Veracode
added 2026/01/07 7:35 a.m. (5 views)

Authorization Bypass

Signal K Server is vulnerable to Authorization Bypass. The vulnerability is due to misleading access request UI and trust of spoofable X-Forwarded-For headers, allowing attackers to impersonate trusted devices and request elevated permissions that administrators may unknowingly approve...

CVSS 8.8 | AI score 6.6 | EPSS 0.00272
Exploits 1 | References 3 | Affected Software 1
CVE
added 2026/01/07 6:48 a.m. (8 views)

CVE-2025-31962

CVE-2025-31962 affects HCL BigFix IVR 4.2 Web UI authentication component. The root cause is insufficient session expiration, enabling an authenticated attacker to maintain prolonged access to protected API endpoints due to overly long session lifetimes. Documented impact is unauthorized access t...

CVSS 4.3 | AI score 6.7 | EPSS 0.00155
Exploits 0 | References 1 | Affected Software 1
Cvelist
added 2026/01/07 6:48 a.m. (23 views)

CVE-2025-31962 HCL BigFix IVR is impacted by an insufficient session expiration vulnerability

Insufficient session expiration in the Web UI authentication component in HCL BigFix IVR version 4.2 allows an authenticated attacker to gain prolonged unauthorized access to protected API endpoints due to excessive expiration periods...

CVSS 2 | EPSS 0.00155
Exploits 0 | References 1
Wolfi
added 2026/01/07 1:51 a.m. (3 views)

GHSA-9MVJ-F7W8-PVH2 vulnerabilities

Vulnerabilities for packages: rancher-api-ui, jupyter-base-notebook...

AI score 5.8
Exploits 0
Kaspersky
added 2026/01/07 12:00 a.m. (3 views)

KLA90843 SUI vulnerability in Microsoft Browser

A spoofing vulnerability was found in Microsoft Browser. Malicious users can exploit this vulnerability to spoof user interface. Original advisories: CVE-2025-62224. Related products: Microsoft-Edge. CVE list: CVE-2025-62224. KB list. Solution: Install necessary updates from the Settings and more...

CVSS 5.5 | AI score 5.4 | EPSS 0.00261
Exploits 0 | References 3
Positive Technologies
added 2026/01/07 12:00 a.m. (2 views)

PT-2026-1575

Name of the Vulnerable Software and Affected Versions: HCL BigFix IVR version 4.2. Description: The Web UI authentication component suffers from insufficient session expiration. This allows an authenticated attacker to maintain unauthorized access to protected API endpoints for an extended duration...

CVSS 2 | AI score 6.6 | EPSS 0.00155
Exploits 0 | References 3
CVE
added 2026/01/06 3:52 p.m. (11 views)

CVE-2020-36907

CVE-2020-36907 affects Aerohive HiveOS NetConfig UI. An unauthenticated attacker can trigger a denial-of-service by sending crafted parameters to action.php5, causing a 5-minute web interface disruption. The CVE is described with network-based access, low attack complexity, and no privileges requ...

CVSS 8.7 | AI score 6.4 | EPSS 0.0048
Exploits 1 | References 8
Tenable Nessus
added 2026/01/06 12:00 a.m. (3 views)

HP LaserJet Printers Improper Neutralization of Input During Web Page Generation (CVE-2021-41184)

Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to denial of service due to WS-Print request and potential injections of Cross Site Scripting via jQuery-UI. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot...

CVSS 6.5 | AI score 6.5 | EPSS 0.42847
Exploits 2 | References 2
Tenable Nessus
added 2026/01/06 12:00 a.m. (2 views)

HP LaserJet Printers Improper Neutralization of Input During Web Page Generation (CVE-2021-41182)

Certain HP Enterprise LaserJet and HP LaserJet Managed Printers are potentially vulnerable to denial of service due to WS-Print request and potential injections of Cross Site Scripting via jQuery-UI. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot...

