366200 matches found

CVE · added 2026/06/12 8:36 p.m. · 15 views

CVE-2026-54395

CVE-2026-54395 affects MISP (UiBeta event index view) with a reflected XSS in the advanced filter popup. The urlparams value is inserted into an inline JavaScript handler inside a single-quoted string; browsers HTML-decode attribute values before JS parsing, enabling an attacker to craft a URL th...

CVSS 5.3 · AI score 5.2 · EPSS 0.00256 · Exploits 0 · References 1

CVE · added 2026/06/12 8:30 p.m. · 20 views

CVE-2026-54394

The CVE-2026-54394 entry describes a path traversal vulnerability in MISP's OrganisationsController::getOrgLogo. The vulnerable code constructs paths to organisation logos using fields like id, name, and uuid without enforcing that the resolved path stays under APP/files/img/orgs/. An attacker ab...

CVSS 5.3 · AI score 5.6 · EPSS 0.00319 · Exploits 0 · References 1

CVE · added 2026/06/12 8:30 p.m. · 20 views

CVE-2026-12129

CodeAstro Human Resource Management System 1.0 is affected. The vulnerability resides in the Dashboard Interface component, specifically the /dashboard/add_tod endpoint, where manipulation of the todo_data argument leads to cross-site scripting. The issue is exploitable remotely, and exploits are...

CVSS 5.1 · AI score 3.7 · EPSS 0.00203 · Exploits 0 · References 6

CVE · added 2026/06/12 8:26 p.m. · 18 views

CVE-2026-47264

CVE-2026-47264 affects Discourse releases 2026.1.0–2026.1.3, 2026.3.0–2026.3.0x (up to 2026.3.0-latest until 2026.3.1), and 2026.4.0–2026.4.0x (up to 2026.4.0-latest until 2026.4.1). The root cause is that DetailedTagSerializer#tag_group_names returned every tag group a tag belonged to without fi...

CVSS 5.3 · AI score 5.2 · EPSS 0.00216 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:26 p.m. · 24 views

CVE-2026-47263

Summary: Discourse platforms affected by CVE-2026-47263 expose a channel via Webhook events due to a missing group_ids parameter in MessageBus.publish for /web_hook_events/, making the channel readable by any authenticated user (or anonymous users when login is disabled). Impact (as stated): Webh...

CVSS 4.3 · AI score 5.2 · EPSS 0.00211 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:25 p.m. · 16 views

CVE-2026-45775

Discourse, a multi-site capable open-source discussion platform, has a path traversal vulnerability in its backup handling that could let an authenticated administrator on one site access backup files from another site on the same host. Affected version ranges include 2026.1.0-latest up to before...

CVSS 6.8 · AI score 5.2 · EPSS 0.00323 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:25 p.m. · 14 views

CVE-2026-45085

CVE-2026-45085 affects Discourse with the chat plugin (calendar-capable variant also involved). The issues span four authorization/disclosure problems observed in versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1. They include:...

CVSS 5.3 · AI score 5.3 · EPSS 0.00204 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:24 p.m. · 22 views

CVE-2026-44785

CVE-2026-44785 affects Discourse. The vulnerability arises because the AI "explain" helper validates can_see? only on the post being explained, allowing an authenticated user with access to the AI helper to read the raw contents of a hidden parent post by invoking Explain on a reply to it. Affect...

CVSS 4.3 · AI score 5.3 · EPSS 0.00189 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:23 p.m. · 15 views

CVE-2026-44784

Discourse has a vulnerability where non-staff group owners can access a group’s outgoing SMTP credentials in plaintext via the group history log (/groups/:name/logs.json). Affected fields include email_password, email_username, smtp_server, smtp_port, and smtp_ssl_mode, with SMTP password being t...

CVSS 6.5 · AI score 5.3 · EPSS 0.00231 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:23 p.m. · 18 views

CVE-2026-44783

Product/Component: Discourse (open-source discussion platform). Issue: A flaw in how replies to whispers are handled allows authenticated users outside the groups configured in whispers_allowed_groups to post into a topic’s staff-only whisper channel. The injected content is visible to whisperer...

CVSS 5.4 · AI score 5.3 · EPSS 0.00148 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:23 p.m. · 16 views

CVE-2026-44782

Discourse (open-source) is affected. In versions 2026.1.0-latest–2026.1.3.x, 2026.3.0-latest–2026.3.0.x, and 2026.4.0-latest–2026.4.0.x, GroupPostSerializer used include_user_long_name? as the predicate for the :name attribute. AMS checks for include_name?, but the misnamed predicate was never in...

