2100 matches found
PT-2026-25758
Mattermost fails to canonicalize IPv4-mapped IPv6 addresses before reserved IP validation in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...
CVE-2026-2742
Summary of CVE-2026-2742 : Vaadin flow-server contains an authentication bypass via the /VAADIN endpoint when accessed without a trailing slash, allowing unauthenticated users to trigger framework initialization and create sessions. Affected products/versions include Vaadin 14.0.0–14.14.0, 23.0.0...
CVE-2026-2742 Unauthorized session creation via reserved framework path access
An authentication bypass vulnerability exists in Vaadin 14.0.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.7 and 25.0.0 through 25.0.1, applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without ...
Unauthorized Session Creation via Reserved Framework Path Access
An authentication bypass vulnerability exists in Vaadin applications using Spring Security due to inconsistent path pattern matching of reserved framework paths. Accessing the /VAADIN endpoint without a trailing slash bypasses security filters, allowing unauthenticated users to trigger framework...
CVE-2026-30839
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.6.2, testwebhooknotifications.php does not validate the target URL against private/reserved IP ranges, enabling full-read SSRF. The server response is returned to the caller. This issue has been patched in...
CVE-2024-35644
CVE-2024-35644 describes a DOM-based Cross-Site Scripting (XSS) vulnerability in the WordPress plugin “Preferred Languages” by Pascal Birchler. The issue is caused by improper input neutralization during web page generation, enabling DOM-based XSS. It affects versions from n/a through 2.2.2 of th...
CVE-2026-3076
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2026-2363. Reason: This candidate is a reservation duplicate of CVE-2026-2363. Notes: All CVE users should reference CVE-2026-2363 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...
OpenClaw's runtime /debug override path accepted prototype-reserved keys
Summary OpenClaw accepted prototype-reserved keys in runtime /debug set override object values proto, constructor, prototype. Impact /debug is disabled by default, and exploitation requires an already authorized /debug set caller. No unauthenticated vector was identified. This issue affects runti...
CVE-2024-31328
CVE-2024-31328 is documented in Wear OS/Android Wear context. A logic error in the function broadcastIntentLockedTraced of BroadcastController.java may allow launching arbitrary activities from the background on the paired companion phone, resulting in local elevation of privilege without additio...
[SECURITY] Fedora 42 Update: munge-0.5.18-1.fc42
MUNGE MUNGE Uid 'N' Gid Emporium is an authentication service for creating and validating credentials. It is designed to be highly scalable for use in an HPC cluster environment. It allows a process to authenticate the UID and GID of another local or remote process within a group of hosts having...
GHSA-76RV-2R9V-C5M6 zae-limiter: DynamoDB hot partition throttling enables per-entity Denial of Service
Summary All rate limit buckets for a single entity share the same DynamoDB partition key namespace/ENTITYid. A high-traffic entity can exceed DynamoDB's per-partition throughput limits 1,000 WCU/sec, causing throttling that degrades service for that entity — and potentially co-located entities in...
CVE-2019-19008
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2019-19363. Reason: This candidate is a reservation duplicate of CVE-2019-19363. Notes: All CVE users should reference CVE-2019-19363 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...
CVE-2018-9146
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-17724. Reason: This candidate is a reservation duplicate of CVE-2017-17724. Notes: All CVE users should reference CVE-2017-17724 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...
CVE-2024-34438
CVE-2024-34438 is a Missing Authorization vulnerability in the WordPress plugin Shared Files (Download Manager & Media Gallery) affecting versions up to and including 1.7.19 . The issue enables unauthorized access to protected resources due to broken access control. The CVSS v3.1 base score is 5....
CVE-2017-4504
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2017. Notes: none...
CVE-2025-13965
REJECT DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2025-12500. Reason: This candidate is a reservation duplicate of CVE-2025-12500. Notes: All CVE users should reference CVE-2025-12500 instead of this candidate. All references and descriptions in this candidate have been removed to prevent...
CVE-2009-0190
DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1016. Reason: This candidate is a reservation duplicate of CVE-2009-1016. Notes: All CVE users should reference CVE-2009-1016 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental...
CVE-2025-71202
In the Linux kernel, the following vulnerability has been resolved: iommu/sva: invalidate stale IOTLB entries for kernel address space Introduce a new IOMMU interface to flush IOTLB paging cache entries for the CPU kernel address space. This interface is invoked from the x86 architecture code tha...
CVE-2025-68128
reserved but not needed...
CVE-2025-68127
reserved but not needed...