85 matches found

Vulnrichment (added 2026/03/05 4:28 p.m.)

CVE-2026-27944 Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to...

CVSS 9.8 | AI score 5.7 | EPSS 0.07313 | Exploits: 12 | References: 1

AttackerKB (added 2026/03/05 4:28 p.m.)

CVE-2026-27944

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to...

CVSS 9.8 | AI score 5.9 | EPSS 0.07313 | Exploits: 12 | References: 2 | Affected software: 1

GitLab Advisory Database (added 2026/03/05 12:00 a.m.)

Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure

The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session...

CVSS 9.8 | AI score 6 | EPSS 0.07313 | Exploits: 12 | References: 7 | Affected software: 1

Positive Technologies (added 2026/03/05 12:00 a.m.)

PT-2026-23481

Name of the vulnerable software and affected versions: Nginx UI versions prior to 2.3.3. Description: Nginx UI is a web user interface for the Nginx web server. A critical flaw exists where the '/api/backup' endpoint is accessible without authentication. When this endpoint is accessed, the server...

CVSS 10 | AI score 7.2 | EPSS 0.07313 | Exploits: 12 | References: 209

CNVD (added 2026/02/11 12:00 a.m.)

Unspecified Vulnerability in HCL AION (CNVD-2026-16402)

HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from a security vulnerability that stems from a missing or insecure HTTP Strict Transport Security header, which can be exploited by an attacker to cause a man-in-the-middle attack...

CVSS 8.1 | AI score 5.8 | EPSS 0.00045 | Exploits: 0

RedhatCVE (added 2026/02/04 7:28 p.m.)

CVE-2025-52631

HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0...

CVSS 8.1 | AI score 5.4 | EPSS 0.00045 | Exploits: 0 | References: 1

RedhatCVE (added 2025/12/14 7:05 p.m.)

CVE-2025-13488

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...

CVSS 5.1 | AI score 5.6 | EPSS 0.00059 | Exploits: 0 | References: 1

EUVD (added 2025/12/04 9:31 p.m.)

EUVD-2025-201259

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...

CVSS 5.1 | AI score 5.2 | EPSS 0.00059 | Exploits: 0 | References: 3

NVD (added 2025/12/04 7:16 p.m.)

CVE-2025-13488

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...

CVSS 5.1 | EPSS 0.00059 | Exploits: 0 | References: 2

Snyk (added 2025/12/04 6:42 p.m.)

Cross-site Scripting (XSS)

Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to the lack of a security header on certain user-uploaded content served from repositories. An attacker can execute arbitrary scripts in the context of another user by uploading specially crafted content and...

CVSS 5.4 | AI score 5.5 | EPSS 0.00059 | Exploits: 0 | References: 2

CVE (added 2025/12/04 6:16 p.m.)

CVE-2025-13488

The CVE-2025-13488 entry concerns Sonatype Nexus Repository 3 where a regression in version 3.83.0 stops applying a security header to certain user-uploaded content served from repositories, enabling stored XSS with user context. Affected component is the Nexus Repository 3 plugin chain handling ...

CVSS 5.1 | AI score 5.2 | EPSS 0.00059 | Exploits: 0 | References: 2

Cvelist (added 2025/12/04 6:16 p.m.)

CVE-2025-13488 Nexus Repository 3 - Stored Cross-Site Scripting (XSS)

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...

CVSS 5.1 | EPSS 0.00059 | Exploits: 0 | References: 2

Positive Technologies (added 2025/12/04 12:00 a.m.)

PT-2025-49112

Due to a regression introduced in version 3.83.0, a security header is no longer applied to certain user-uploaded content served from repositories. This may allow an authenticated attacker with repository upload privileges to exploit a stored cross-site scripting (XSS) vulnerability with user conte...

CVSS 5.1 | AI score 5.6 | EPSS 0.00059 | Exploits: 0 | References: 3

Positive Technologies (added 2025/11/20 12:00 a.m.)

PT-2025-47591

IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man-in-the-middle techniques...

CVSS 5.9 | AI score 5.3 | EPSS 0.00016 | Exploits: 0 | References: 2

CNVD (added 2025/11/05 12:00 a.m.)

Unspecified vulnerability in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 (CNVD-2025-29071)

The Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both networked access controllers from Azure Access Technology, USA. A security vulnerability exists in the Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 that stems from a missing security header. No...

CVSS 9.8 | AI score 6.6 | EPSS 0.00073 | Exploits: 0 | References: 1

CNNVD (added 2025/10/31 12:00 a.m.)

Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 security vulnerability

The Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both networked access controllers from Azure Access Technology, USA. A security vulnerability exists in the Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 that stems from a missing security header. No...

CVSS 9.8 | AI score 6.5 | EPSS 0.00073 | Exploits: 0 | References: 2

EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2008-2545

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.00545 | Exploits: 0 | References: 7

EUVD (added 2025/10/07 12:30 a.m.)

EUVD-2019-13933

Malware in sbrugna...

CVSS 7.5 | AI score 7.6 | EPSS 0.00322 | Exploits: 0 | References: 2

EUVD (added 2025/10/03 8:07 p.m.)

EUVD-2025-27841

Malicious code in bioql PyPI...

CVSS 5.9 | AI score 6.4 | EPSS 0.00024 | Exploits: 0 | References: 1

OSV (added 2025/09/28 11:05 p.m.)

USN-7780-1 qtbase-opensource-src vulnerabilities

It was discovered that Qt did not correctly handle certain inputs when using the SQL ODBC driver plugin. An attacker could possibly use this issue to cause a denial of service. (CVE-2023-24607) It was discovered that Qt did not correctly parse certain strict-transport-security headers. An attacker...

CVSS 7.5 | AI score 7 | EPSS 0.00354 | Exploits: 0 | References: 5

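Most of the entries above share one failure pattern: a response either lacks a security header it should carry (Strict-Transport-Security for HCL AION and IBM Concert, a header a client such as Qt must then parse correctly) or carries one it must never expose (X-Backup-Security on an unauthenticated /api/backup response in Nginx UI before 2.3.3). The script below is an added example, not code from any vendor, advisory or project listed here. It audits already-captured responses offline, so it sends nothing; the sample responses are constructed, the X-Backup-Security value is a placeholder because the advisory does not publish the header's format, and the one-year max-age threshold is this example's own assumption (RFC 6797 sets no minimum).

```python
"""Offline audit of captured HTTP responses for the header weaknesses above.

Added example (not from any listed advisory or vendor). Input is raw response
text (status line plus headers); the SAMPLES at the bottom are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption of this example: treat an HSTS max-age under one year as weak.
MIN_HSTS_MAX_AGE = 31_536_000


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical" | "high" | "medium" | "low"
    message: str


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split 'HTTP/1.1 200 OK\\r\\nName: value...' into (status, headers).
    Names are lower-cased; repeated fields are comma-joined (RFC 9110)."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of header section
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return status, headers


def parse_hsts(value: str) -> dict[str, str | None]:
    """Parse an HSTS directive list as RFC 6797 section 6.1 describes it:
    directive names are case-insensitive, max-age may be a quoted-string,
    and a directive without '=' (includeSubDomains, preload) maps to None."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if eq else None
    return directives


def audit_hsts(headers: dict[str, str]) -> list[Finding]:
    """Missing or weak Strict-Transport-Security: absent header, missing or
    non-numeric max-age (a conforming UA then ignores the whole header),
    max-age=0, short max-age, or no includeSubDomains."""
    value = headers.get("strict-transport-security")
    if value is None:
        return [Finding("high", "Strict-Transport-Security absent; first visit and "
                                "any http:// link stay downgradable")]
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        return [Finding("high", f"HSTS present but max-age missing/non-numeric: {value!r}")]
    findings: list[Finding] = []
    if int(max_age) == 0:
        findings.append(Finding("high", "max-age=0 tells clients to drop the host from HSTS"))
    elif int(max_age) < MIN_HSTS_MAX_AGE:
        findings.append(Finding("medium", f"max-age={max_age} is under one year"))
    if "includesubdomains" not in d:
        findings.append(Finding("low", "includeSubDomains absent; subdomains stay reachable over HTTP"))
    return findings


def audit_backup_endpoint(path: str, status: int, headers: dict[str, str],
                          authenticated: bool) -> list[Finding]:
    """Indicator for CVE-2026-27944 (Nginx UI < 2.3.3): a request to /api/backup
    made WITHOUT credentials that succeeds, and whose response carries
    X-Backup-Security, the header the advisory names as disclosing the keys."""
    if path != "/api/backup" or authenticated or status != 200:
        return []
    findings = [Finding("critical", "/api/backup served 200 to an unauthenticated request")]
    if "x-backup-security" in headers:
        # Report presence only; never log the value, it is key material.
        findings.append(Finding("critical", "X-Backup-Security present on the "
                                            "unauthenticated response: key disclosure"))
    return findings


# Constructed samples (not real captures): name -> (path, raw response, authenticated?)
SAMPLES: dict[str, tuple[str, str, bool]] = {
    "nginx-ui-backup": ("/api/backup",
        "HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n"
        "Content-Disposition: attachment; filename=backup.zip\r\n"
        "X-Backup-Security: constructed-placeholder\r\n\r\n", False),
    "no-hsts": ("/", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n", True),
    "weak-hsts": ("/", "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n", True),
    "good-hsts": ("/", "HTTP/1.1 200 OK\r\nStrict-Transport-Security: "
                       'MAX-AGE="63072000"; includeSubDomains; preload\r\n\r\n', True),
}


def audit_sample(name: str) -> list[Finding]:
    path, raw, authed = SAMPLES[name]
    status, headers = parse_response(raw)
    return audit_backup_endpoint(path, status, headers, authed) + audit_hsts(headers)


if __name__ == "__main__":
    for name in SAMPLES:
        for f in audit_sample(name):
            print(f"{name:16} {f.severity:9} {f.message}")
```

Feed it the headers you captured yourself (for the Nginx UI check, a request carrying no session cookie or token); a 200 on /api/backup without credentials is already a finding on its own, and the X-Backup-Security header turns it into key disclosure, so the audit reports the header's presence but deliberately never prints its value.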