56 matches found
CVE-2026-50698 Frappe Framework 17.0.0-dev - Stored XSS in Audit Trail template rendering
A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input before generating HTML output in the Audit Trail component...
CVE-2026-9143 Incorrect Conversion between Numeric Types in NI grpc-device due to missing range checks in CodeGen
There is an incorrect conversion between numeric types vulnerability in NI grpc-device due to missing range checks in CodeGen. This may silently discard high bits if a size value exceeded the target type's range. This affects NI grpc-device 2.17.0 and prior versions...
CVE-2026-49871
CVE-2026-49871 describes a Cross-Site Request Forgery (CSRF) vulnerability in the cas-auth plugin under default configurations in Apache APISIX versions 3.0.0–3.16.0. The issue allows a remote attacker who can lure a victim to a controlled webpage to cause the victim’s browser to become authentic...
CVE-2026-44724
systeminformation is a System and OS information library for node.js. From 4.17.0 to 5.31.5, on Linux, systeminformation is vulnerable to command injection in networkInterfaces when an active NetworkManager connection profile name contains shell metacharacters. The vulnerable value is obtained...
CVE-2026-39969
TypeBot is a chatbot builder tool. In versions 3.16.0 and prior, the WhatsApp Cloud API webhook endpoint POST /v1/workspaces/workspaceId/whatsapp/credentialsId/webhook does not verify the x-hub-signature-256 HMAC signature included by Meta in every webhook delivery. The webhook URL exposes both...
CVE-2026-42333
CVE-2026-42333 affects Quarkus OpenAPI Generator. The issue: the generated authentication filter can match OpenAPI path templates too broadly, causing a security scheme for one operation to be applied to a different, similarly-named operation. This can cause bearer tokens, API keys, or basic cred...
BIT-JAVA-MIN-2023-21843
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Sound. Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploi...
CVE-2026-35397
Jupyter Server is the backend for Jupyter web applications. In versions 2.17.0 and earlier, a path traversal vulnerability in the REST API allows an authenticated user to escape the configured rootdir and access sibling directories whose names begin with the same prefix as the rootdir. For exampl...
Jupyter Server 代码问题漏洞
Jupyter Server is an application developed by the Jupyter organization that provides backend services for Jupyter web applications. Jupyter Server versions 2.17.0 and earlier have code vulnerabilities. These vulnerabilities stem from the persistence of the key used for signing authentication...
CVE-2026-40098 OpenMage LTS imports cross-user wishlist item via shared wishlist code, leading to private option disclosure and file-disclosure variant
Magento Long Term Support LTS is an unofficial, community-driven project provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the shared wishlist add-to-cart endpoint authorizes access with a public...
CVE-2026-6486
A vulnerability was detected in classroombookings up to 2.17.0. This impacts the function read of the file crbs-core/application/views/layout.php of the component User Display Name Handler. The manipulation of the argument displayname results in cross site scripting. The attack can be executed...
CVE-2026-39943
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...
CVE-2026-35441
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...
CVE-2026-35408
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On SSO login pages lacked a Cross-Origin-Opener-Policy COOP HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retai...
EUVD-2026-12531
A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The explo...
CVE-2026-23646 OpenProject users can delete other user's session, causing them to be logged out
OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked if the session belongs to the...
EUVD-2025-202640
FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions prior to 16.0.96 and 17.0.1 through 17.0.9 have a weak default password. By default, this is a 6 digit numeric value which can be brute forced. This is the apppassword parameter. Depending on local...
CVE-2024-56840
A vulnerability has been identified in RUGGEDCOM ROX MX5000 All versions V2.17.0, RUGGEDCOM ROX MX5000RE All versions V2.17.0, RUGGEDCOM ROX RX1400 All versions V2.17.0, RUGGEDCOM ROX RX1500 All versions V2.17.0, RUGGEDCOM ROX RX1501 All versions V2.17.0, RUGGEDCOM ROX RX1510 All versions V2.17.0...
Siemens RUGGEDCOM ROX II 注入漏洞
Siemens RUGGEDCOM ROX II is an operating system for industrial applications from Siemens, Germany. Siemens RUGGEDCOM ROX II suffers from an injection vulnerability that can be exploited by an attacker to cause execution of arbitrary code...
Siemens RUGGEDCOM ROX II 注入漏洞
Siemens RUGGEDCOM ROX II is an operating system for industrial applications from Siemens, Germany. Siemens RUGGEDCOM ROX II suffers from an injection vulnerability that can be exploited by an attacker to cause execution of arbitrary code...