24 matches found
CVE-2026-48008 Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass
Shopware is an open commerce platform. Prior to 6.6.10.18 and 6.7.10.1, a non-admin API user with integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync; the regular integration endpoint POST...
Arbitrary Command Injection
Overview Affected versions of this package are vulnerable to Arbitrary Command Injection via the ssh process. An attacker can execute arbitrary commands on the operator's workstation by injecting malicious OpenSSH options when the operator runs non-interactive SSH commands. Remediation Upgrade...
CVE-2025-14362
The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force...
Astra Linux – Vulnerability in Redis
Redis is an in-memory database that persists data on disk. Starting from version 7.0.8 and before version 7.0.10, authenticated users could use the MSETNX command to trigger a runtime assertion and terminate the Redis server process. This issue was fixed in Redis version 7.0.10...
CVE-2026-0972 HTML Injection possible in system generated emails in Fortra's GoAnywhere MFT
HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing...
CVE-2026-0971
An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page...
PT-2026-33979
User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure...
CVE-2026-23542
Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through = 7.0.10...
Use of Hard-coded Credentials
Overview Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the deriveVaultKey function. An attacker can recover a significant portion of the cryptographic key by brute-forcing the remaining unpredictable bytes if they have physical access to the device...
PT-2025-36485
Name of the Vulnerable Software and Affected Versions: Avigilon ACM version 7.10.0.20 Description: A Host Header Injection vulnerability in Avigilon ACM v7.10.0.20 allows attackers to execute arbitrary code via supplying a crafted URL. Recommendations: At the moment, there is no information about...
UBUNTU-CVE-2025-53029
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. The supported version that is affected is 7.1.10. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle ...
Zyxel NWA50AX PRO 路径遍历漏洞
The Zyxel NWA50AX PRO is a wireless router from China Hopkins Zyxel. A path traversal vulnerability exists in Zyxel NWA50AX PRO 7.10 ACGE.2 and earlier versions, which stems from a path traversal in the fileupload-cgi CGI program that could lead to the deletion of configuration files...
PT-2023-24726 · Mongoose · Mongoose
Name of the Vulnerable Software and Affected Versions: Mongoose versions prior to 7.10 Description: The issue arises from the HTTP server in Mongoose accepting requests with negative Content-Length headers. This can be exploited by an attacker sending a single malicious payload over TCP, causing...
AZL-26736 CVE-2023-2700 affecting package libvirt for versions less than 7.10.0-5
A vulnerability was found in libvirt. This security flaw ouccers due to repeatedly querying an SR-IOV PCI device's capabilities that exposes a memory leak caused by a failure to free the virPCIVirtualFunction array within the parent struct's gautoptr cleanup...
Karmasis Infraskope Agent 访问控制错误漏洞
Karmasis Infraskope Agent is an application logger from Karmasis. An Access Control Error vulnerability exists in Karmasis Infraskope Agent versions prior to 7.10.00, which stems from improper access control in the application and can be exploited by an attacker to corrupt the page listing the...
PT-2022-15843 · Open Xchange · Ox App Suite
Name of the Vulnerable Software and Affected Versions: OX App Suite versions 7.10.6 and earlier Description: The issue allows OS Command Injection via Documentconverter, for example, through an email attachment. Recommendations: For OX App Suite versions 7.10.6 and earlier, update to a version...
GitLab 安全漏洞
GitLab is a Ruby on Rails-developed, self-hosted, Git version control system project repository application from the American company GitLab. The program can be used to access a project's file contents, commit history, bug lists, and more. A security vulnerability exists in GitLab CE/EE that stem...
PT-2021-6753 · Gitlab · Gitlab Ce/Ee +1
Name of the Vulnerable Software and Affected Versions: GitLab CE/EE versions 7.10 and later Description: The issue is related to incorrect authorization in GitLab, a platform for collaborative code development. Under specific conditions, it allows existing users to use an invite URL intended for...
CVE-2021-23932
OX App Suite through 7.10.4 allows XSS via an inline image with a crafted filename...
CVE-2020-8542
OX App Suite through 7.10.3 allows XSS...