3753 matches found
CVE-2026-16158
Affected component: @fastify/reply-from. Versions 8.3.1 up to, but not including, 12.6.4 construct an internal URL cache key by concatenating destination and source paths without a delimiter, enabling cross-upstream data access when getUpstream selects an upstream from request data. This can caus...
iboss Secure Web Gateway - Stored Cross-Site Scripting
A cross-site scripting vulnerability has been found in iboss Secure Web Gateway up to version 10.1. The vulnerability affects the /login file of the Login Portal component, where manipulation of the redirectUrl parameter leads to cross-site scripting. The attack can be launched remotely and the...
WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
Calls to Action plugin before 2.5.1 for WordPress contains stored XSS caused by unsanitized input in open-tab parameter in wp-admin/edit.php and wp-cta-variation-id parameter in ab-testing-call-to-action-example/, letting remote attackers inject arbitrary web script or HTML, exploit requires...
PT-2026-60935
Impact: @fastify/reply-from versions from 8.3.1 up to but not including 12.6.4 build the internal URL cache key by concatenating the destination and source path without a delimiter. Different destination and source pairs can therefore produce the same key while resolving to different upstream URL...
EUVD-2026-45154
Improper Handling of Insufficient Privileges vulnerability in Apache Accumulo. An authenticated, but low-privileged user without system permissions may issue a remote command to gracefully shutdown system components compaction-coordinator, compactor, gc, manager, monitor, tserver, or sserver,...
CVE-2026-15737
CVE-2026-15737 affects the AWS Bedrock AgentCore Python SDK. Unintended logging of sensitive user content occurs in the OpenTelemetry instrumentation for SDK versions 1.4.8 and 1.5.0, where raw user prompts and complete agent responses were written into OpenTelemetry span attributes on every invo...
JLSEC-2026-772 A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the...
A vulnerability has been found in OSGeo gdal up to 3.13.0dev-4. Affected by this issue is the function GDSDfldsrch of the file frmts/hdf4/hdf-eos/GDapi.c of the component Grid File Handler. The manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit h...
Missing Release of Memory after Effective Lifetime
Overview Magick.NET-Q8-arm64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
CVE-2026-15702
A security vulnerability has been detected in tamagui up to 2.3.0. This affects the function updateConfig of the file code/core/web/src/config.ts. Such manipulation leads to improperly controlled modification of object prototype attributes. The attack may be performed from remote. Upgrading to...
CVE-2026-48815
A flaw was found in sigstore. The certificateOIDs option, intended to restrict which certificates can sign artifacts, is accepted by the public application programming interface API but is not used during the verification process. This allows unauthorized certificates to be accepted, bypassing...
CVE-2026-48758
A flaw was found in the @sigstore/core component. The preAuthEncoding function incorrectly uses Node.js 'ascii' encoding when converting Pre-Authentication Encoding PAE strings to bytes. This encoding truncates Unicode characters to their low byte, allowing an attacker to substitute characters in...
CVE-2026-49488 Apache OpenMeetings: Arbitrary File Read
Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in Apache OpenMeetings. This issue affects Apache OpenMeetings: from 5.0.0 before 9.1.0. An attacker with moderator rights in any room can read arbitrary files accessible to the OS account running the OM...
CVE-2026-58319 Apache Doris: Improper Authentication in Frontend HTTP API
Certain Apache Doris FE HTTP REST administrative APIs were accessible without proper authentication. An unauthenticated attacker with network access to the FE HTTP service could perform unauthorized administrative operations, potentially affecting cluster integrity and availability and leading to...
PT-2026-60107
Name of the Vulnerable Software and Affected Versions n8n-mcp versions prior to 2.57.4 Description In multi-tenant HTTP mode, an authenticated tenant can access local default-scope workflow versions backups instead of being restricted to their own tenant scope. This issue allows an authenticated...
Security Bulletin: Vulnerability in follow-redirects bundled with IBM Fusion and IBM Fusion HCI
Summary IBM Fusion and IBM Fusion HCI include the follow-redirects library, which is affected by an information exposure vulnerability. CVE-2026-40895 Vulnerability Details CVEID:CVE-2026-40895 DESCRIPTION: follow-redirects is an open source, drop-in replacement for Node's http and https modules...
CVE-2026-15525
CVE-2026-15525 affects the kLOsk adloop package up to version 0.9.0. The vulnerability is in the function _validate_urls in src/adloop/ads/write.py, where manipulating the argument final_url can trigger a server-side request forgery (SSRF). The issue can be exploited remotely and the exploit is p...
CVE-2026-15522 tugcantopaloglu godot-mcp run_project index.js validatePath path traversal
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component runproject. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. T...
Linux Distros Unpatched Vulnerability : CVE-2026-54919
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL...
PT-2026-57679
URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino. This issue affects Apache Gravitino: from 1.0.0 before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue...
PT-2026-60047
Impact read character string and read string in src/zeroconf/ protocol/incoming.py sliced self.dataself.offset : self.offset + length and advanced self.offset by the declared length without checking it against self. data len. Python's slice silently returns fewer bytes when the end index runs pas...