66 matches found

Cvelist
added 2026/04/08 9:2 p.m. · 15 views

CVE-2026-39901 monetr: Protected Transactions Deletable via PUT

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deleti...

CVSS 5.7 · EPSS 0.0001
Exploits: 0 · References: 1

Github Security Blog
added 2026/04/03 6:29 p.m. · 1 view

Juju has a resource poisoning vulnerability

Summary: Any authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller. This one is very straightforward to just read in the code: Step 1: The authorisation mechanism for the resource handler is defined here. One is on...

CVSS 7.1 · AI score 6.1 · EPSS 0.00012
Exploits: 0 · References: 4 · Affected Software: 1

OSV
added 2026/02/26 8:31 p.m. · 4 views

CVE-2026-23939

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

CVSS 6.9 · AI score 5.9 · EPSS 0.00081
Exploits: 0 · References: 2

Vulnrichment
added 2026/02/26 7:41 p.m. · 4 views

CVE-2026-23939 Path Traversal in Local File Store Backend

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in hexpm hexpm/hexpm 'Elixir.Hexpm.Store.Local' module allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines...

CVSS 6.9 · AI score 5.4 · EPSS 0.00081
Exploits: 0 · References: 4

RedHat Linux
added 2026/02/16 12:4 p.m. · 4 views

tomcat: org.apache.tomcat/tomcat-catalina: Apache Tomcat: Directory traversal via rewrite with possible RCE

A directory traversal vulnerability in Apache Tomcat caused by improper URL normalization during request rewriting. When specific rewrite rules are used, an attacker could craft a malicious request to bypass access restrictions and reach protected directories such as /WEB-INF/ or /META-INF/. If...

CVSS 7.5 · AI score 6.2 · EPSS 0.00274
Exploits: 4 · References: 6

Positive Technologies
added 2025/12/04 12:0 a.m. · 0 views

PT-2025-49017

Name of the Vulnerable Software and Affected Versions: Seafile version 12.0.10 Description: A stored Cross-Site Scripting (XSS) issue exists in Seafile. This allows an attacker to execute arbitrary code in a victim’s browser. The issue is caused by storing malicious payloads with the name parameter i...

CVSS 6.1 · AI score 6.3 · EPSS 0.00027
Exploits: 0 · References: 5

OpenVAS
added 2025/10/29 12:0 a.m. · 6 views

Mageia: Security Advisory (MGASA-2025-0250)

The remote host is missing an update for the ...

CVSS 9.6 · AI score 6.8 · EPSS 0.00274
Exploits: 4 · References: 6

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2018-4604

Malware in sbrugna...

CVSS 9.8 · AI score 9.5 · EPSS 0.0029
Exploits: 0 · References: 2

EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2020-29733

Malware in sbrugna...

CVSS 8.1 · AI score 8 · EPSS 0.0051
Exploits: 0 · References: 4

EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2025-19706

Malicious code in bioql PyPI...

CVSS 8.8 · AI score 6.6 · EPSS 0.00732
Exploits: 0 · References: 2

Apache Tomcat
added 2025/09/05 12:0 a.m. · 11 views

Fixed in Apache Tomcat 11.0.11

Low: Console manipulation via escape sequences in log messages (CVE-2025-55754). Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

CVSS 9.6 · AI score 7.8 · EPSS 0.00274
Exploits: 4 · Affected Software: 1

RedhatCVE
added 2025/05/22 5:3 p.m. · 2 views

CVE-2020-8892

An issue was discovered in MISP before 2.4.121. It did not consider the HTTP PUT method when trying to block a brute-force series of invalid requests...

CVSS 8.1 · AI score 6.8 · EPSS 0.0051
Exploits: 0 · References: 1

Github Security Blog
added 2025/03/10 6:31 p.m. · 134 views

Apache Tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT

Path Equivalence: 'file.Name' Internal Dot leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through...

CVSS 10 · AI score 9.2 · EPSS 0.9413
Exploits: 44 · References: 15 · Affected Software: 2

OSV
added 2024/06/11 12:15 p.m. · 2 views

CVE-2024-35209

A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server is allowing HTTP methods like PUT and Delete. This could allow an attacker to modify unauthorized files...

CVSS 6.9 · AI score 5.7
Exploits: 0 · References: 1

Positive Technologies
added 2024/06/11 12:0 a.m. · 2 views

PT-2024-4579 · Unknown · Sinec Traffic Analyzer

Name of the Vulnerable Software and Affected Versions: SINEC Traffic Analyzer versions prior to V1.2 Description: A vulnerability has been identified in the web server of SINEC Traffic Analyzer, which allows HTTP methods like PUT and Delete. This could allow an attacker to modify unauthorized...

CVSS 7.8 · AI score 7.3 · EPSS 0.00297
Exploits: 0 · References: 4

Positive Technologies
added 2024/01/25 12:0 a.m. · 2 views

PT-2024-1629 · Plone · Plone

Name of the Vulnerable Software and Affected Versions: Plone Docker version 5.2.13 5221 Description: The issue is related to the absence of a mechanism to prevent unintended changes to resources when processing requests. This allows unauthenticated attackers to execute dangerous actions, such as...

CVSS 7.5 · AI score 7.6 · EPSS 0.00253
Exploits: 1 · References: 12

Veracode
added 2023/12/12 5:40 a.m. · 12 views

Limited File Write

MindsDB is vulnerable to Limited File Write. The vulnerability exists because a put method in mindsdb/mindsdb/api/http/namespaces/file.py does not validate the user-controlled name value, which is used to construct a temporary file name. This allows files to be written anywhere on the server leading...

CVSS 5.3 · AI score 7.1 · EPSS 0.00868
Exploits: 0 · References: 3 · Affected Software: 1

VulnCheck KEV
added 2023/12/04 12:0 a.m. · 1 view

VulnCheck KEV: CVE-2023-45852

In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method...

CVSS 9.8 · AI score 7.2 · EPSS 0.93587
Exploits: 1 · References: 1

Positive Technologies
added 2023/11/16 12:0 a.m. · 1 view

PT-2023-32478 · Mlflow · Mlflow

Name of the Vulnerable Software and Affected Versions: MLflow affected versions not specified Description: The issue allows arbitrary files to be uploaded onto the server using the PUT method. There is no information provided about the estimated number of potentially affected devices or real-worl...

CVSS 10 · AI score 8.5 · EPSS 0.00767
Exploits: 1 · References: 9

ATTACKERKB
added 2023/10/14 2:15 a.m. · 2 views

CVE-2023-45852

In Vitogate 300 2.1.3.0, /cgi-bin/vitogate.cgi allows an unauthenticated attacker to bypass authentication and execute arbitrary commands via shell metacharacters in the ipaddr params JSON data for the put method...

CVSS 9.8 · AI score 7.2 · EPSS 0.93587
Exploits: 1 · References: 4