CVSS 4.3 · AI score 5.3 · EPSS 0.00189 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:22 p.m. · 16 views

CVE-2026-44780

Summary of CVE-2026-44780 (Discourse): The flaw arises in the ReviewableQueuedPostSerializer where, for posts arriving via incoming email, payload["raw_email"] was unconditionally included. This allowed category moderation group members in the review queue to access the full inbound email conten...

CVSS 4.3 · AI score 5.2 · EPSS 0.00189 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:22 p.m. · 22 views

CVE-2026-44779

CVE-2026-44779 affects Discourse. From versions 2026.1.0-latest up to before 2026.1.4, 2026.3.0-latest up to before 2026.3.1, and 2026.4.0-latest up to before 2026.4.1, bot debug endpoints disclose whisper translation audit logs. The issue has been patched in 2026.1.4, 2026.3.1, 2026.4.1, and 202...

CVSS 4.3 · AI score 5.2 · EPSS 0.00235 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:22 p.m. · 19 views

CVE-2026-44786

CVE-2026-44786 affects Discourse: versions 2026.1.0-latest to before 2026.1.4, 2026.3.0-latest to before 2026.3.1, and 2026.4.0-latest to before 2026.4.1 allow chat events from public category channels to be published to MessageBus without proper permission scoping, enabling any MessageBus subscr...

CVSS 7.5 · AI score 5.3 · EPSS 0.00259 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:21 p.m. · 13 views

CVE-2026-54393

CVE-2026-54393 describes a stored XSS in MISP when the Overmind theme is active. The vulnerability stems from the setHomePage endpoint saving user-supplied paths via setSettingInternal(), bypassing validation in setSetting() (including validate_homepage that enforces a leading “/”). The attacker-...

CVSS 5.1 · AI score 5.3 · EPSS 0.00377 · Exploits 0 · References 1

CVE · added 2026/06/12 8:08 p.m. · 13 views

CVE-2026-54362

The CVE concerns MISP's event template builder where an incorrect visibility condition allowed authenticated non-site-admin users to see galaxies outside their organisation. The root cause is a PHP comparison expression used instead of a query condition, causing enabled galaxies, including organi...

CVSS 5.3 · AI score 5.4 · EPSS 0.00207 · Exploits 0 · References 1

CVE · added 2026/06/12 8:08 p.m. · 11 views

CVE-2026-53999

CVE-2026-53999 is covered by a connected advisory for Radius (Radius Kubernetes controller) describing a configuration-injection / cross-tenant resource deletion issue. The vulnerability arises when the controller deserializes a user-controllable radapp.io/status annotation without validating the...

EPSS 0.00051 · Exploits 0

CVE · added 2026/06/12 8:07 p.m. · 15 views

CVE-2026-54057

Kitty (cross-platform GPU-based terminal) is affected in versions prior to 0.47.3. The issue arises in the OSC 21 (color-control) query reply, which may reflect attacker-controlled bytes—including newlines—into the shell input without sanitization. This can enable local command injection or input...

CVSS 7.8 · AI score 5.3 · EPSS 0.00166 · Exploits 1 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:06 p.m. · 12 views

CVE-2026-54056

Kitty (GPU-based terminal) vulnerability CVE-2026-54056 affects versions 0.47.0–0.47.1 where a remote drag-and-drop via kitten dnd staging can overwrite or truncate arbitrary files writable by the local user. The attack chains a staged remote text/uri-list, exploiting a race in staging where a st...

CVSS 7.6 · AI score 5.7 · EPSS 0.00268 · Exploits 1 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:03 p.m. · 17 views

CVE-2026-54055

Kitty (cross‑platform GPU terminal) contains a local privilege escalation vulnerability in its file transmission protocol prior to 0.47.2. A TOCTOU race between symlink validation and file creation allows a child process in the terminal to write to arbitrary files because os.op...

CVSS 5 · AI score 5.5 · EPSS 0.00072 · Exploits 0 · References 1 · Affected Software 1

CVE · added 2026/06/12 8:00 p.m. · 13 views

CVE-2026-42851

CVE-2026-42851 (Kitty terminal): In versions prior to 0.47.0, a program that writes bytes to a Kitty terminal can trigger execution of attacker-supplied Python inside the Kitty process with the user’s privileges. This is a local issue with high impact to confidentiality, integrity, and availabil...

