Lucene search
K

82 matches found

NVD
NVD
added 4 days ago5 views

CVE-2026-56309

Capgo before 12.128.2 fails to enforce plan/quota restrictions on the /files/upload/attachments endpoint, allowing plan-blocked apps to create publicly readable R2 objects. Attackers can upload arbitrary attachments using upload-scoped API keys that bypass plan checks, persist outside normal bund...

5.4CVSS0.00259EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago29 views

CVE-2026-58661 n8n - Disk Space Exhaustion via Data-Table File Upload Endpoint

n8n before 2.28.0 and before 1.123.58 on the 1.x branch contains a disk space exhaustion vulnerability in the data-table file upload endpoint. The per-request quota check does not account for files already written to the shared temporary directory, allowing an authenticated user to repeatedly...

5.3CVSS0.00235EPSS
Exploits0References2
PyPA
PyPA
added 2026/07/06 8:3 a.m.4 views

OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service

OpenStack Image Service Glance before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo allows remote authenticated users to bypass the storage quota and cause a denial of service disk consumption by deleting images that are being uploaded using a token that expires during the process. NOTE: this...

6.8CVSS6AI score0.02376EPSS
Exploits0References11Affected Software1
OSV
OSV
added 2026/07/06 8:3 a.m.4 views

PYSEC-2026-812 OpenStack Image Service (Glance) allows remote authenticated users to bypass storage quota, cause denial of service

OpenStack Image Service Glance before 2014.2.4 juno and 2015.1.x before 2015.1.2 kilo allows remote authenticated users to bypass the storage quota and cause a denial of service disk consumption by deleting images that are being uploaded using a token that expires during the process. NOTE: this...

6.8CVSS6AI score0.02376EPSS
Exploits0References11
RedhatCVE
RedhatCVE
added 2026/06/05 7:37 p.m.9 views

CVE-2026-41233

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS5.5AI score0.00264EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/06/01 1:19 p.m.38 views

CVE-2026-10533 Openshift: openshift: non-admin user can bypass resourcequota and flood etcd with events causing cluster-wide api degradation

A flaw was found in OpenShift Container Platform. Completed pods with restartPolicy: Never do not count toward ResourceQuota pod limits, and Kubernetes events are not quota-scoped. A non-privileged user who can create pods in a namespace can exploit this to generate a large volume of events that...

5CVSS0.0023EPSS
Exploits0References2
NVD
NVD
added 2026/04/23 5:16 a.m.9 views

CVE-2026-41233

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS0.00264EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/23 4:0 a.m.4 views

CVE-2026-41233

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References4Affected Software1
EUVD
EUVD
added 2026/04/23 4:0 a.m.8 views

EUVD-2026-25188

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/04/23 4:0 a.m.35 views

CVE-2026-41233 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS0.00264EPSS
Exploits1References3
Vulnrichment
Vulnrichment
added 2026/04/23 4:0 a.m.3 views

CVE-2026-41233 Froxlor has a Reseller Domain Quota Bypass via Unvalidated adminid Parameter in Domains.add()

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References3
CNNVD
CNNVD
added 2026/04/23 12:0 a.m.11 views

Froxlor 安全漏洞

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 contained security vulnerabilities. These vulnerabilities stemmed from the use of the adminid parameter in Domains.add without verification, allowing administrators to assi...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/04/23 12:0 a.m.8 views

PT-2026-34638

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customers see all permission. This allows a reseller to attribute newly created...

5.4CVSS5.8AI score0.00264EPSS
Exploits1References4
Snyk
Snyk
added 2026/04/16 12:46 a.m.6 views

Incorrect Authorization

Overview froxlor/froxlor is a server administration software. Affected versions of this package are vulnerable to Incorrect Authorization in the Domains.add process. An attacker can bypass domain quota restrictions and exhaust another admin's quota by specifying an arbitrary adminid parameter whe...

5.4CVSS5.9AI score0.00264EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.4 views

CVE-2026-32723

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS6AI score0.00148EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/03/18 9:27 p.m.1 views

CVE-2026-32723 SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/18 9:27 p.m.2 views

CVE-2026-32723

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.35, SandboxJS timers have an execution-quota bypass. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/16 4:43 p.m.6 views

SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers

Summary Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 no /Users/zwique/Downloads/SandboxJS found. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/03/16 4:43 p.m.3 views

GHSA-7P5M-XRH7-769R SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers

Summary Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 no /Users/zwique/Downloads/SandboxJS found. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/03/16 12:0 a.m.4 views

PT-2026-25822

Summary Assumed repo path is /Users/zwique/Downloads/SandboxJS-0.8.34 no /Users/zwique/Downloads/SandboxJS found. A global tick state currentTicks.current is shared between sandboxes. Timer string handlers are compiled at execution time using that global tick state rather than the scheduling...

4.8CVSS5.9AI score0.00148EPSS
Exploits1References8
Rows per page
Query Builder