13 matches found

NVD
added last week, 8 views

CVE-2026-42089

Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass...

CVSS 8.6, EPSS 0.00195
Exploits 0, References 3

OSV
added 2026/05/22 10:16 p.m., 5 views

UBUNTU-CVE-2026-41074

RT is an open source, enterprise-grade issue and ticket tracking system. Versions 6.0.0 through 6.0.2 contain a Cross-Site Request Forgery (CSRF) vulnerability. An attacker who can induce a logged-in RT user to visit a malicious web page can trigger arbitrary state-changing actions in RT on that...

CVSS 7.1, AI score 5.9, EPSS 0.00145
Exploits 0, References 4

OSV
added 2026/03/07 3:16 p.m., 1 view

CVE-2026-29190 Karapace: Path Traversal in Backup Reader

Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader backup/backends/v3/backend.py. If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation...

CVSS 4.1, AI score 5.8, EPSS 0.00373
Exploits 0, References 4

Github Security Blog
added 2026/02/24 3:30 p.m., 8 views

Apache Superset Improper Authorization allows low-privileged users to bypass access controls

An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to...

CVSS 7.1, AI score 5.8, EPSS 0.00436
Exploits 0, References 4, Affected Software 1

CVE
added 2025/10/29 11:14 p.m., 11 views

CVE-2025-12466

The issue CVE-2025-12466 affects Drupal Simple OAuth (OAuth2) & OpenID Connect module, specifically versions 6.0.0 through 6.0.6 (before 6.0.7). Root cause is an authentication bypass via an alternate path or channel, enabling bypass of login/authentication. Impact is authenticated bypass risk as...

CVSS 7.5, AI score 6.6, EPSS 0.00313
Exploits 0, References 1, Affected Software 1

OSV
added 2023/05/26 9:15 p.m., 4 views

AZL-36943 CVE-2023-33187 affecting package highlight 4.18-1

Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to type="text" via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates type="password" inputs...

CVSS 6.5, AI score 5.7, EPSS 0.00285
Exploits 0, References 1

CNNVD
added 2023/02/06 12:00 a.m., 1 view

Contec SolarView Compact Command Injection Vulnerability

Contec SolarView Compact is an application system from Contec Japan. It provides a photovoltaic power generation measurement system. A security vulnerability exists in Contec SolarView Compact version 6.00 and earlier versions. An attacker can exploit the vulnerability to execute commands via...

CVSS 9.8, AI score 8.6, EPSS 0.99273
Exploits 9, References 7

OSV
added 2020/04/27 5:15 p.m., 2 views

CVE-2020-9294

An improper authentication vulnerability in FortiMail 5.4.10, 6.0.7, 6.2.2 and earlier and FortiVoiceEntreprise 6.0.0 and 6.0.1 may allow a remote unauthenticated attacker to access the system as a legitimate user by requesting a password change via the user interface...

CVSS 9.8, AI score 7.3, EPSS 0.77778
Exploits 2, References 1

CNVD
added 2020/02/17 12:00 a.m., 3 views

IBM Security Identity Manager Cross-Site Scripting Vulnerability (CNVD-2020-10482)

IBM Security Identity Manager (ISIM) is a suite of identity management and governance solutions from IBM in the United States. The solution automates the creation, modification, re-authentication and termination of user privileges throughout the user lifecycle and supports policy-based password...

CVSS 5.4, AI score 6.5, EPSS 0.00561
Exploits 0, References 1

OSV
added 2020/02/04 5:15 p.m., 2 views

CVE-2019-4451

IBM Security Identity Manager 6.0.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 163493...

CVSS 5.4, AI score 5.7, EPSS 0.00561
Exploits 0, References 2

CNVD
added 2019/03/28 12:00 a.m., 3 views

IBM Sterling B2B Integrator XML External Entity Injection Vulnerability (CNVD-2019-08291)

IBM Sterling B2B Integrator is a suite of software from IBM USA that integrates critical B2B processes, transactions and relationships. The software supports secure integration of complex B2B processes with diverse partner communities. An XML external entity injection vulnerability exists in IBM...

CVSS 7.1, AI score 7, EPSS 0.0247
Exploits 0, References 1

CNVD
added 2018/08/02 12:00 a.m., 2 views

Arbitrary File Read Vulnerability in Metinfo Version 6.0.0

MetInfo is a content management system developed using PHP and MySQL. An arbitrary file read vulnerability exists in Metinfo version 6.0.0. An attacker can exploit the vulnerability to read sensitive files on a website...

AI score 6.9
Exploits 0

OSV
added 2017/03/17 10:59 p.m., 1 view

CVE-2017-3868

A vulnerability in the web-based management interface of Cisco UCS Director could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. More Information: CSCvc44344. Known Affected Release...

CVSS 6.1, AI score 5.7
Exploits 0, References 3