CVE-2026-48926

The CVE-2026-48926 entry concerns Jenkins Job Import Plugin (versions 143.v044a_2e819b_27 and earlier) where an HTTP endpoint does not enforce a permission check. The flaw enables users with Overall/Read access to enumerate credentials IDs stored in Jenkins, indicating an authorization issue with...

ROS-20260524-73-0053

Vulnerability in nextcloud due to failure to take measures to protect web page structure. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

CVE-2026-8673 Password re-initialization mechanism sends passwords in plain text

Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0...

CVE-2026-8673

Unprotected transport of credentials vulnerability in syslink software AG Avantra on Linux, Windows allows Sniffing Attacks. This issue affects Avantra: before 25.3.0...

PT-2026-42764

Name of the Vulnerable Software and Affected Versions Avantra versions prior to 25.3.0 Description An unprotected transport of credentials issue in syslink software AG Avantra on Linux and Windows enables sniffing attacks, where an attacker can intercept sensitive authentication data during...

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows

NPM: Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows vulnerability discovered by ? in WordPress Npm flowise versions = 3.1.1...

9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

Summary 9router exposes two unauthenticated API endpoints that, when chained together, allow any network-adjacent attacker to execute arbitrary OS commands as the user running the 9router process — with zero prerequisites and no credentials required. The vulnerability exists because the Next.js...

NPM: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes

NPM: 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes vulnerability discovered by ? in WordPress Npm 9router versions = 0.4.30, 0.4.37...

EUVD-2026-30181

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

CVE-2026-32993

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

CVE-2026-32993

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

CVE-2026-32993

Improper sanitization of the status query parameter of the /unprotected/novaerror endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response...

CVE-2026-32993

CVE-2026-32993 describes an vulnerability in cPanel & WHM where improper sanitization of the status query parameter on the /unprotected/nova_error endpoint allows an unauthenticated attacker to inject arbitrary HTTP headers in the response. The root cause is insufficient input handling for the st...

K000156604: BIG-IP httpd access control vulnerability CVE-2026-40435

Security Advisory Description When configured, IP-based access restrictions for httpd do not cover all endpoints, which may allow connections from blocked addresses. CVE-2026-40435 Impact This vulnerability allows an attacker to connect to the BIG-IP control plane HTTP services; however, the...

cPanel 注入漏洞

cPanel is a web-based automated hosting platform developed by cPanel Inc. This platform is primarily used for automating the management of websites and servers. cPanel has a vulnerability known as “injection attack,” which stems from improper cleaning of the status query parameters in the...

MISP modules 跨站请求伪造漏洞

MISP modules are scalable threat intelligence platform modules developed under the open-source MISP Project. They support import, export, expansion, and automated workflows. MISP modules 3.0.7 and earlier versions had a cross-site request forgery vulnerability. This vulnerability stemmed from the...

CVE-2026-43914

A flaw was found in Vaultwarden, a Bitwarden-compatible server. A remote attacker can exploit an unprotected two-factor authentication 2FA function, sendemaillogin, to bypass login brute-force protection. This allows the attacker to repeatedly attempt password guesses without rate-limiting,...

CVE-2026-27682 Reflected Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP (Applications based on Business Server Pages)

Due to a reflected cross-site scripting XSS vulnerability in SAP NetWeaver Application Server ABAP Applications based on Business Server Pages, an unauthenticated attacker could craft a URL that exploits an unprotected URL parameter to embed a malicious script. If a victim clicks the link, the...

CVE-2025-15633

An improper authorization vulnerability in HCL BigFix WebUI allows an authenticated user without Master Operator privileges to access internal data site names, versions, and configuration variables and bypass privilege requirements via unprotected endpoints lacking adequate security headers...

CVE-2026-39871

A path handling issue was addressed with improved logic. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to observe unprotected user data...