
24 matches found

RedhatCVE
added 3 days ago · 4 views

CVE-2026-47349

Backend users with access to the Recycler module were able to restore soft-deleted records on pages or for tables they were not authorized to modify. This issue affects TYPO3 CMS versions before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31 and 14.0.0-14.3.3...

5.3 CVSS · 5.5 AI score · 0.00036 EPSS
Exploits 0 · References 1

RedhatCVE
added 3 days ago · 4 views

CVE-2026-47348

Editors with access to create or modify page content were able to include HTML markup in page titles that were stored in the search index without sanitization. When displayed in frontend search results via the Indexed Search plugin, these titles were rendered without proper output encoding,...

5.1 CVSS · 5.5 AI score · 0.00044 EPSS
Exploits 0 · References 1

Vulnrichment
added 4 days ago · 5 views

CVE-2026-47351 TYPO3 CMS - Broken Access Control in Clipboard

Backend users were able to insert arbitrary records and files into the TYPO3 clipboard without proper read permission checks, which allowed users to gather information about records and files they were not authorized to view. This issue affects TYPO3 CMS versions 10.4.0-13.4.30 and 14.0.0-14.3.2...

5.3 CVSS · 5.6 AI score · 0.00036 EPSS
Exploits 0 · References 3

CVE
added 4 days ago · 11 views

CVE-2026-47350

Technical details about CVE-2026-47350 are not publicly available in the provided documents. Monitor for updates.

5.3 CVSS · 5.5 AI score · 0.0003 EPSS
Exploits 0 · References 3

Positive Technologies
added 4 days ago · 5 views

PT-2026-47743

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions 13.0.0 through 13.4.31; TYPO3 CMS versions 14.0.0 through 14.3.3. Description: Backend users can move records to a different page even if they lack the necessary edit permissions on the source page. Recommendations: Update TYPO3...

5.3 CVSS · 5.2 AI score · 0.0003 EPSS
Exploits 0 · References 9

Positive Technologies
added 4 days ago · 5 views

PT-2026-47738

Name of the Vulnerable Software and Affected Versions: TYPO3 CMS versions prior to 10.4.57; TYPO3 CMS versions 11.0.0 through 11.5.50; TYPO3 CMS versions 12.0.0 through 12.4.45; TYPO3 CMS versions 13.0.0 through 13.4.30; TYPO3 CMS versions 14.0.0 through 14.3.2. Description: Non-privileged backend users...

7.2 CVSS · 5.2 AI score · 0.00036 EPSS
Exploits 0 · References 9

Github Security Blog
added 2026/02/27 6:31 a.m. · 6 views

OpenStack Vitrage: Unauthorized Access to the Host can Lead to Eval Injection

In the query parser in OpenStack Vitrage before 12.0.1, 13.0.0, 14.0.0, and 15.0.0, a user allowed to access the Vitrage API may trigger code execution on the Vitrage service host as the user the Vitrage service runs under. This may result in unauthorized access to the host and further compromise...

9.1 CVSS · 6.3 AI score · 0.0004 EPSS
Exploits 2 · References 6 · Affected Software 1

EUVD
added 2026/01/21 12:31 a.m. · 4 views

EUVD-2026-3534

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications component: Relationship Pricing. Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to...

6.5 CVSS · 5.5 AI score · 0.00067 EPSS
Exploits 0 · References 2

OSV
added 2025/09/02 3:15 a.m. · 3 views

CVE-2025-8662

OpenAM OpenAM Consortium Edition contains a vulnerability that may cause it to malfunction as a SAML IdP due to a tampered request. This issue affects OpenAM: from 14.0.0 through 14.0.1...

4.3 CVSS · 7 AI score · 0.00128 EPSS
Exploits 0 · References 1

Positive Technologies
added 2025/09/02 12:0 a.m. · 2 views

PT-2025-35534

Name of the Vulnerable Software and Affected Versions: OpenAM versions 14.0.0 through 14.0.1. Description: OpenAM OpenAM Consortium Edition may malfunction as a SAML Identity Provider (IdP) due to a tampered request. Recommendations: At the moment, there is no information about a newer version that...

4.3 CVSS · 6.2 AI score · 0.00128 EPSS
Exploits 0 · References 5

NVD
added 2025/06/03 7:15 p.m. · 8 views

CVE-2025-48953

Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere to the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and...

