363730 matches found
CVE-2026-9782 Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability
Quest NetVault Backup NVBUDeviceDrive SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
CVE-2026-9781 Quest NetVault Backup NVBURASDevice SQL Injection Remote Code Execution Vulnerability
Quest NetVault Backup NVBURASDevice SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
CVE-2026-9780 Quest NetVault Backup addclient3 Cross-Site Scripting Authentication Bypass Vulnerability
Quest NetVault Backup addclient3 Cross-Site Scripting Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Quest NetVault Backup. User interaction is required to exploit this vulnerability in that the target must vis...
CVE-2026-7570 Quest NetVault Backup NVBUDashboard SQL Injection Remote Code Execution Vulnerability
Quest NetVault Backup NVBUDashboard SQL Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Quest NetVault Backup. Although authentication is required to exploit this vulnerability, the existing...
CVE-2026-39948 Cacti has SQL Injection via rfilter parameter in RLIKE clauses
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request parameter is retrieved via the raw accessor grv rather than gfrv with FILTERVALIDATEISREGEX validation and concatenated directly into RLIKE SQL clauses in lib/htmlgraph.php and...
CVE-2026-39955 Cacti has Pre-Authentication SQL Injection via unanchored FILTER_VALIDATE_REGEXP in graph_view.php
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have pre-authentication SQL Injection via unanchored FILTERVALIDATEREGEXP in graphview.php. This issue has been fixed in version 1.2.31...
CVE-2026-39938 Cacti: Unauthenticated RCE on Graph Image
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have unauthenticated LFI through graphtheme and rrdtool IPC serialization hardening. This issue has been resolved in version 1.2.31...
CVE-2026-39900 Cacti: Reflected XSS via tab parameter in auth_profile.php JavaScript context
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Reflected XSS via tab parameter in the authprofile.php JavaScript context. This issue has been fixed in version 1.2.31...
CVE-2026-39899 Cacti: Path Traversal via filename parameter in package_import.php
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior are vulnerable to Path Traversal via filename parameter in packageimport.php. This issue has been fixed in version 1.2.31...
CVE-2026-39897 Cacti has a Reflected XSS Vulnerability via html_auth_footer
Cacti is an open source performance and fault management framework. Versions 1.2.30 and below contain a Reflected XSS vulnerability in the htmlauthfooter. This issue has been fixed in version 1.2.31...
CVE-2026-39894 Cacti: RRDtool metric shift via LC_NUMERIC locale comma decimal formatting
Cacti is an open source performance and fault management framework. In versions 1.2.30 and below, the locale-dependent decimal formatting in rrdtoolfunctionupdate can corrupt RRDtool metric values. The rrdtoolfunctionupdate function checks metric values with isnumeric and concatenates them into t...
CVE-2026-39893 Cacti: Pre-authentication SQL injection via rfilter RLIKE clause in graph_view.php
Cacti is an open source performance and fault management framework. In versions 1.2.30 and prior, the rfilter request variable was concatenated into a RLIKE SQL clause without sanitization. The endpoint does not require authentication graph viewing supports guest access via the configured guest...
CVE-2026-2050 GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
GIMP HDR File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page o...
CVE-2026-49979 Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP Filter
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses...
CVE-2026-55454 Appsmith: Caddy admin API exposed without authentication
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2019 inside the container. While this listener is not directly published to the host by...
CVE-2026-9779 ATEN Unizon doCryptoHugeFileToFile Improper Verification of Cryptographic Signature Remote Code Execution Vulnerability
ATEN Unizon doCryptoHugeFileToFile Improper Verification of Cryptographic Signature Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The...
CVE-2026-9778 ATEN Unizon ImportDeviceList Directory Traversal Remote Code Execution Vulnerability
ATEN Unizon ImportDeviceList Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the...
CVE-2026-9777 ATEN Unizon restoreDB Directory Traversal Remote Code Execution Vulnerability
ATEN Unizon restoreDB Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the restoreDB...
CVE-2026-9776 ATEN Unizon writeFileToHttpServletResponse Directory Traversal Information Disclosure Vulnerability
ATEN Unizon writeFileToHttpServletResponse Directory Traversal Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ATEN Unizon. Authentication is not required to exploit this vulnerability. The specific fl...