CVSS 7.8 · AI score 5.6 · EPSS 0.00164 · Exploits 1 · References 1 · Affected Software 1

CVE · added 2026/06/12 7:59 p.m. · 25 views

CVE-2026-54361

CVE-2026-54361 affects MISP and stems from mass assignment flaws in collections, tag collections, event delegations, and shadow attributes. Several controller actions accepted user-supplied fields that should be server-controlled (e.g., id, org_id, orgc_id, user_id), enabling an authenticated att...

CVSS 8.8 · AI score 5.2 · EPSS 0.00262 · Exploits 0 · References 1

CVE · added 2026/06/12 7:59 p.m. · 12 views

CVE-2026-42850

CVE-2026-42850 affects the Kitty terminal (GPU-based, cross-platform). In versions prior to 0.47.0, an injection is possible through a crafted kitty error that is echoed back to the terminal with CRLF and executed by the user’s shell. The attack requires the victim to connect to the attacker (e.g...

CVSS 8.8 · AI score 5.5 · EPSS 0.00287 · Exploits 1 · References 1 · Affected Software 1

CVE · added 2026/06/12 7:51 p.m. · 15 views

CVE-2026-54360

CVE-2026-54360 affects MISP: the mass assignment in the sharing group creation flow (SharingGroupsController::add) allows an authenticated user to submit an existing group’s id, causing a create() followed by save() to update that group. This could enable takeover or alteration of sharing groups ...

CVSS 8.4 · AI score 5.4 · EPSS 0.00226 · Exploits 0 · References 1

CVE · added 2026/06/12 7:44 p.m. · 15 views

CVE-2026-54359

The CVE-2026-54359 entries describe an insecure default in MISP where Security.check_sec_fetch_site_header is disabled, allowing CSRF-like abuse where a remote unauthenticated attacker could induce an authenticated user’s browser to issue state-changing requests (POST/PUT/AJAX) to MISP automation...

CVSS 7.1 · AI score 5.3 · EPSS 0.00189 · Exploits 0 · References 1

CVE · added 2026/06/12 7:34 p.m. · 14 views

CVE-2026-54358

The CVE concerns MISP where an organization administrator can target site administrator accounts within the same organization via the administrative email function due to a faulty authorization check that fails to exclude site-admin recipients from queries. This allows privileged account-manageme...

CVSS 7.5 · AI score 5.4 · EPSS 0.00229 · Exploits 0 · References 1

CVE · added 2026/06/12 7:25 p.m. · 16 views

CVE-2026-54357

CVE-2026-54357 describes an improper authorization flaw in MISP where an authenticated organization administrator could access or modify user settings of site administrators within the same organization. The underlying issue is that access-control checks scoped administrative actions by organizat...

CVSS 5.1 · AI score 5.3 · EPSS 0.00254 · Exploits 0 · References 1

CVE · added 2026/06/12 7:05 p.m. · 19 views

CVE-2026-43872

CVE-2026-43872 affects the open-source personal finance app Actual prior to version 26.5.0, where several endpoints are vulnerable to a path traversal flaw. The root cause is not explicitly detailed in the provided documents beyond the vulnerability class; the issue is resolved by upgrading to 2...

CVSS 5.3 · AI score 5.3 · EPSS 0.00303 · Exploits 0 · References 2

CVE · added 2026/06/12 6:58 p.m. · 24 views

CVE-2026-42890

CVE-2026-42890 affects the macOS desktop application Actual (version 25.x, Electron 39.2.7). The ELECTRON_RUN_AS_NODE fuse was not disabled, allowing a local attacker who can place a file on disk or influence command-line arguments to invoke Actual.app with ELECTRON_RUN_AS_NODE=1. This converts t...

CVSS 4.8 · AI score 5.6 · EPSS 0.00126 · Exploits 0 · References 2

CVE · added 2026/06/12 6:51 p.m. · 16 views

CVE-2026-50552

Koel (open-source music streaming) is affected prior to version 9.7.1 by a Server-Side Request Forgery (SSRF) in the radio station creation endpoint (POST /api/radio/stations). The url validation rules are declared without bail, allowing the HasAudioContentType rule to issue HTTP requests even af...

CVSS 6.3 · AI score 5.5 · EPSS 0.0016 · Exploits 0 · References 2

CVE · added 2026/06/12 6:50 p.m. · 22 views

CVE-2026-47260

Koel (pre-9.3.5) is vulnerable to SSRF via unvalidated podcast enclosure URLs extracted from RSS feeds. The SafeUrl rule validates only the feed URL, not enclosure URLs, which are stored directly in the database and later fetched with Http::sink()->get() when playing an episode, enabling full-...

