template rendering. Although the vulnerable code lives in the SDK package, it is executed server-side within the API process when runni...

CVSS 8.8 | EPSS 0.00073
Exploits: 0 | References: 1
CVE
added 2026/02/26 12:47 a.m. | 12 views

CVE-2026-27896

The CVE-2026-27896 concerns the Go MCP SDK, affected in versions prior to 1.3.1, where Go’s json.Unmarshal (case-insensitive field matching) could accept non-standard JSON-RPC/MCP field casing. This violates JSON-RPC 2.0’s exact field names and could allow messages to bypass intermediary inspecti...

CVSS 7.5 | AI score 5.3 | EPSS 0.00045
Exploits: 0 | References: 2 | Affected Software: 1
CNNVD
added 2026/02/26 12:0 a.m. | 4 views

Free CRM Authorization Issue Vulnerability

Free CRM is a customer relationship management software developed by go2ismail’s individual developers. Free CRM has authorization issues and vulnerabilities; these vulnerabilities arise from improper authorization due to operations on parameters in files, APIs, or Security settings...

CVSS 8.8 | AI score 6.6 | EPSS 0.0002
Exploits: 1 | References: 4
Positive Technologies
added 2026/02/26 12:0 a.m. | 3 views

PT-2026-22178

Name of the Vulnerable Software and Affected Versions: Unitree Go2 firmware versions 1.1.7 through 1.1.9 and 1.1.11 EDU. Description: The affected firmware does not implement DDS authentication or authorization for the Eclipse CycloneDDS topic /rt/api/programming actuator/request managed by actuator...

CVSS 8.5 | AI score 6.1 | EPSS 0.00077
Exploits: 1 | References: 28
OSV
added 2026/02/25 8:21 p.m. | 0 views

UBUNTU-CVE-2025-3525

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI...

CVSS 6.5 | AI score 5.8 | EPSS 0.00056
Exploits: 0 | References: 5
CVE
added 2026/02/25 7:33 p.m. | 4 views

CVE-2025-3525

CVE-2025-3525 affects GitLab CE/EE across versions 9.0–before 18.7.5, 18.8–before 18.8.5, and 18.9–before 18.9.1. The issue allowed an authenticated user with certain access to cause a Denial of Service by sending specially crafted CI triggers via the API. Remediation has been applied in GitLab r...

CVSS 6.5 | AI score 5.4 | EPSS 0.00056
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/02/25 7:33 p.m. | 5 views

CVE-2025-3525 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI...

CVSS 6.5 | AI score 5.4 | EPSS 0.00056
Exploits: 0 | References: 3
Cvelist
added 2026/02/25 7:33 p.m. | 16 views

CVE-2025-3525 Allocation of Resources Without Limits or Throttling in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.0 before 18.7.5, 18.8 before 18.8.5, and 18.9 before 18.9.1 that could have, under certain circumstances, allowed an authenticated user with certain access to cause Denial of Service by creating specially crafted CI...

CVSS 6.5 | EPSS 0.00056
Exploits: 0 | References: 3
Cvelist
added 2026/02/25 4:27 p.m. | 15 views

CVE-2026-27736 BigBlueButton has Open Redirect vulnerability in ApiController

BigBlueButton is an open-source virtual classroom. In versions on the 3.x branch prior to 3.0.20, the string received with errorRedirectUrl lacks validation; using it directly in the respondWithRedirect function leads to an Open Redirect vulnerability. BigBlueButton 3.0.20 patches the issue. No...

CVSS 6.1 | EPSS 0.00038
Exploits: 0 | References: 2
CVE
added 2026/02/25 4:13 p.m. | 21 views

CVE-2026-20133

Cisco Catalyst SD-WAN Manager (vManage) contains a vulnerability that could let an unauthenticated/low-privilege attacker view sensitive information on the underlying OS due to insufficient file system access restrictions, with descriptions indicating that access to the vshell or API could lead t...

CVSS 7.5 | AI score 7.5 | EPSS 0.0189
In wild | Exploits: 0 | References: 2 | Affected Software: 1
ATTACKERKB
added 2026/02/25 4:13 p.m. | 3 views

CVE-2026-20133

A vulnerability in Cisco Catalyst SD-WAN Software could allow an unauthenticated, remote attacker to view sensitive information on an affected system. This vulnerability is due to insufficient file system restrictions. An authenticated attacker with netadmin privileges could exploit this...

CVSS 7.5 | AI score 7.5 | EPSS 0.0189
In wild | Exploits: 0 | References: 2 | Affected Software: 1