20174 matches found
EUVD-2026-44531
HCL BigFix Platform is affected by a user enumeration vulnerability which might allow an attacker, through careful system control and response time monitoring, to perform some level of user enumeration for the BigFix service...
CVE-2026-21840
CVE-2026-21840 — HCL BigFix Platform is reported to have a user enumeration vulnerability. The available documents indicate that an attacker could perform some level of user enumeration for the BigFix service by observing system behavior/response times. The CVSS 3.1 metrics show a low base score ...
CVE-2026-15642
Affected product: Devolutions Server 2026.1.22.0 and 2026.2.11.0. Vulnerable path: Recovery Kit response file generation feature. Root cause: insertion of sensitive information into the response file, leaking the Azure Key Vault client secret in cleartext even when the option to exclude sensitive...
CVE-2025-43892
Fortinet FortiOS is affected by CVE-2025-43892: a buffer over-read in FortiOS 7.6.0–7.6.2, 7.4.0–7.4.8, and 7.2 all versions. An authenticated remote attacker could cause the device to return a portion of memory in the redirect response by submitting a specially crafted request. The CVSSv3.1 vect...
CVE-2025-62675
The CVE-2025-62675 entry concerns an issue described as an Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) in Fortinet FortiOS and FortiProxy products. Affected versions are FortiOS 7.6.0–7.6.4, FortiOS 7.4 all versions, FortiOS 7.2 all versions, FortiProxy 7.6...
Emlog Pro v2.1.14 - Cross-Site Scripting
Cross Site Scripting XSS vulnerability in Emlog Pro v2.1.14 via /admin/store.php. id: CVE-2023-41621 info: name: Emlog Pro v2.1.14 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross Site Scripting XSS vulnerability in Emlog Pro v2.1.14 via /admin/store.php. impact: ...
SuiteCRM - SQL Injection
SuiteCRM is an open-source Customer Relationship Management CRM software application. Prior to versions 7.14.4 and 8.6.1, a vulnerability in events response entry point allows for a SQL injection attack. Versions 7.14.4 and 8.6.1 contain a fix for this issue. id: CVE-2024-36412 info: name: SuiteC...
Dify User Enumeration via Observable Response Discrepancy
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. id: CVE-2026-28288 info: name: Dify User Enumeratio...
Reprise License Manager 14.2 - Cross-Site Scripting
Reprise License Manager 14.2 contains a cross-site scripting vulnerability in the /goform/activateprocess "count" parameter via GET. id: CVE-2021-45422 info: name: Reprise License Manager 14.2 - Cross-Site Scripting author: edoardottt severity: medium description: | Reprise License Manager 14.2...
CData API Server < 23.4.8844 - Path Traversal
A path traversal vulnerability exists in the Java version of CData API Server 23.4.8844 when running using the embedded Jetty server, which could allow an unauthenticated remote attacker to gain complete administrative access to the application. id: CVE-2024-31848 info: name: CData API Server...
CVE-2026-27690
Due to an HTTP Request Smuggling vulnerability in SAP Approuter, an unauthenticated attacker could send a specially crafted HTTP request that leads to request-response desynchronization. This could result in the exposure of user responses and cause the system to become unavailable. This leads to ...
CVE-2026-44760
The CVE-2026-44760 entry concerns a Cross-Site Scripting (XSS) in SAP NetWeaver Application Server ABAP-based applications that use the Business Server Pages framework. The vulnerability arises from unsanitized input being reflected in the HTTP response, enabling an attacker to inject and execute...
CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
CVE-2026-61503 Rejetto HFS < 3.2.1 Username Enumeration via Login Response Differences
Rejetto HFS 3.0.0 through 3.2.0 returns observably different responses from its login endpoint depending on whether the submitted username exists. A remote unauthenticated attacker can use this to confirm valid account names, including the default admin account, facilitating password-guessing and...
ruby: net-imap: Net::IMAP: Denial of Service via crafted IMAP responses
A flaw was found in Net::IMAP, a Ruby library implementing the Internet Message Access Protocol IMAP client functionality. A hostile server can exploit a quadratic time complexity issue in the Net::IMAP::ResponseReader when processing large responses containing numerous string literals. This can...
CVE-2026-15488
The CVE affects hcr707305003 shiroiAdmin versions 1.1/1.3 where FileController.php (FileController::upload) can be manipulated to trigger an unrestricted file upload. This could be exploited remotely. A public exploit exists. Upgrade to version 1.4 to address the issue (patch 3ecde28ea8a20a3840db...
Malicious code in tinyparrot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ec7ebbcc82edaa241764193ea85c0492b99f9ed3be805c57ef0914518cd4b6f9 The postinstall script src/build.js reconstructs the strings 'https', 'POST', and the destination host 'rnjkerbf.org/P' from integer-encoded arrays v...
CVE-2026-53878
A flaw was found in Django. django.core.validators.DomainNameValidator accepted newline characters in domain name input. When applications use this validator outside Django form fields and include the validated value in HTTP response headers, a remote attacker could perform HTTP header injection...
CVE-2026-14461 Out-of-bound read in mtr
mtr is vulnerable to Out-of-bound read vulnerability in ipinfolookup function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME...
CVE-2026-14461 Out-of-bound read in mtr
mtr is vulnerable to Out-of-bound read vulnerability in ipinfolookup function. An attacker who can influence the TXT response used for AS lookups can trigger this bug by returning a DNS response that is larger than 512 bytes and uses a crafted compression pointer in the answer NAME...