CVSS 7.7 · AI score 5.3 · EPSS 0.00263 · Exploits 0 · References 2

CVE · added 2026/06/12 6:44 p.m. · 31 views

CVE-2026-50287

AgenticMail MCP HTTP mode (via --http or MCP_HTTP=1) exposed the /mcp endpoint without HTTP authentication, enabling an unauthenticated remote client to initialize a session and call master-key tools. Affected component: @agenticmail/mcp; impact includes potential exposure of administrative/gatew...

CVSS 8.7 · AI score 5.3 · EPSS 0.00359 · Exploits 0 · References 1

CVE · added 2026/06/12 6:42 p.m. · 20 views

CVE-2026-42604

The CVE concerns Actual Budget’s sync-server (local-first Personal Finance tool). Versions ≤ 26.4.0 expose the full OpenID Connect configuration, including the OAuth2 client_secret, via POST /openid/config to callers who know the bootstrap password. The endpoint lacks authentication and rate limi...

CVSS 9.1 · AI score 5.3 · EPSS 0.004 · Exploits 0 · References 2

CVE · added 2026/06/12 6:37 p.m. · 10 views

CVE-2026-53726

Parse Server contains a vulnerability in the relation query operator $relatedTo. Before versions 8.6.80 and 9.9.1-alpha.6, an unauthenticated client with public API credentials could read membership of a Relation field protected by protectedFields or object ACLs, potentially enumerating objects l...

CVSS 6.9 · AI score 5.3 · EPSS 0.00276 · Exploits 0 · References 3

CVE · added 2026/06/12 6:35 p.m. · 19 views

CVE-2026-12043

CVE-2026-12043 affects the AWS Common Runtime aws-c-http library due to improper handling of HPACK dynamic table size updates, which can cause memory corruption on a connecting client via a crafted sequence of HTTP/2 HEADERS frames. The vulnerability could lead to arbitrary code execution on vuln...

CVSS 8.8 · AI score 5.8 · EPSS 0.00351 · Exploits 0 · References 3

CVE · added 2026/06/12 6:35 p.m. · 9 views

CVE-2026-53725

Parse Server up to version 9.9.1-alpha.5 contains a vulnerability in MFA handling: when _User get is denied by Class-Level Permissions, the /login and /verifyPassword endpoints may bypass CLP/protectedFields sanitization and return raw database rows, exposing MFA data (MFA TOTP secrets and recove...

CVSS 5.9 · AI score 5.3 · EPSS 0.00251 · Exploits 0 · References 2

CVE · added 2026/06/12 6:34 p.m. · 13 views

CVE-2026-53724

CVE-2026-53724 – Parse Server Stored XSS (trailing-dot bypass) affects Parse Server prior to versions 8.6.79 and 9.9.1-alpha.4. A trailing dot on a filename bypasses the default file upload extension blocklist by making the extension parser yield an empty string, allowing the attacker-controlled ...

CVSS 2.1 · AI score 5.2 · EPSS 0.00281 · Exploits 0 · References 3

CVE · added 2026/06/12 6:30 p.m. · 49 views

CVE-2026-49854

The CVE entry corresponds to the Tornado project vulnerability described in GHSA-CX3H-4QPV-8HC9. Affected component: Tornado’s optional native extension tornado.speedups. Root cause: the C function behind websocket_mask reads four bytes from the mask unconditionally, without validating that the P...

EPSS 0.00027 · Exploits 0

CVE · added 2026/06/12 6:29 p.m. · 7 views

CVE-2026-48154

The CVE entry CVE-2026-48154 is informed by a GitHub advisory for gorest (Go REST API boilerplate). It documents a CWE-362 race condition in InMemorySecret2FA, where a package-level map[uint64]Secret2FA is accessed concurrently without synchronization across login and 2FA flows, leading to fatal ...

EPSS 0.00051 · Exploits 0

CVE · added 2026/06/12 6:24 p.m. · 12 views

CVE-2026-50099

CVE-2026-50099 affects Naxclow IoT platform firmware. During WiFi association, the device prints host network SSID, PSK, and negotiated WPA keys in cleartext to an exposed UART console on production hardware. UART pads are labeled, run with default serial settings, and drop to an interactive RT-T...

CVSS 5.1 · AI score 5.3 · EPSS 0.00171 · Exploits 0 · References 2

CVE · added 2026/06/12 6:22 p.m. · 16 views

CVE-2026-50008

Parse Server (versions 9.8.0–before 9.9.1-alpha.3) is affected by a bypass in the routeAllowList option. The allow-list check is enforced as Express middleware against the outer HTTP request URL, but the /batch handler dispatches sub-requests to the internal router without re-running the allow-li...

