Lucene search
K

4 matches found

Github Security Blog
Github Security Blog
added 2026/05/27 4:57 p.m.23 views

Pimcore has Unsafe PHP Deserialization in Multiple Locations Without allowed_classes Restriction

GM-374 Summary Multiple locations in Pimcore v11 call PHP's unserialize on data from database columns and filesystem files without the allowedclasses restriction, enabling object injection if an attacker can control the serialized data source. Affected Component - Package: pimcore/pimcore and...

6.3AI score0.00202EPSS
Exploits0References5Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/14 2:21 a.m.9 views

CVE-2026-6832

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the sessionid parameter. Attackers can exploit unvalidate...

8.1CVSS5.9AI score0.00475EPSS
Exploits1References1
EUVD
EUVD
added 2026/04/22 12:31 a.m.6 views

EUVD-2026-24517

Hermes WebUI contains an arbitrary file deletion vulnerability in the /api/session/delete endpoint that allows authenticated attackers to delete files outside the session directory by supplying an absolute path or path traversal payload in the sessionid parameter. Attackers can exploit unvalidate...

8.1CVSS5.9AI score0.00475EPSS
Exploits1References7
NVD
NVD
added 2026/04/02 10:16 a.m.4 views

CVE-2026-33613

Due to the improper neutralisation of special elements used in an OS command, a remote attacker can exploit an RCE vulnerability in the generateSrpArray function, resulting in full system compromise. This vulnerability can only be attacked if the attacker has some other way to write arbitrary dat...

8.8CVSS0.005EPSS
Exploits0References2
Rows per page
Query Builder