20 matches found
CVE-2026-26016 Pterodactyl Panel Allows Cross-Node Server Configuration Disclosure via Remote API Missing Authorization
Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.1, a missing authorization check in multiple controllers allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance,...
PT-2026-20331
Name of the Vulnerable Software and Affected Versions: Pterodactyl Panel versions prior to 1.12.1. Description: A missing authorization check allows any user with access to a node secret token to fetch information about any server on a Pterodactyl instance, even if that server is associated with a...
CVE-2026-23493
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through t...
CVE-2026-23493 Pimcore ENV Variables and Cookie Informations are exposed in http_error_log
Pimcore is an Open Source Data & Experience Management Platform. Prior to 12.3.1 and 11.5.14, the http_error_log file stores the $_COOKIE and $_SERVER variables, which means sensitive information such as database passwords, cookie session data, and other details can be accessed or recovered through t...
CVE-2025-53505
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed...
CVE-2025-53505
Group-Office versions prior to 6.8.119 and prior to 25.0.20 provided by Intermesh BV contain a path traversal vulnerability. If this vulnerability is exploited, information on the server hosting the product may be exposed...
JVN#72111431: Multiple vulnerabilities in Group-Office
Group-Office provided by Intermesh BV contains multiple vulnerabilities listed below. Cross-site scripting (CWE-79): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N Base Score 4.8; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N Base Score 5.4; CVE-2025-53504. Path traversal (CWE-22)...
CVE-2021-37425
Altova MobileTogether Server before 7.3 SP1 allows XXE attacks, such as an InfoSetChanges/Changes attack against /workflowmanagement, or reading mobiletogetherserver.cfg and then reading the certificate and private key...
graphql-mesh Path Traversal Vulnerability
graphql-mesh is an application by individual developer Arda TANRIKULU. A path traversal vulnerability exists in graphql-mesh, stemming from missing checks in the static file handler, which could lead to arbitrary file reads and leak server data...
CVE-2023-40726
A vulnerability has been identified in QMS Automotive (All versions < V12.39). The affected application server responds with sensitive information about the server. This could allow an attacker to directly access the database...
FUXA Code Issue Vulnerability
FUXA is an open source web-based process visualization SCADA/HMI/Dashboard software. A security vulnerability exists in FUXA 1.1.3 that originates from obtaining sensitive information from the server's internal environment and services, which could typically lead to an attacker executing commands...
PT-2021-14078
Name of the Vulnerable Software and Affected Versions: acmailer versions 4.0.1 and earlier; acmailer DB versions 1.1.3 and earlier. Description: The issue allows remote attackers to execute an arbitrary OS command or gain administrative privilege, potentially resulting in the obtaining of sensitive...
XML Entity Injection Vulnerability in NC Cloud of UFIDA Network Technology Corporation (CNVD-2020-64771)
NC Cloud is a digital platform for large enterprises, focusing on digital management, digital operation and digital business, helping large enterprises realize the comprehensive digitalization of people, money, goods and customers. An XML entity injection vulnerability exists in NC Cloud of UFIDA...
XML Entity Injection Vulnerability in NC Cloud of UFIDA Network Technology Corporation (CNVD-2020-64772)
NC Cloud is a digital platform for large enterprises, focusing on digital management, digital operation and digital business, helping large enterprises realize the comprehensive digitalization of people, money, goods and customers. An XML entity injection vulnerability exists in NC Cloud of UFIDA...
SQL Injection Vulnerability in Jiangmen Pengjiang Kehui Development Co., Ltd.
Jiangmen Pengjiang Kehui Development Co., Ltd. is a value-added telecommunication service provider offering website construction, WeChat public number service, WeChat small program development, microsite construction, web hosting, web design, program development, enterprise mailbox and website promotion, Flash animation and multimedia...
Xuzhou Mengchuang Information Technology Co., Ltd. website building system has a file upload vulnerability
Vlcms belongs to Xuzhou Mengchuang Information Technology Co., Ltd. and Jiangsu Vlcms Network Technology Co., Ltd. and has focused on providing technical products and services for the game industry for 9 years, providing professional and scalable game operation technical solutions for...
Heyuan Zhongda Culture Media Co., Ltd. Cloud Capture Any Content Plugin has an arbitrary file read vulnerability
The Cloud Capture Any Content Plugin by Heyuan Zhongda Culture Media Co., Ltd. is a free collection plugin. There is an arbitrary file read vulnerability in the Heyuan Zhongda Culture Media Co., Ltd. Cloud Capture Any Content Plugin. Attackers can use this vulnerability to obtain sensitive information o...
IBM OpenPages GRC Platform Information Disclosure Vulnerability (CNVD-2017-34430)
IBM OpenPages GRC Platform is a suite of platforms for managing enterprise risk and compliance from IBM in the United States. The platform provides a set of core services and functional components that cover the risk and compliance domain including operational risk, policy and compliance, financi...
SQL Injection Vulnerability in Zzcms admin/logincheck.php Page
ZZCMS is an enterprise website builder. A SQL injection vulnerability exists in the zzcms admin/logincheck.php page. Due to the failure to filter variables coming from $_SERVER, an attacker can exploit the vulnerability to obtain sensitive database data...
nss: false start PR_Recv information disclosure security issue
A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server...