CVSS 6.9 · AI score 5.2 · EPSS 0.00342 · Exploits 0 · References 2

CVE · added 2026/06/12 6:22 p.m. · 10 views

CVE-2026-10715

Camaleon CMS 2.9.2 contains an improper authorization vulnerability in the administrator draft autosave endpoint. A low-privileged authenticated user can send an arbitrary post_id to POST /admin/post_type//drafts and overwrite the draft of another user’s post. Affected component: draft autosave f...

CVSS 5.1 · AI score 5.4 · EPSS 0.00215 · Exploits 0 · References 2

CVE · added 2026/06/12 6:22 p.m. · 29 views

CVE-2026-47138

CVE-2026-47138: Parse Server suffers pre-authentication DoS via adversarial client version header input causing polynomial backtracking in the request-header parser. Affected before fixes in versions up to 8.6.76/9.9.0-alpha.1; patched in 8.6.77 and 9.9.1-alpha.1. An unauthenticated attacker wit...

CVSS 8.7 · AI score 5.2 · EPSS 0.00584 · Exploits 0 · References 3

CVE · added 2026/06/12 6:21 p.m. · 24 views

CVE-2026-47248

CVE-2026-47248 – Parse Server GraphQL schema disclosure via "Did you mean …?" validation messages. What is affected: the Parse Server (Node.js) GraphQL endpoint exposes schema metadata to unauthenticated callers through "Did you mean …?" suggestions embedded in GraphQL validation errors. Root cause: Valid...

CVSS 6.9 · AI score 5.2 · EPSS 0.00291 · Exploits 0 · References 3

CVE · added 2026/06/12 6:21 p.m. · 17 views

CVE-2026-50244

CVE-2026-50244 affects the Naxclow IoT Platform. The registration endpoint accepts signed requests with a batch prefix and a caller-supplied account identifier without ownership validation, allowing an attacker to mint new sequential device identifiers and read the batch’s current high-water coun...

CVSS 6.9 · AI score 5.3 · EPSS 0.00221 · Exploits 0 · References 2

CVE · added 2026/06/12 6:17 p.m. · 12 views

CVE-2026-42932

The CVE-2026-42932 entry concerns the Naxclow IoT Platform where identifier generation uses fixed manufacturing prefixes with sequential counters, creating a fully predictable and enumerable identifier space. An exposed endpoint reveals the current identifier high-water mark, enabling enumeration...

CVSS 6.9 · AI score 5.2 · EPSS 0.00233 · Exploits 0 · References 2

CVE · added 2026/06/12 6:13 p.m. · 18 views

CVE-2026-42947

CVE-2026-42947 affects Naxclow IoT Platform. A flaw in the onboarding workflow lets an attacker replay a confirm-then-bind sequence to silently reassign a device to an arbitrary account, because endpoints validate request signatures but do not verify legitimate ownership. Practical consequence: a...

CVSS 8.8 · AI score 5.4 · EPSS 0.00312 · Exploits 0 · References 2

CVE · added 2026/06/12 6:11 p.m. · 12 views

CVE-2026-47236

CVE-2026-47236 affects the Solidtime open‑source time-tracking app prior to version 0.12.2. The root cause is insufficient access control in the Jetstream-backed team page: invitations:view and members:view permissions gate the official APIs, but the Jetstream page authorizes access with only bel...

CVSS 4.3 · AI score 5.3 · EPSS 0.00183 · Exploits 0 · References 2

CVE · added 2026/06/12 6:10 p.m. · 15 views

CVE-2026-50108

The CVE-2026-50108 entry concerns the Naxclow IoT Platform API where device relay registration details are returned with a persistent credential without verifying the requester’s identity. An actor who can present a platform-valid request signature can retrieve credentials for arbitrary devices a...

CVSS 8.7 · AI score 5.5 · EPSS 0.00306 · Exploits 0 · References 2

CVE · added 2026/06/12 6:09 p.m. · 28 views

CVE-2026-42306

CVE-2026-42306 affects Moby/Docker: a race condition during docker cp mount setup could redirect a bind mount target to an arbitrary host path, potentially overwriting host files or causing denial of service. Affected are Docker Engine prior to 29.5.1, Docker Daemon 28.5.2 and earlier, and Moby D...

CVSS 7.2 · AI score 5.2 · EPSS 0.00104 · Exploits 0 · References 1 · Affected Software 3

Total number of security vulnerabilities: 366200