163 matches found
Joplin 3.3.3 Server - Privilege Escalation
Joplin is a free, open source note taking and to-do application, which can handle a large number of notes organised into notebooks. Prior to version 3.3.3, a privilege escalation vulnerability exists in the Joplin server, allowing non-admin users to exploit the API endpoint PATCH /api/users/-id t...
CVE-2026-5793 XSS in Inrove Software's BiEticaret
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Inrove Software and Internet Services BiEticaret allows Reflected XSS. This issue affects BiEticaret: before v3.3.57...
CVE-2026-14198
@fastify/middie versions 9.1.0 through 9.3.2 decode the encoded slash %2F inside path parameter values before matching middleware paths, while Fastify's underlying router preserves the encoding during route lookup. The two layers disagree on the canonical request path, so the middleware fails to...
CVE-2026-54903 vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-3V45-F3VH-WG7M vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-9PPP-W3G4-FH4Q vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
GHSA-475M-PH3X-64GP vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, ruby4.0-fluentd-kubernetes-daemonset, ruby3.3-fluentd-kubernetes-daemonset, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
CVE-2026-52784
CVE-2026-52784 (OpenProject) is a CSRF vulnerability in OpenProject’s web UI. The issue allows CSRF on a user-targeted action via POST to /users/:id with the parameter user[admin], enabling unauthorized state changes without user interaction. Affected software versions are prior to 17.3.3 and 17....
PT-2026-52911
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 17.3.3 OpenProject versions prior to 17.4.1 Description Cache store poisoning allows for Remote Code Execution RCE, a process where an attacker executes arbitrary code on a remote machine. Recommendations Update t...
Astra Linux – Vulnerability in openexr
OpenEXR provides the specification and reference implementation of the EXR file format, a image storage format for the motion picture industry. From version 3.2.0 up to versions 3.2.7, 3.3.9, and 3.4.9, the DWA lossy decoder used signed 32-bit arithmetic to construct temporary per-component block...
CVE-2026-47693 Poweradmin: CSV Injection in log export endpoints allows formula execution in spreadsheet applications
Poweradmin is a web-based DNS administration tool for PowerDNS server. Versions prior to 4.2.4 and 4.3.3 are vulnerable to CSV Injection Formula Injection in its log export functionality. User-controlled data — specifically the username field — is written to exported CSV files without sanitizing...
GHSA-6WX8-W4F5-WWCR vulnerabilities
Vulnerabilities for packages: ruby3.2-fluentd-kubernetes-daemonset, ruby4.0-fluentd-kubernetes-daemonset, ruby4.0-rails, ruby3.2-rails, ruby3.3-rails, ruby3.4-rails, ruby3.3-fluentd-kubernetes-daemonset, kube-fluentd-operator, kube-logging-operator, ruby3.4-fluentd-kubernetes-daemonset...
CVE-2026-41049 Caching of Authentication allows Authentication Bypass between users in qSnapper
Incorrect caching of authentication between different users of the qSnapper dbus service before version 1.3.3 allowed any local attacker to use dbus functions after a privileged users has authenticated for them...
CVE-2026-45441
Unauthenticated Other Vulnerability Type in WpEvently = 5.3.3 versions...
PT-2026-49467
Unauthenticated Other Vulnerability Type in WpEvently = 5.3.3 versions...
CVE-2026-47241 vulnerabilities
Vulnerabilities for packages: ruby4.0-rails, logstash, ruby3.2-rails, ruby3.3-rails, truffleruby, gitlab-rails-ce-fips, ruby3.4-rails, kube-fluentd-operator, gitlab-rails-ce, kube-logging-operator, logstash-fips...
CVE-2026-33740
EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Email/importEml endpoint contains an Insecure Direct Object Reference IDOR vulnerability where the attacker-supplied fileId parameter is used to fetch any attachment directly from...
CVE-2026-50591
In Znuny LTS before 6.5.21 and Znuny before 7.3.3, XSS can occur via stored user preferences...
CVE-2025-53345
Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3...
CVE-2026-40989
Under infinite recursion in the routing layer, request-handling can cause OOM error. Affected Spring Products and Versions: Spring Cloud Function 3.2.x: versions prior to 3.2.16 Spring Cloud Function 4.1.x: versions prior to 4.1.10 Spring Cloud Function 4.2.x: versions prior to 4.2.6 Spring Cloud...