81 matches found
CVE-2026-6130
A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command...
CVE-2026-41477
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary...
CVE-2026-41477
Deskflow is a keyboard and mouse sharing app. In 1.20.0, 1.26.0.134, and earlier, Deskflow daemon runs as SYSTEM and exposes an IPC named pipe with WorldAccessOption enabled. The daemon processes privileged commands without authentication, allowing any local unprivileged user to execute arbitrary...
CVE-2026-6130 chatboxai chatbox Model Context Protocol Server Management System ipc-stdio-transport.ts StdioClientTransport os command injection
A flaw has been found in chatboxai chatbox up to 1.20.0. This impacts the function StdioClientTransport of the file src/main/mcp/ipc-stdio-transport.ts of the component Model Context Protocol Server Management System. Executing a manipulation of the argument args/env can lead to os command...
CVE-2026-6130
CVE-2026-6130 affects chatboxai up to version 1.20.0, impacting the StdioClientTransport function in src/main/mcp/ipc-stdio-transport.ts within the Model Context Protocol Server Management System. The root cause is a flaw where manipulating the argument list (args/env) enables os command injectio...
CVE-2026-30870
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in...
CVE-2026-30870
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in...
CVE-2026-30870 Some sync filters in PowerSync Service ignored using `config.edition: 3`
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in...
CVE-2026-30870 Some sync filters in PowerSync Service ignored using `config.edition: 3`
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in...
GHSA-Q6WC-XX4M-92FJ PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`
Impact In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Onl...
CVE-2026-28443
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
PT-2026-24089
Name of the Vulnerable Software and Affected Versions PowerSync versions prior to 1.20.1 Description The PowerSync Service, a server-side component of the PowerSync sync engine, had an issue in version 1.20.0 where subquery filters were ignored when determining data synchronization for users with...
CVE-2026-28443
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
CVE-2026-28443 OpenReplay: SQL injection in cards/search via unvalidated sort field parameter
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
CVE-2026-28443
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
CVE-2026-28443 OpenReplay: SQL injection in cards/search via unvalidated sort field parameter
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
CVE-2026-28443 OpenReplay: SQL injection in cards/search via unvalidated sort field parameter
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
EUVD-2026-9880
OpenReplay is a self-hosted session replay suite. Prior to version 1.20.0, the POST /projectId/cards/search endpoint has a SQL injection in the sort.field parameter. This issue has been patched in version 1.20.0...
PT-2026-23518
Name of the Vulnerable Software and Affected Versions OpenReplay versions prior to 1.20.0 Description OpenReplay is a self-hosted session replay suite. The /projectId/cards/search API endpoint is susceptible to SQL injection due to a flaw in the sort.field parameter. This allows for potential...
CVE-2026-0974 Orderable <= 1.20.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Plugin Installation
The Orderable – WordPress Restaurant Online Ordering System and Food Ordering Plugin plugin for WordPress is vulnerable to unauthorized plugin installation due to a missing capability check on the 'installplugin' function in all versions up to, and including, 1.20.0. This makes it possible for...