9 matches found
EUVD-2026-42074
The GET /api/v1/public/:accessId/portfolio endpoint in ghostfolio accepts private access IDs without validating granteeUserId filtering, allowing unauthenticated access to full portfolio data. Attackers with a private access ID can retrieve sensitive portfolio information including holdings,...
EUVD-2026-40352
Vibe-Trading before 0.1.10 constructs the swarm run directory by joining a caller-supplied run identifier onto the runs base directory without validation in rundir agent/src/swarm/store.py. A crafted run identifier supplied through the MCP swarm tools causes the application to read arbitrary...
RHEL 10 : samba (RHSA-2026:28055)
The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:28055 advisory. Samba is an open-source implementation of the Server Message Block SMB protocol and the related Common Internet File System CIFS protocol,...
CVE-2026-48917
Jenkins LDAP Plugin 807.v7d7de30930cf and earlier deserializes data from LDAP referrals without validation...
CVE-2026-34981
The whisperX API is a tool for enhancing and analyzing audio content. From 0.3.1 to 0.5.0, FileService.downloadfromurl in app/services/fileservice.py calls requests.geturl with zero URL validation. The file extension check occurs AFTER the HTTP request is already made, and can be bypassed by...
CVE-2020-37054
Navigate CMS 2.8.7 is affected by a cross-site request forgery vulnerability that lets attackers upload malicious extensions via a crafted HTML page. By abusing the extension upload functionality without additional validation, an authenticated administrator can be tricked into performing arbitrar...
CVE-2018-25152
CVE-2018-25152 affects Ecessa Edge EV150 10.7.4. A cross-site request forgery allows unauthenticated attackers to add superuser accounts by crafting a page that submits to /cgi-bin/pl_web.cgi/util_configlogin_act. The connected sources confirm the vulnerable component, the endpoint, and the impac...
CVE-2025-64447
CVE-2025-64447 involves a cookie validation flaw in Fortinet FortiWeb. Affected products are FortiWeb 8.0.0–8.0.1, 7.6.0–7.6.5, 7.4.0–7.4.10, 7.2.0–7.2.11, and 7.0.0–7.0.11. The root cause is insufficient validation and integrity checking of cookies, allowing an unauthenticated attacker to perfor...
CVE-2019-25022
An issue was discovered in Scytl sVote 2.1. An attacker can inject code that gets executed by creating an election-event and injecting a payload over an event alias, because the application calls Runtime.getRuntime.exec without validation...