26 matches found
CVE-2026-21836 HCL DominoIQ is affected by broken access control
The HCL DominoIQ RAG feature is affected by a Broken Access Control vulnerability. Under certain circumstances, document level access restrictions will be ignored when determining what data to return from an AI query. This could enable an authenticated attacker to view sensitive data...
EUVD-2026-18756
immich is a high performance self-hosted photo and video management solution. Prior to version 2.6.0, the Immich application is vulnerable to credential disclosure when a user authenticates to a shared album. During the authentication process, the application transmits the album password within t...
GHSA-X27P-5F68-M644 Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON
Summary: Iceberg connector REST catalog static credentials access key or vended credentials temporary access key are accessible to users that have write privilege on SQL level. Details: Iceberg REST catalog typically needs access to object storage. This access can be configured in multiple differen...
EUVD-2025-209016
IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6 could allow an attacker to obtain sensitive information from the query string of an HTTP GET method to process a request which could be obtained using man in the middle techniques...
SUSE CVE-2026-29073
SiYuan is a personal knowledge management system. Prior to version 3.6.0, the /api/query/sql endpoint lets a user run SQL directly, but it only checks basic auth, not admin rights; any logged-in user, even readers, can run any SQL query on the database. This issue has been patched in version 3.6.0...
GHSA-MRQC-3276-74F8 PinchTab: API Bearer Token Exposed in URL Query Parameter via Server Logs and Intermediary Systems
Summary: PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy...
JH Software Simple DNS Plus Security Vulnerability
JH Software Simple DNS Plus is a DNS server software from JH Software, Denmark. A security vulnerability exists in JH Software Simple DNS Plus version v9, which stems from mishandling of DNS over TCP, which could lead to information disclosure and allow an attacker to view DNS queries from other...
EUVD-2006-4535
Malware in sbrugna...
EUVD-2020-7256
Malware in sbrugna...
EUVD-2024-45216
Malicious code in bioql PyPI...
CVE-2025-55673
When a guest user accesses a chart in Apache Superset, the API response from the /chart/data endpoint includes a query field in its payload. This field contains the underlying query, which improperly discloses database schema information, such as table names, to the low-privileged guest user. Thi...
CVE-2024-35278
An improper neutralization of special elements used in an SQL command ('SQL injection') in Fortinet FortiPortal versions 7.2.4 through 7.2.0 and 7.0.0 through 7.2.8 may allow an authenticated attacker to view the SQL query being run server-side when submitting an HTTP request, via including special...
CVE-2023-3197
The MStore API plugin for WordPress is vulnerable to Unauthenticated Blind SQL Injection via the 'id' parameter in versions up to, and including, 4.0.1 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible...
CVE-2022-4770
Hitachi Vantara Pentaho Business Analytics Server prior to versions 9.4.0.0 and 9.3.0.2, including 8.3.x, displays the full parametrized SQL query in an error message when an invalid character is used within a Pentaho Report .prpt...
CVE-2020-15219
Combodo iTop is a web based IT Service Management tool. In iTop before versions 2.7.2 and 3.0.0, when a download error is triggered in the user portal, an SQL query is displayed to the user. This is fixed in versions 2.7.2 and 3.0.0...
CVE-2025-47937
TYPO3 is an open source, PHP based web content management system. Starting in version 9.0.0 and prior to versions 9.5.51 ELTS, 10.4.50 ELTS, 11.5.44 ELTS, 12.4.31 LTS, and 13.4.12 LTS, when performing a database query involving multiple tables through the database abstraction layer DBAL, frontend...
unbound: unrestricted reconfiguration enabled to anyone that may lead to local privilege escalation
A vulnerability was found in Unbound due to incorrect default permissions, allowing any process outside the unbound group to modify the unbound runtime configuration. If a process can connect over localhost to port 8953, it can alter the configuration of unbound.service. This flaw allows an...
Apple iOS and iPadOS Security Vulnerabilities
Apple iOS and Apple iPadOS are products of Apple Inc. Apple iOS is an operating system developed for mobile devices, and Apple iPadOS is an operating system for iPad tablets. A security vulnerability exists in Apple iOS version 17 and iPadOS version 17, which stems from the fact that a remote...
PT-2023-2235 · Hitachi Vantara · Hitachi Vantara Pentaho Business Analytics Server
Name of the Vulnerable Software and Affected Versions: Hitachi Vantara Pentaho Business Analytics Server versions prior to 9.4.0.0 and 9.3.0.2, including 8.3.x Description: The issue is related to the error handling mechanism in Hitachi Vantara Pentaho Business Analytics Server, which displays th...