107094 matches found
CVE-2026-45567 Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches...
CVE-2026-45566 Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://request.hostnexturl and the JS client redirects via...
CVE-2026-53473
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...
CVE-2026-47347
Applications that use GeneralUtility::sanitizeLocalUrl to allow only local URLs are vulnerable to open redirect attacks if the URL is used after it has passed the aforementioned sanitization checks. This enables attackers to redirect users to external content and carry out phishing attacks. This...
CVE-2026-53437
Jenkins 2.567 and earlier, LTS 2.555.2 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins when it contains tab or newline characters between //, allowing attackers to perform phishing attacks...
CVE-2026-52750
Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click...
CVE-2026-53472
A flaw was found in migration-planner. Insufficient validation of the AgentStatusUpdate.CredentialUrl field allows an authenticated attacker to store a malicious javascript: URL. When a victim views this URL in the Hybrid Cloud Console, it can lead to Cross-Site Scripting (XSS), enabling script...
CVE-2026-53470
A flaw was found in migration-planner. An authenticated attacker could exploit an improper access control vulnerability in the /api/v1/sources/id/image-url endpoint. This flaw allows the attacker to bypass an ownership check and obtain presigned S3 URLs for Open Virtual Appliance (OVA) images...
CVE-2026-53473 Migration-planner-ui-app: stored XSS via javascript: URL in agent credential link
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...
EUVD-2026-36029
A flaw was found in migration-planner-ui-app. An attacker can register a malicious discovery agent with a specially crafted credentialUrl containing JavaScript code. When an organizational user clicks this link in the user interface, the embedded malicious code executes within the user's browser...
EUVD-2026-36009
Ghidra before 12.1 contains an unsafe deserialization vulnerability in client-side Shared-Project RMI connection code that allows unauthenticated remote code execution. Attackers can craft a malicious project file with a ghidra:// URL that, when opened via File → Open Project, deserializes...
EUVD-2026-36008
Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not properly escaped. Attackers can execute arbitrary commands under the Ghidra user's privileges by embedding malicious URLs in program comments that victims click...
CVE-2026-52750
Ghidra prior to 12.1 on Windows contains a command-injection in URL annotation handling: cmd.exe metacharacters are not properly escaped. This allows an attacker to execute arbitrary commands under the Ghidra user by embedding a malicious URL in a program comment and having a victim click it. Aff...
CVE-2026-47916
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 10:01:38+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnwhd7a6w72n... |
CVE-2026-47906
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 09:06:07+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mnweavss3g27... |
CVE-2025-8444
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 08:36:51+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnwcmlm4e42l... |
CVE-2026-9019
The Easy Image Collage plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'gridpropertiesborderColor' and 'gridimagesNattachmenturl' Parameters in all versions up to, and including, 1.13.6 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2025-66273
| creationtimestamp | type | source |
|---|---|---|
| 2026-06-10 05:23:12+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mnvxscvkvr26... |