CVE-2026-44441

ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.106.0 and 16.16.0, a malicious user could send a crafted request to an endpoint, which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 15.106.0 and 16.16...

CVE-2026-40868 kyverno apicall servicecall implicit bearer token injection leaks kyverno serviceaccount token

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 1.16.4, kyverno’s apiCall servicecall helper implicitly injects Authorization: Bearer ... using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header...

CVE-2026-25197

CVE-2026-25197 pertains to Gardyn Cloud API, where an endpoint allows an authenticated user to pivot to other user profiles by altering the id parameter in the API call. The underlying issue is an authorization bypass via a user-controlled key/id, enabling access to other profiles and potentially...

CVE-2026-31878

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6...

EUVD-2026-11290

Frappe is a full-stack web application framework. Prior to 14.100.1, 15.100.0, and 16.6.0, a malicious user could send a crafted request to an endpoint which would lead to the server making an HTTP call to a service of the user's choice. This vulnerability is fixed in 14.100.1, 15.100.0, and 16.6...

CVE-2026-30862 Critical Stored XSS & Privilege Escalation in Appsmith

Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget TableWidgetV2. The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be...

MLflow 访问控制错误漏洞

MLflow is an open source platform from MLflow that simplifies machine learning development, including tracking experiments, packaging code into repeatable runs, and sharing and deploying models. An Access Control Error vulnerability exists in MLflow 3.4.0 and prior versions, which stems from a la...

UBUNTU-CVE-2025-39694

In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via Service Call functionality. A user with sufficient privileges to create Kyverno policies can expose all data from a Kubernetes cluster using a malicious Kyverno policy that makes external service cal...

GHSA-459X-Q9HG-4GPQ Kyverno vulnerable to SSRF via Service Calls

Summary An attacker with the ability to create Kyverno policies in a Kubernetes cluster can use Service Call functionality to perform SSRF to a server under their control in order to exfiltrate data. Details According to the documentation, Service Call is intended to address services located insi...

PT-2024-31434 · Lenovo · Lxca

Name of the Vulnerable Software and Affected Versions: LXCA affected versions not specified Description: A valid, authenticated LXCA user without sufficient privileges may be able to use the device identifier to modify an LXCA managed device through a specially crafted web API call...

SonicWALL Analytics和GMS 安全漏洞

SonicWALL Analytics and SonicWALL GMS are both products of SonicWALL, Inc. of the U.S. SonicWALL Analytics is a high-performance management and reporting engine for the Web.SonicWALL GMS is a global management system. A powerful and intuitive solution for organizations, distributed enterprises an...

CVE-2023-34422

A valid, authenticated LXCA user with elevated privileges may be able to delete folders in the LXCA filesystem through a specifically crafted web API call due to insufficient input validation...

Lenovo XClarity Administrator 操作系统命令注入漏洞

Lenovo XClarity Administrator LXCA is a centralized resource management solution from Lenovo, China. The product is capable of providing agentless hardware management for servers, storage, network switches, and more. A command injection vulnerability exists in Lenovo XClarity Administrator, which...

CVE-2021-27102

Accellion FTA 912411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA912416 and later...

CVE-2021-27102

Accellion FTA 912411 and earlier is affected by OS command execution via a local web service call. The fixed version is FTA912416 and later. Recent assessments: Assessed Attacker Value: 0 Assessed Attacker Value: 0Assessed Attacker Value: 0...

Design/Logic Flaw

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine VM to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method...

CVE-2019-14220

An issue was discovered in BlueStacks 4.110 and below on macOS and on 4.120 and below on Windows. BlueStacks employs Android running in a virtual machine VM to enable Android apps to run on Windows or MacOS. Bug is in a local arbitrary file read through a system service call. The impacted method...

LibreOffice Arbitrary File Read Vulnerability

LibreOffice is a free and open source office software suite developed by The Document Foundation TDF. The suite consists of Writer text documents, Calc spreadsheets and Impress presentations and other applications. A security vulnerability exists in LibreOffice 6.0.1 and earlier versions. A remot...

CVE-2017-8007

In EMC ViPR SRM, Storage M&R, VNX M&R, and M&R Watch4Net for SAS Solution Packs, the Webservice Gateway is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, a...