Joomla! Component BeeHeard 1.0 - Local File Inclusion

A directory traversal vulnerability in the BeeHeard combeeheard and BeeHeard Lite combeeheardlite component 1.0 for Joomla! allows remote attackers to read arbitrary files via a .. dot dot in the controller parameter to index.php. id: CVE-2010-1952 info: name: Joomla! Component BeeHeard 1.0 - Loc...

CVE-2026-50267

Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Abstractions 4.0.0 through 4.1.0, when MySQL or PostgreSQL service bindings from VCAPSERVICES include TLS client credentials, the Connectors libra...

PT-2026-48342

Name of the Vulnerable Software and Affected Versions Net::IMAP versions prior to 0.5.15 Net::IMAP versions prior to 0.6.5 Description The Net::IMAPid and Net::IMAPenable functions do not properly validate their arguments. When Net::IMAPid is called with a hash argument, it fails to prohibit CRLF...

CVE-2026-41858 - Brute forceable windows admin creds | Cloud Foundry

CVSS score: 6.5 Medium CVSS:3/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Vendor CloudFoundry Foundation Versions Affected Severity is HIGH unless otherwise noted. windows-utilities-release – All versions prior to v0.23.0 Description Weak Randomness / Insecure Cryptographic Primitive CWE-338 in...

GHSA-H6FC-48RJ-7QQH Apache Tomcat - Digest authenticator will authenticate any unknown user

Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.21 Apache Tomcat 10.1.0-M1 to 10.1.54 Apache Tomcat 9.0.0.M1 to 9.0.117 Older, unsupported versions may also be affected Description: When DIGEST authentication was configured, any user not known to the configured Realm would be authenticated if...

Apache Storm Prometheus Reporter vulnerable to Improper Certificate Validation via Global SSL Context Downgrade

Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skiptlsvalidation by default it is...

Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble

Authenticated arbitrary file write in artifact bundle assembly Summary An authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a...

GHSA-F9V3-J2M7-4HPG Duplicate Advisory: HTTP Request Smuggling via Premature Upgrade

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq2h-p299-vjwv. This link is maintained to preserve external references. Original Description An HTTP request smuggling vulnerability CWE-444 was found in Pingora's handling of HTTP/1.1 connection upgrades. The...

GHSA-CHF7-JQ6G-QRWV OpenClaw: Telegram bot token exposure via logs

Vulnerability Telegram bot tokens can appear in error messages and stack traces for example, when request URLs include https://api.telegram.org/bot/.... OpenClaw previously logged these strings without redaction, which could leak the bot token into logs, crash reports, CI output, or support...

BIT-NIFI-2025-66524 Apache NiFi: Deserialization of Untrusted Data in GetAsanaObject Processor

Apache NiFi 1.20.0 through 2.6.0 include the GetAsanaObject Processor, which requires integration with a configurable Distribute Map Cache Client Service for storing and retrieving state information. The GetAsanaObject Processor used generic Java Object serialization and deserialization without...

EUVD-2017-6971

Malware in sbrugna...

CVE-2025-57818 Firecrawl SSRF Vulnerability via malicious webhook

Firecrawl turns entire websites into LLM-ready markdown or structured data. Prior to version 2.0.1, a server-side request forgery SSRF vulnerability was discovered in Firecrawl's webhook functionality. Authenticated users could configure a webhook to an internal URL and send POST requests with...

Use of Externally-Controlled Format String

Overview Magick.NET-Q8-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package ar...

CVE-2025-49128 Jackson-core Vulnerable to Memory Disclosure via Source Snippet in JsonLocation

Jackson-core contains core low-level incremental "streaming" parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's JsonLocation.appendSourceDesc method allows up to 500 bytes of unintended memory content t...

CVE-2025-47291

A vulnerability has been identified in containerd's Container Runtime Interface CRI implementation, affecting versions from 2.0.1 up to, but not including, 2.0.5. The flaw lies in the fact that containerd does not correctly place usernamespaced containers within the Kubernetes cgroup hierarchy. A...

CVE-2025-32421

Next.js CVE-2025-32421 describes a race-condition in the Pages Router that, under certain misconfigurations, can cause endpoints to serve pageProps data instead of HTML. Affected versions are pre-14.2.24 and pre-15.1.6; patch versions 14.2.24 and 15.1.6 strip the x-now-route-matches header to mit...

CVE-2025-1688

Milestone Systems has discovered a security vulnerability in Milestone XProtect installer that resets system configuration password after the upgrading from older versions using specific installers. The system configuration password is an additional, optional protection that is enabled on the...

CVE-2023-36542

Apache NiFi 0.0.2 through 1.22.0 include Processors and Controller Services that support HTTP URL references for retrieving drivers, which allows an authenticated and authorized user to configure a location that enables custom code execution. The resolution introduces a new Required Permission fo...

CVE-2025-24959

zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into process.env. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for...

Improper Neutralization of Input in Advanced User Interface for Jolt

Apache NiFi 0.7.0 through 1.23.2 include the JoltTransformJSON Processor, which provides an advanced configuration user interface that is vulnerable to DOM-based cross-site scripting. If an authenticated user, who is authorized to configure a JoltTransformJSON Processor, visits a crafted URL, the...