149 matches found
CVE-2026-33828 Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability
...
GO-2026-5002 Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4
Windows MDM management endpoint authentication bypass in github.com/fleetdm/fleet/v4...
User Impersonation
Overview Affected versions of this package are vulnerable to User Impersonation due to improper validation of JWT aud and iss claims in the Windows MDM authentication flow. An attacker can enroll unauthorized devices by presenting a valid Microsoft-signed Azure AD token from any tenant. This is...
Security Bulletin: Security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak
Summary A security vulnerability in Python affects IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak. Python is used by IBM Robotic Process Automation and IBM Robotic Process Automation for Cloud Pak as part of its deployment. This bulletin identifies the fixes...
Security Bulletin:Werkzeug safe_join function allows path segments with Windows device names containing file extensions or trailing spaces
Summary Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safejoin function allows path segments with Windows device names that have file extensions or trailing spaces. On Windows, there are special device names such as CON, AUX, etc that are implicitly...
Security Bulletin:Werkzeug Safe Join Function Vulnerability: Path Segments with Windows Device Names Prior to Version 3.1.4
Summary Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safejoin function allows path segments with Windows device names. On Windows, there are special device names such as CON, AUX, etc that are implicitly present and readable in every directory...
Security Bulletin:Safe Join Function Vulnerability Fixed in Werkzeug v3.1.6
Summary Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safejoin function allows Windows device names as filenames if preceded by other path segments. This was previously reported as GHSA-hgf8-39gv-g3f2, but the added filtering failed to account for the fac...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in werkzeug-3.1.5-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in werkzeug-3.1.5-py3-none-any.whl Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safejoin function allows Windows device names as...
Security Bulletin: Vulnerability in Werkzeug affects IBM Netezza Appliance
Summary The Werkzeug package is used by IBM Netezza Appliance . IBM Netezza Appliance has addressed the applicable CVE CVE-2026-21860 Vulnerability Details CVEID:CVE-2026-21860 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.5, Werkzeug's safejoin...
Security Bulletin: Vulnerability in Werkzeug affects IBM Netezza Appliance
Summary The Werkzeug package is used by IBM Netezza Appliance . IBM Netezza Appliance has addressed the applicable CVE CVE-2025-66221 Vulnerability Details CVEID:CVE-2025-66221 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Prior to version 3.1.4, Werkzeug's safejoin...
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to Improper Name Handling in Werkzeug [CVE-2026-27199]
Summary IBM Watson Speech Services Cartridge is vulnerable to Improper Name Handling in Werkzeug, due to a safejoin function, that allows Windows device names as filenames if preceded by other path segments, which can cause file reading to hang indefinately CVE-2026-27199. Werkzeug is used in our...
Security Bulletin: Maximo AI Service uses werkzeug-3.1.5-py3-none-any.wh which is vulnerable to CVE-2026-27199.
Summary Maximo AI Service uses werkzeug-3.1.5-py3-none-any.wh which is vulnerable to CVE-2026-27199. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library...
Security Bulletin: There is a vulnerability in werkzeug-3.1.5-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-27199)
Summary There is a vulnerability in werkzeug-3.1.5-py3-none-any.whl used by IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details CVEID:CVE-2026-27199 DESCRIPTION: Werkzeug is a comprehensive WSGI web application library. Versions 3.1.5 and below, the safejoin...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug
Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2025-66221 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...
Security Bulletin: IBM Cloud Pak for Data System (CPDS 1.0) is affected by improper handling of Windows device names due to Werkzeug
Summary Werkzeug is used by IBM Cloud Pak for Data System 1.0 as a WSGI web application library. CVE-2026-21860 affects Werkzeug's handling of Windows device names, which could lead to improper resource handling and potential availability impact on Windows systems. This vulnerability relates to t...
Exposure of Data Element to Wrong Session
Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...
Exposure of Data Element to Wrong Session
Overview Affected versions of this package are vulnerable to Exposure of Data Element to Wrong Session in the MDM command processing while handling SyncML status code. An attacker can obtain sensitive configuration data belonging to other devices such as WiFi credentials, VPN secrets, and...
CVE-2026-34391
Fleet is open source device management software. Prior to 4.81.1, a vulnerability in Fleet's Windows MDM command processing allows a malicious enrolled device to access MDM commands intended for other devices, potentially exposing sensitive configuration data such as WiFi credentials, VPN secrets...
Security Bulletin: IBM Maximo Application Suite - Predict Component was using vulnerable library werkzeug-3.1.4 which is vulnerable to CVE-2026-21860
Summary IBM Maximo Application Suite - Predict Component was using vulnerable library werkzeug-3.1.4-py3-none-any.whl which is vulnerable to CVE-2026-21860. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-21860 DESCRIPTION: Werkzeug is a...
CVE-2026-24295
Concurrent execution using shared resource with improper synchronization 'race condition' in Windows Device Association Service allows an authorized attacker to elevate privileges locally...