10525 matches found
CVE-2026-30041
CVE-2026-30041 affects FastStone Image Viewer v8.3 and earlier, due to an integer overflow in the PSD parser component caused by invalid height handling, which leads to a heap-based buffer overflow. Exploitation with a crafted PSD file could allow arbitrary code execution or cause a DoS. Public s...
GO-2026-5286 Gitea: Stored XSS via glTF `extensionsRequired` in Gitea 3D File Viewer in code.gitea.io/gitea
Gitea: Stored XSS via glTF extensionsRequired in Gitea 3D File Viewer in code.gitea.io/gitea...
OHIF Viewers DICOM
ADVISORY SUMMARY Successful exploitation of this vulnerability in a custom integration version could allow an attacker to steal an authenticated clinician's token via a crafted link. 2. RECOMMENDED PRACTICES CISA recommends users take defensive measures to minimize the risk of exploitation of...
AlmaLinux 8 : evince (ALSA-2026:28998)
The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2026:28998 advisory. atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen CVE-2026-46529 Tenable has extracted the preceding...
DRUPAL-CONTRIB-2026-059
The module adds support for the mirador viewer in WissKI and enables annotations on images via the mirador viewer. It does not sufficiently check the submitted parameters via a route and writes these to the session object without further checks, which can lead to Access Bypass. This vulnerability...
Important: Red Hat Security Advisory: evince security update
An update for evince is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from th...
RLSA-2026:27819 Important: evince security update
The evince packages provide a simple multi-page document viewer for Portable Document Format PDF, PostScript PS, Encapsulated PostScript EPS files, and, with additional back-ends, also the Device Independent File format DVI files. Security Fixes: atril: evince: xreader: PDF /GoToR action argv...
SUSE CVE-2026-10601
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
PT-2026-52172
Name of the Vulnerable Software and Affected Versions WissKI versions 0.0.0 through 4.2.0 Description A missing authorization issue in the wisski mirador submodule allows forceful browsing and access bypass. The module fails to sufficiently validate parameters submitted via a route before writing...
RHEL 8 : evince (RHSA-2026:28998)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:28998 advisory. The evince packages provide a simple multi-page document viewer for Portable Document Format PDF, PostScript PS, Encapsulated PostScript EPS files,...
CVE-2026-46552
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, shared-base sessions were granted the same base-member capabilities as authenticated viewers. Using only the shared-base UUID xc-shared-base-id, an attacker could enumerate base members and invite an arbitrary email in...
CVE-2026-44960
A stored XSS can be exploited by leveraging the usernames as an attack vector. When an admin user viewed the audit log details for affected entries, any malicious JavaScript payload embedded in the username would be executed due to missing output sanitisation. Proper escaping has been added to th...
Astra Linux – Vulnerability in Firefox
Clickjacking issue, information disclosure in the PDF Viewer component. This vulnerability was fixed in Firefox 147, Firefox ESR 140.7, Thunderbird 147, and Thunderbird 140.7...
PT-2026-51652
An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service DoS via supplying a crafted PSD file...
CVE-2026-10601
A flaw was found in the Tempo and Loki datasource plugins. A remote attacker with a Viewer role could exploit a path traversal vulnerability by manipulating user-supplied input in URL paths. This could allow the attacker to capture sensitive administrator-configured datasource credentials, invoke...
CVE-2026-42129
A user with Viewer permissions can use a path traversal in the Loki data source plugin to reach administrative Loki endpoints and read sensitive backend configuration and internal service information...
CVE-2026-10601
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
CVE-2026-10601
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...
EUVD-2026-38242
The Tempo and Loki datasource plugins construct backend HTTP requests by interpolating user-supplied input into URL paths without sanitization, enabling path traversal. A Viewer-role user can: 1 capture admin-configured datasource credentials secureJsonData custom headers by traversing to an...
CVE-2026-10601
A user with Viewer permissions can use specially crafted requests to the Tempo and Loki data source plugins to reach unintended backend endpoints. Depending on the backend configuration this can expose data source credentials, leak internal responses, or trigger administrative actions on the...