6.5 CVSS · 0.0019 EPSS
Exploits 0 · References 2

Positive Technologies
added 2025/04/23 12:0 a.m. · 3 views

PT-2025-17677 · Nih · Nih Brics

Name of the Vulnerable Software and Affected Versions: NIH BRICS (aka Biomedical Research Informatics Computing System) versions 14.0.0-67 and earlier. Description: The issue allows users without the InET role to access the InET module by making direct requests to known endpoints. Recommendations: F...

4.3 CVSS · 6.4 AI score · 0.00216 EPSS
Exploits 1 · References 7

CNNVD
added 2025/01/21 12:0 a.m. · 1 views

Umbraco Cross-Site Scripting Vulnerability

Umbraco is an open source Content Management System (CMS) written in C# by the Danish company Umbraco. A cross-site scripting vulnerability exists in Umbraco version 14.0.0 and earlier, which originates from an authenticated user viewing certain localized back-end components and can easily lead to a...

5.4 CVSS · 5.7 AI score · 0.01212 EPSS
Exploits 0 · References 3

CNNVD
added 2024/10/22 12:0 a.m. · 1 views

Umbraco CMS Security Vulnerability

Umbraco CMS is a content management system from Umbraco, Denmark. A security vulnerability exists in Umbraco CMS version 14.0.0 up to and including version 14.3.0, which stems from an improper access control issue that allows a low-privileged user to access the webhook API and retrieve informatio...

6.5 CVSS · 6.5 AI score · 0.00274 EPSS
Exploits 0 · References 2

vulnersOsv
added 2024/03/20 6:2 p.m. · 1 views

fabricauthenticator (>=0.0.2.5 <=1.3.4rc0), jupyterhub-ltiauthenticator (=1.3.0) +7 more potentially affected by CVE-2024-29033 via oauthenticator (>=14.0.0 <=16.2.1)

oauthenticator PYPI version =14.0.0, =0.0.2.5, =3.0.0, =1.0.2, =0.1.0, =1.1.9, =0.5.0, =0.2.25, =0.3.2 Source cves: CVE-2024-29033 Source advisory: OSV:GHSA-55M3-44XF-HG4H...

9.1 CVSS · 7.2 AI score · 0.00276 EPSS
Exploits 0

Cvelist
added 2023/11/09 8:17 a.m. · 19 views

CVE-2023-47248 PyArrow, PyArrow: Arbitrary code execution when loading a malicious data file

Deserialization of untrusted data in IPC and Parquet readers in PyArrow versions 0.14.0 to 14.0.0 allows arbitrary code execution. An application is vulnerable if it reads Arrow IPC, Feather or Parquet data from untrusted sources (for example user-supplied input files). This vulnerability only...

9.8 AI score · 0.84819 EPSS
Exploits 0 · References 6

Positive Technologies
added 2023/07/11 12:0 a.m. · 2 views

PT-2023-3609 · Orchid · Orchid

Name of the Vulnerable Software and Affected Versions: Orchid versions 14.0.0-alpha4 through 14.4.x Description: A vulnerability is present in the Orchid package, related to the deserialization of untrusted data from the state query parameter, which can result in remote code execution. The issue...

9.8 CVSS · 9.8 AI score · 0.07112 EPSS
Exploits 0 · References 7

OSV
added 2020/01/15 5:15 p.m. · 2 views

CVE-2020-2685

Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications component: Infrastructure. Supported versions that are affected are 12.0.1-12.4.0 and 14.0.0-14.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HT...

5.4 CVSS · 5.8 AI score · 0.008 EPSS
Exploits 0 · References 1

NVD
added 2019/09/25 7:15 p.m. · 19 views

CVE-2019-6654

On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (as defined in RFC 1812 section 5.3.7) on the control plane management interface. This may allow attackers on an adjacent system to force BIG-IP into processing...

4.3 CVSS · 4.6 AI score · 0.00127 EPSS
Exploits 0 · References 1

Prion
added 2019/09/25 7:15 p.m. · 21 views

Design/Logic Flaw

On versions 14.0.0-14.1.2, 13.0.0-13.1.3, 12.1.0-12.1.5, and 11.5.1-11.6.5, the BIG-IP system fails to perform Martian Address Filtering (as defined in RFC 1812 section 5.3.7) on the control plane management interface. This may allow attackers on an adjacent system to force BIG-IP into processing...

3.3 CVSS · 4.6 AI score · 0.00127 EPSS
Exploits 0 · References 1 · Affected Software 13