CVE-2026-32607 Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritizefullnameinux site setting is enabled defaults to false, requires console access to change, user...

CVE-2026-32607 Discourse: Stored XSS via unescaped assignee name

Discourse is an open-source discussion platform. From versions 2026.1.0-latest to before 2026.1.3, 2026.2.0-latest to before 2026.2.2, and 2026.3.0-latest to before 2026.3.0, when the hidden prioritizefullnameinux site setting is enabled defaults to false, requires console access to change, user...

CVE-2026-4315

A Cross-Site Request Forgery CSRF vulnerability in the WatchGuard Fireware OS WebUI could allow a remote attacker to trigger a denial-of-service DoS condition in the Fireware Web UI by convincing an authenticated administrator into visiting a malicious web page.This issue affects Fireware OS: 11....

CVE-2025-14213

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface UI to execute arbitrary operating system commands as the root user on the Socket’s internal system...

CVE-2025-14213 Cato's Socket WebUI is vulnerable to OS Command Injection

Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface UI to execute arbitrary operating system commands as the root user on the Socket’s internal system...

EUVD-2026-17271

Multiple cross-site scripting XSS vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the...

CVE-2026-4794 Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF

Multiple cross-site scripting XSS vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the...

PaperCut NG/MF 安全漏洞

PaperCut NG/MF is a printing management system developed by PaperCut Corporation. Versions of PaperCut NG/MF prior to 25.0.10 contained security vulnerabilities. These vulnerabilities stemmed from cross-site scripting vulnerabilities in multiple UI fields, which could allow for the injection of...

Pega Platform 安全漏洞

Pega Platform is an enterprise management platform developed by Pega, Inc. Versions of Pega Platform from 8.1.0 to 25.1.0 have security vulnerabilities. These vulnerabilities stem from cross-site scripting vulnerabilities in the user interface components, which may compromise confidentiality...

CVE-2026-33028 Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms Mutex and non-atomic file writes, concurrent requests lead to the severe corruption of the prima...

CVE-2026-33032

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...

CVE-2026-33032 Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...

EUVD-2026-17152

nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse...

EUVD-2026-17194

nginx-ui Backup Restore Allows Tampering with Encrypted Backups...

CVE-2026-4315 WatchGuard Firebox Cross-Site Request Forgery (CSRF) in Fireware Web UI

A Cross-Site Request Forgery CSRF vulnerability in the WatchGuard Fireware OS WebUI could allow a remote attacker to trigger a denial-of-service DoS condition in the Fireware Web UI by convincing an authenticated administrator into visiting a malicious web page.This issue affects Fireware OS: 11....

Nginx UI 安全漏洞

Nginx UI is a web interface for Nginx developed by Jacky. Versions of Nginx UI 2.3.3 and earlier have security vulnerabilities. These vulnerabilities stem from insecure direct object references, allowing any authenticated user to access, modify, and delete resources of other users...

nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval

An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service DoS. By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive...

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys

Nginx-UI contains an Insecure Direct Object Reference IDOR vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a userid field, and all resource endpoints perform queries by ID without verifyin...

PT-2026-29103

Name of the Vulnerable Software and Affected Versions Nginx UI versions prior to 2.3.4 Description Nginx UI, a web user interface for the Nginx web server, contains a flaw in its backup restore mechanism. Prior to version 2.3.4, attackers can manipulate encrypted backup archives and inject...

CVE-2026-4946 NSA Ghidra Auto-Analysis Annotation Command Execution

Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with the UI. Specifically, the @execute annotation which is intended for trusted, user-authored comments is...