89 matches found
CVE-2026-49471
Serena exposes an unauthenticated Flask API on a fixed port prior to v1.5.2, with no authentication, CSRF protection, or Host header validation. A DNS rebinding attack can reach this API from any browser and write arbitrary content to the agent’s persistent memory store, which the agent may read ...
CVE-2026-46910
Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards component: Enterprise Infrastructure Security. Supported versions that are affected are 9.2.0.0-9.2.26.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD...
PT-2026-49881
Name of the Vulnerable Software and Affected Versions Oracle Coherence versions 12.2.1.4.0 Oracle Coherence versions 14.1.1.0.0 Oracle Coherence versions 14.1.2.0.0 Oracle Coherence versions 15.1.1.0.0 Description An issue in the Core component of Oracle Fusion Middleware allows an unauthenticate...
CVE-2026-40621
ELECOM wireless LAN access point devices do not require authentication to access some specific URLs. The affected product may be operated without authentication...
PT-2026-45765
A critical chain of vulnerabilities in the Collibra Platform Agent, including CVE-2026-26847 improper authentication and path traversal, allows remote, unauthenticated attackers to achieve Remote Code Execution RCE. Technical Breakdown: Vulnerability Chain: Attackers can exploit improperly...
GHSA-63GR-G7JC-V8RG @agenticmail/mcp Missing Authentication for Critical Function
AgenticMail MCP HTTP authorization bypass Summary @agenticmail/mcp exposes a Streamable HTTP transport when started with --http or MCPHTTP=1. In that mode, the /mcp endpoint accepts requests without any HTTP authentication layer. A remote client can initialize a session and call tools directly. T...
CVE-2026-34311
Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications component: Opera. Supported versions that are affected are 5.6.19.24, 5.6.22, 5.6.25.19, 5.6.27.6 and 5.6.28. Easily exploitable vulnerability allows unauthenticated attacker with network...
CVE-2026-47672 epa4all-client: Unauthenticated REST API for Patient Record Writes
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment e.g.,...
CVE-2026-30496
The Optoma CinemaX P2 projector firmware TVOS-04.24.010.04.01, Android 8.0.0 exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration 74 endpoints and writing/modifying settings including volume, mute,...
EUVD-2026-28367
The Optoma CinemaX P2 projector firmware TVOS-04.24.010.04.01, Android 8.0.0 exposes an HTTP API on TCP port 2345 that allows full unauthenticated remote control of the device. The API supports both reading configuration 74 endpoints and writing/modifying settings including volume, mute,...
EUVD-2026-23986
Glances: Cross-Origin Information Disclosure via Unauthenticated REST API /api/4 due to Permissive CORS...
Oracle Financial Services Analytical Applications Infrastructure 安全漏洞
Oracle Financial Services Analytical Applications Infrastructure is a financial data analysis and modeling platform developed by Oracle Corporation. Versions 8.0.7.9, 8.0.8.7, and 8.1.2.5 of Oracle Financial Services Analytical Applications Infrastructure contain security vulnerabilities. These...
Oracle HCM Common Architecture 安全漏洞
Oracle HCM Common Architecture is an HR management system architecture component developed by Oracle, a US-based company. Versions 12.2.3 to 12.2.15 of Oracle HCM Common Architecture contain security vulnerabilities. These vulnerabilities stem from issues with the Knowledge Integration component,...
EUVD-2026-15194
SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over...
CVE-2026-32326
SHARP routers are affected by CVE-2026-32326 due to missing authentication for some web APIs, enabling retrieval of device information without authentication. The impact could be severe if the administrative password is left as the initial default, potentially allowing takeover of the device. The...
CVE-2026-32326
SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over...
CVE-2026-32596 Glances exposes the REST API without authentication
Glances is an open-source system cross-platform monitoring tool. Prior to 4.5.2, Glances web server runs without authentication by default when started with glances -w, exposing REST API with sensitive system information including process command-lines containing credentials passwords, API keys,...
glances 信息泄露漏洞
Glances is a system monitoring tool developed by Nicolas Hennion. Versions of Glances prior to 4.5.2 contained an information leakage vulnerability. This vulnerability stemmed from the web server running without authentication, allowing unauthenticated network clients to access sensitive system...
Navtor NavBox 安全漏洞
Navtor NavBox is a shipping information system device developed by the Norwegian company Navtor. It is used for electronic nautical chart management and synchronization of navigation data. There is a security vulnerability in Navtor NavBox, which stems from the lack of authentication in the HTTP...
Honeywell Trend IQ4xx BMS Controller Unauthenticated Remote Web-HMI Control And Lockout
Summary The Honeywell IQ4 Trend IQ4 is a line of intelligent building-management controllers designed to provide advanced unitary control, HVAC integration, and scalable I/O expansion for commercial environments. These controllers use Ethernet and TCP/IP networking with embedded XML, support BACn...