
9 matches found

CVE
added 2026/05/14 3:19 p.m. | 11 views

CVE-2026-42596

CVE-2026-42596 describes an unauthenticated SSRF vulnerability in Gotenberg’s default deny-list filtering for the downloadFrom and webhook features. The issue arises because the deny-lists are regex-based and case-sensitive, allowing attacker-controlled URLs (e.g., IPv4-mapped IPv6 loopback forms...

CVSS 9.4 | AI score 5.8 | EPSS 0.00084
Exploits: 1 | References: 1 | Affected Software: 1
ATTACKERKB
added 2026/04/06 7:33 p.m. | 1 views

CVE-2026-35187

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the parseurls API function in src/pyload/core/api/init.py fetches arbitrary URLs server-side via geturlurl pycurl without any URL validation, protocol restriction, or IP blacklist. An authenticated...

CVSS 7.7 | AI score 6 | EPSS 0.0004
Exploits: 1 | References: 3 | Affected Software: 1
CNNVD
added 2025/07/08 12:0 a.m. | 2 views

Ivanti Connect Secure and Ivanti Policy Secure Code Issue Vulnerability

Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) are both products of Ivanti Corporation, U.S.A. Ivanti Connect Secure is a secure remote network connection tool. Ivanti Policy Secure is a network access control (NAC) solution. A code issue vulnerability exists in Ivanti Connect Secure version...

CVSS 5.5 | AI score 6.9 | EPSS 0.01114
Exploits: 0 | References: 2
NVD
added 2025/02/18 7:15 p.m. | 5 views

CVE-2024-57055

Server-Side Access Control Bypass vulnerability in WombatDialer before 25.02 could allow unauthorized users to potentially call certain services without the necessary access level. This issue is limited to services used by the client not the general-use JSON services and requires reverse...

CVSS 5 | EPSS 0.0001
Exploits: 0 | References: 1
CNNVD
added 2025/02/18 12:0 a.m. | 2 views

Sage DPW Security Vulnerability

Sage DPW is an HR system from Sage UK. A security vulnerability exists in versions prior to Sage DPW 202412000, which stems from a lack of server-side access control and can lead to overstepping by a low-privileged user...

CVSS 8.1 | AI score 6.7 | EPSS 0.03057
Exploits: 1 | References: 2
CVE
added 2025/02/18 12:0 a.m. | 46 views

CVE-2024-57055

CVE-2024-57055 affects WombatDialer prior to version 25.02. The issue is a server-side access control bypass that could allow unauthorized users to call certain client-only services, with the exploit requiring reverse engineering of a proprietary serialization protocol. Impact is limited to clien...

CVSS 5 | AI score 6.7 | EPSS 0.0001
Exploits: 0 | References: 1
CNNVD
added 2024/04/18 12:0 a.m. | 1 views

DerbyNet Security Vulnerability

DerbyNet is a simple code for a match broadcasting program. A SQL injection vulnerability exists in the DerbyNet classids parameter, which can be exploited to send crafted SQL statements to ajax/query.slide.next.inc scripts using the 'classids' parameter, allowing an attacker to view, add, modify...

CVSS 8.1 | AI score 7.9 | EPSS 0.00233
Exploits: 2 | References: 2
CNNVD
added 2024/01/29 12:0 a.m. | 1 views

OpenText AppBuilder Code Issue Vulnerability

OpenText AppBuilder is an application from OpenText Canada. A security vulnerability exists in OpenText AppBuilder versions 21.2 through 23.2, which originates from XML External Entity Injection and allows server-side request forgery, probing of system files...

CVSS 6.5 | AI score 7.1 | EPSS 0.00033
Exploits: 0 | References: 2
OSV
added 2018/09/07 5:29 p.m. | 14 views

CVE-2018-16703

A vulnerability in the Gleez CMS 1.2.0 login page could allow an unauthenticated, remote attacker to perform multiple user enumerations, which can further help an attacker to perform login attempts in excess of the configured login attempt limit. The vulnerability is due to insufficient server-si...

CVSS 5.3 | AI score 7.1
Exploits: 0 | References: 1