CVSS 6.5 | AI score 6.5 | EPSS 0.37788
Exploits 1 | References 2
OSV
added 2026/01/05 12:51 p.m. (2 views)

MAL-2026-50 Malicious code in faceplate-ui (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06d59e051a3b111ec2ba70071d0c2273f89c30a8eb1c6de75cb69d2eefc08b17 The package faceplate-ui was found to contain malicious code. Source: ghsa-malware 760b2fdc48604bbd4ed6a6251e192cec01c7f27dc59320b0a6e7f5fec3d1c13f A...

AI score 7
Exploits 0 | References 1
Github Security Blog
added 2026/01/02 9:16 p.m. (9 views)

Bagisto has HTML Filter Bypass that Enables Stored XSS

Summary: A stored Cross-Site Scripting (XSS) vulnerability exists in Bagisto 2.3.8 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST request before submission. As a result, arbitrary JavaScript can be...

CVSS 8.4 | AI score 6.1 | EPSS 0.00489
Exploits 1 | References 5 | Affected Software 1
Positive Technologies
added 2026/01/01 12:00 a.m. (2 views)

PT-2026-7648

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 145.0.7632.45. Description: A flaw exists in Google Chrome's file input handling that could allow a remote attacker to perform UI spoofing. This requires convincing a user to interact with a specially crafted HTML...

CVSS 6.4 | AI score 6.1 | EPSS 0.00229
Exploits 0 | References 34
EUVD
added 2025/12/30 4:04 p.m. (4 views)

EUVD-2025-205817

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3 | AI score 6.3 | EPSS 0.00242
Exploits 0 | References 4
Positive Technologies
added 2025/12/30 12:00 a.m. (3 views)

PT-2025-54189

Discourse is an open source discussion platform. Prior to versions 3.5.3, 2025.11.1, and 2025.12.0, an attacker who knows part of a username can find the user and their full name via UI or API, even when enable_names is disabled. Versions 3.5.3, 2025.11.1, and 2025.12.0 contain a fix...

CVSS 6.3 | AI score 6.8 | EPSS 0.00242
Exploits 0 | References 6
RedhatCVE
added 2025/12/27 2:46 p.m. (10 views)

CVE-2025-36228

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API, allowing users to access features that appeared disabled, potentially leading to misuse...

CVSS 3.8 | AI score 6.7 | EPSS 0.00203
Exploits 0 | References 1
OSV
added 2025/12/27 12:04 a.m. (3 views)

CVE-2025-68927 Improper Neutralization of HTML Tags in a Web Page in libredesk

Libredesk is a self-hosted customer support desk. Prior to version 0.8.6-beta, LibreDesk is vulnerable to stored HTML injection in the contact notes feature. When adding notes via POST /api/v1/contacts/id/notes, the backend automatically wraps user input in tags. However, by intercepting the...

CVSS 8.6 | AI score 6.9 | EPSS 0.00193
Exploits 1 | References 4
OSV
added 2025/12/26 3:15 p.m. (4 views)

CVE-2025-36228

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API, allowing users to access features that appeared disabled, potentially leading to misuse...

CVSS 3.8 | AI score 5.8 | EPSS 0.00203
Exploits 0 | References 1
NVD
added 2025/12/26 3:15 p.m. (2 views)

CVE-2025-36228

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API, allowing users to access features that appeared disabled, potentially leading to misuse...

CVSS 3.8 | EPSS 0.00203
Exploits 0 | References 1
CVE
added 2025/12/26 2:11 p.m. (9 views)

CVE-2025-36228

CVE-2025-36228 affects IBM Aspera Faspex 5 (versions 5.0.0–5.0.14.1). The issue is inconsistent permissions between the UI and backend API, allowing users to access features that appeared disabled and potentially leading to misuse. Red Hat, CIRCL, NVD, and other feeds corroborate the same descrip...

CVSS 3.8 | AI score 6.3 | EPSS 0.00203
Exploits 0 | References 1 | Affected Software 1
Vulnrichment
added 2025/12/26 2:11 p.m. (3 views)

CVE-2025-36228 Incorrect Execution-Assigned Permissions in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may allow inconsistent permissions between the user interface and backend API, allowing users to access features that appeared disabled, potentially leading to misuse...

CVSS 3.8 | AI score 6.3 | EPSS 0.00203
Exploits 0 | References 1