9809 matches found
CVE-2026-12352
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device...
EUVD-2026-42047
This vulnerability allows an unauthenticated actor to bypass authentication and gain access to restricted resources on the device...
CVE-2026-12352
Technical details (affected products/versions, root cause, exploit conditions, or remediation) are not publicly provided in the supplied documents. Monitor for updates on CVE-2026-12352.
Server-side Request Forgery (SSRF)
Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the notification URL validation process. An attacker can access internal network resources and potentially expose sensitive internal data by configuring notification URLs to point to hostnames that...
CVE-2026-8377
Missing Authorization vulnerability in Armiya Information Technologies Ltd. Co. Access Control System GKS allows Collect Data from Common Resource Locations. This issue affects Access Control System GKS: before Version 2...
CVE-2026-34037
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the cloneTo Livewire action in ResourceOperations.php authorizes the source resource but resolves destination resources with unscoped Eloquent lookups, allowing an...
EUVD-2026-41983
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.471, the Livewire component Server\Resources exposes public methods startUnmanaged, stopUnmanaged, restartUnmanaged that accept a container ID parameter directly from the browse...
CVE-2026-50135 Hugo: Symlink confinement bypass in resources.Get
Hugo is a static site generator. From 0.123.0 to 0.161.1, a regression made RootMappingFs.statRoot use Stat follows symlinks instead of Lstat , so a direct resources.Get of a symlink pointing outside its mount returned the target's contents — letting a symlink planted in a local mount e.g. a...
CVE-2026-50135
Summary: Hugo up to v0.161.1 is affected by a symlink confinement bypass in the virtual filesystem used by Hugo’s resources.Get. Root cause: A regression in RootMappingFs.statRoot caused it to call Stat (which follows symlinks) instead of Lstat, allowing a symlink inside a mounted directory (e.g....
CVE-2026-7185
A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable of interacting with the affected feature to attempt to access file system resources outside the...
CVE-2026-7185
A validation vulnerability has been identified in certain web features related to file management or upload in several products of the TAO 2.0 suite. This vulnerability could allow an attacker capable of interacting with the affected feature to attempt to access file system resources outside the...
EUVD-2026-41599
Operation on a resource after expiration or release in Microsoft Edge Chromium-based allows an unauthorized attacker to disclose information over a network...
CVE-2026-14614
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions FGAP v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach or remove hidden client scopes that they are not...
Server-side Request Forgery (SSRF)
Overview @theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive...
Server-side Request Forgery (SSRF)
Overview @theia/request is a Theia Proxy-Aware Request Service Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the request-service process. An attacker can access sensitive internal resources by sending crafted URLs to the backend, which then performs...
CVE-2026-10055
CVE-2026-10055 affects Eclipse Theia (since 1.26.0). The issue arises in the backend /services/request-service RPC, which accepts an attacker-controlled URL from any client connected to the standard /services messaging endpoint, then performs the HTTP request server-side and returns the full resp...
K000162041: Spring Framework vulnerabilities CVE-2026-41843 and CVE-2026-41846
Security Advisory Description CVE-2026-41843 Spring MVC and WebFlux applications are vulnerable to Path Traversal attacks when resolving static resources. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. CVE-2026-41846 Spri...
io.quarkus/quarkus-vertx-http: Quarkus: Authorization bypass in HTTP path-based policies via encoded characters
A flaw was found in Quarkus. A remote attacker could bypass HTTP path-based authorization policies by using specially crafted encoded semicolons, slashes, or backslashes in HTTP requests. This could allow unauthorized access to protected static resources, leading to information disclosure...
PT-2026-55301
Name of the Vulnerable Software and Affected Versions AutoBangumi versions prior to 3.2.8 Description An unauthenticated remote attacker can probe internal network services via a server-side request forgery SSRF issue. By providing arbitrary host values to the 'POST /api/v1/setup/test-downloader'...
UBUNTU-CVE-2026-54786
Wasmtime is a runtime for WebAssembly. All versions prior to 24.0.10; versions 25.0.0 through those before 36.0.11; versions 37.0.0 through those before 44.0.3; and versions 45.0.0 and 45.0.1 contain a native implementation of WASIp1 which suffers from a leak in the fdrenumber function where the...