CVE-2026-9775 ATEN Unizon uploadSSL Directory Traversal Arbitrary File Deletion Vulnerability
ATEN Unizon uploadSSL Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the uploadSSL...
CVE-2026-9774 ATEN Unizon updateLicense Directory Traversal Arbitrary File Deletion Vulnerability
ATEN Unizon updateLicense Directory Traversal Arbitrary File Deletion Vulnerability. This vulnerability allows remote attackers to delete arbitrary files on affected installations of ATEN Unizon. Authentication is required to exploit this vulnerability. The specific flaw exists within the...
CVE-2026-55455 Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils used by the REST API and GraphQL datasource plugins validates hosts against an exact-match string denylist. The comprehensive address-class check...
CVE-2026-10043 MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability
MosaicML Composer Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MosaicML Composer. User interaction is required to exploit this vulnerability in that the target must visit a...
CVE-2026-9773 Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability
Unraid Web Server ToggleState Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within ToggleState.php...
CVE-2026-9772 Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability
Unraid Web Server FileUpload Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Unraid. Authentication is required to exploit this vulnerability. The specific flaw exists within FileUpload.php. T...
CVE-2026-50189 Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/ on the public ingress. Combined with the...
CVE-2026-10642 Unbounded TX busy-loop DoS in Zephyr PL011 UART driver under CTS hardware flow control
The Zephyr PL011 UART driver drivers/serial/uartpl011.c contains an unbounded software loop in pl011irqtxenable that repeatedly invokes the interrupt-driven application callback while the TX interrupt mask bit PL011IMSCTXIM is set, to work around the controller's level-transition TX-interrupt...
CVE-2026-53765 chrome-devtools-mcp: daemon.pid write follows symlinks in /tmp fallback runtime directory
Chrome DevTools for agents chrome-devtools-mcp lets your coding agent control and inspect a live Chrome browser. From 0.20.0 until 1.1.0, The chrome-devtools-mcp daemon writes its PID file with fs.writeFileSync to a deterministic runtime path. On typical macOS environments, and on Linux sessions...
CVE-2026-53766 chrome-devtools-mcp: validatePath() does not canonicalize symlinks before enforcing roots
Chrome DevTools for agents chrome-devtools-mcp lets your coding agent control and inspect a live Chrome browser. From 0.24.0 until 1.1.0, McpContext.validatePath enforces workspace roots by checking whether path.resolvefilePath textually falls under one of the configured root paths. path.resolve...
CVE-2026-52794 Sentry: Inefficient Regular Expression Complexity in sentry
Sentry is an error tracking and performance monitoring tool. From 24.4.0 until 26.5.2, a Regular Expression Denial of Service ReDoS vulnerability exists in Sentry's event ingestion pipeline, where a regex applied to attacker-controlled fields on incoming events can be made to consume...
CVE-2026-55570 SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields name, version, author, description when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is...
CVE-2026-54759 SiYuan: Lute HTML sanitizer allows `<iframe>` tags in Bazaar package README, leading to arbitrary command execution via SiYuan Electron client
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, Lute's HTML sanitizer does not remove elements. Combined with the SiYuan Electron client's permissive security configuration, an attacker can include a malicious in a Bazaar package README that executes arbitrary...
CVE-2026-47110 Tiptap for PHP < 2.1.1 DoS via Malformed href Attribute
Tiptap for PHP before version 2.1.1 contains an input validation vulnerability that allows authenticated attackers to cause a denial of service by submitting Tiptap JSON with the attrs.href field set to an array instead of a string, causing an unhandled TypeError in the Link::isAllowedUri functio...
CVE-2026-50551 SiYuan: Stored XSS to RCE via Unsanitized Attribute View Asset Cell Content
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan contains a stored cross-site scripting XSS vulnerability in the Attribute View database asset cell renderer that escalates to remote code execution RCE in the Electron desktop client. This vulnerability is fixed...
CVE-2026-54158 SiYuan: Stored XSS to RCE via attribute-view cell rendering in genAVValueHTML()
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view database cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, url, phone, and mAsset. A cell value like or " breaks out of its surrounding tag and runs arbitrary...
