1609 matches found
CVE-2026-45283
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the fileslock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or...
EUVD-2026-33708
Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.2, and 33.0.0 to before 33.0.1, the fileslock app did not properly validate the ownership of files when processing DAV lock and unlock requests. An authenticated user could lock or...
CVE-2026-45283
In Nextcloud Server, the files_lock app is vulnerable in versions 32.0.0 to before 32.0.2 and 33.0.0 to before 33.0.1. The root cause is improper validation of file ownership when processing DAV lock and unlock requests, allowing an authenticated user to lock or unlock files belonging to other us...
PT-2026-45527
Name of the Vulnerable Software and Affected Versions Nextcloud Server versions 32.0.0 through 32.0.1 Nextcloud Server versions 33.0.0 through 33.0.0 Nextcloud Enterprise Server versions prior to 31.0.14.4 Nextcloud Enterprise Server versions 32.0.0 through 32.0.1 Nextcloud Enterprise Server...
Nextcloud Temporary files lock 授权问题漏洞
NextCloud Temporary Files Lock is an open-source tool developed by NextCloud for locking temporary files, preventing others from editing them. In versions 32.0.0 to 32.0.2 and 33.0.0 to 33.0.1 of NextCloud Temporary Files Lock, there were authorization-related vulnerabilities. These vulnerabiliti...
CVE-2026-45058
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. In 3.8.8 and earlier, there is persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured...
CVE-2026-8360 Gladinet Triofox Unchecked Return Value to NULL Pointer Dereference DOS
Function calls to WOSCommonUtil.dll!WOSSysInfoGetDeviceInterface in various DLLs i.e., WOSProfileMgrModule.dll, WOSWebDavModule.dll can return a NULL pointer i.e., when no user is logged into the Triofox Server Agent Management Console. The returned NULL pointer is not checked before being...
GHSA-WC7J-G8WX-M2QX Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
Pimcore: Missing Authorization in WebDAV MOVE via unchecked asset move handling
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
CLSA-2026-1779893247 Fix of 5 CVEs
SECURITY UPDATE: add case sensitive attribute to LockOutRealm - debian/patches/CVE-2026-43513.patch: add case sensitive attribute to LockOutRealm - CVE-2026-43513 SECURITY UPDATE: fix the handling of invalid users with DIGEST authentication - debian/patches/CVE-2026-43512.patch: fix the handling ...
PT-2026-44148
Summary Pimcore's WebDAV asset endpoint exposes a MOVE operation through /asset/webdavpath without adding an authentication plugin in the WebDAV controller. The Tree::move implementation then performs asset mutation and deletion before checking a current Pimcore user or any asset permissions. An...
tomcat6: Fix of CVE-2026-41284
CVE-2026-41284: tomcat6: WebDAV LOCK/PROPFIND unbounded request body DoS...
CLSA-2026-1779374454 Fix of 7 CVEs
SECURITY UPDATE: multiple security fixes - debian/patches/CVE-2026-41284.patch: add a configurable maxRequestBodySize init-param to the WebDAV servlet to bound LOCK/PROPFIND XML request bodies; reject oversized bodies with 413 Request Entity Too Long. Includes the upstream...
GHSA-C656-JCX2-7PQJ zrok copy writes attacker-controlled WebDAV paths outside the destination root
Summary Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root...
zrok copy writes attacker-controlled WebDAV paths outside the destination root
Summary Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root...
PT-2026-41960
Name of the Vulnerable Software and Affected Versions zrok affected versions not specified Description A path traversal issue exists when using the zrok2 copy command to move files from a WebDAV or zrok drive to a local filesystem. An attacker can provide a malicious DAV href containing directory...
Path Traversal
zrok is vulnerable to Path Traversal. The vulnerability is due to failure to prevent symlink traversal in the WebDAV drive backend, which allows a remote attacker to access symbolic links pointing outside the shared root and read or, where permitted, modify arbitrary files on the host filesystem...
Updated tomcat packages fix security vulnerability
Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...
MGASA-2026-0139 Updated tomcat packages fix security vulnerability
Unbounded read in WebDAV LOCK and PROPFIND handling. CVE-2026-41284 HTTP/2 request headers not validated. CVE-2026-41293 WebSocket authentication header exposure. CVE-2026-42498 Digest authenticator will authenticate any unknown user. CVE-2026-43512 LockOutRealm treats user names as case-sensitiv...
BIT-TOMCAT-2026-41284 Apache Tomcat: Unbounded read in WebDAV LOCK and PROPFIND handling
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0 through 11.0.21, from 10.1.0 through 10.1.54, from 9.0.0 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to versio...