CVE-2026-54070 SiYuan: Stored XSS in Bazaar marketplace via package README event handlers
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, renderPackageREADME in kernel/bazaar/readme.go renders a Bazaar package README from Markdown to HTML with the lute engine and SetSanitizetrue. The lute sanitizer is an event-handler blocklist: allowAttr rejects only...
CVE-2026-54069 SiYuan: Unauthenticated Admin API Access via Blanket chrome-extension:// Origin Allowlist
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan Note's kernel HTTP server unconditionally trusts all chrome-extension:// origins, granting RoleAdministrator access to every installed browser extension without any authentication. Combined with the default empt...
CVE-2026-54068 SiYuan: Unauthenticated SQLite Data Exfiltration via Template Injection in /api/icon/getDynamicIcon
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the /api/icon/getDynamicIcon endpoint is explicitly excluded from authentication in SiYuan's kernel router router.go, "不需要鉴权" -- no auth needed. When called with type=8 and a valid block id parameter, this endpoint...
CVE-2026-54067 SiYuan: Stored XSS to RCE via CSS-snippet <style> breakout in renderSnippet()
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing breaks out of its surrounding tag when renderSnippet interpolates it via insertAdjacentHTML. A payload like runs arbitrary JavaScript in the renderer. On Electron desktop builds the renderer...
CVE-2026-54066 SiYuan: Path Traversal via Double URL Encoding in /assets/*path (publish mode arbitrary file─read)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 "Path Traversal via Double URL Encoding" sanitized the /export/ route but the identical root cause remains in the /assets/path route. In publish mode anonymous read-only HTTP endpoint,...
CVE-2026-55762 Rocket.Chat: Any Authenticated User Can Permanently Deregister Workspace from Rocket.Chat Cloud via Unprotected `/api/v1/fingerprint` Endpoint
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, the POST /api/v1/fingerprint REST endpoint enforces authentication authRequired: true but performs no authorization check. Any authenticated user —...
CVE-2026-55759 Rocket.Chat: Apple Sign-In skips JWT claims validation, allowing expired and cross-audience token replay
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, Rocket.Chat's Apple Sign-In handler verifies JWT signatures but skips claims validation. Any Apple-signed JWT with a non-empty iss is accepted...
CVE-2026-55666 Rocket.Chat: Email Parameter Fallback Leads To Account Takeover Within Apple OAuth
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13, in apps/meteor/app/apple/server/loginHandler.ts, handleIdentityToken parses a JWT issued by Apple during the OAuth flow. The try block checks for an...
CVE-2026-49278 Rocket.Chat: Livechat Visitor Profile Disclosure Leaks Bearer Token and Enables Visitor Impersonation
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, in the visitors.info endpoint, https://developer.rocket.chat/apidocs/get-visitor-information-by-id-1, token is returned in the response. It...
CVE-2026-49277 Rocket.Chat: OAuth access and refresh tokens remain valid after account deactivation
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat does not revoke OAuth bearer or refresh tokens when a user is deactivated. A deactivated user can continue using an existing OAuth...
CVE-2026-45757 Rocket.Chat: users.deactivateIdle` deactivates accounts without revoking existing login tokens
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12, Rocket.Chat allows users deactivated through users.deactivateIdle to keep using already-issued login tokens. A user that an administrator has...
CVE-2026-33543 FOSSBilling: Authentication bypass allows unauthenticated administrator creation
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already...
CVE-2026-46423 Rocket.Chat: SAML signature validation skipped when IdP certificate field is empty
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's SAML service provider implementation silently skips both SAML Response and Assertion signature validation when the configured Id...
CVE-2026-45689 Rocket.Chat: Pre-Auth NoSQL Injection in OAuth2 Token Endpoint leading to Arbitrary User ATO
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, an unauthenticated network attacker obtains a valid Rocket.Chat OAuth access token for an arbitrary user by sending a single HTTP POST with...
CVE-2026-45688 Rocket.Chat: Pre-Auth NoSQL Injection in CAS Login Handler leading to Arbitrary CAS/SAML User Session Hijack
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, and 7.10.11, Rocket.Chat's CAS login handler forwards the client-supplied options.cas.credentialToken value straight into a MongoDB findOneid: ... query...