364611 matches found
CVE-2026-61461 Dify < 1.16.0-rc1 SQL Injection via MyScale Vector Store search_by_full_text
Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the searchbyfulltext method without escaping or parameterization. Attackers can inject malicious SQL throu...
CVE-2026-5801 SQLi in Semtek Informatics' SEM-PMP
Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Semtek Informatics Software Consulting Trade Ltd. Co. SEM-PMP allows Command Line Execution through SQL Injection. This issue affects SEM-PMP: through 23042026...
CVE-2026-53450 Coturn: IPv4-mapped 127.0.0.1 bypasses default loopback peer protection
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, coturn rejects loopback peers by default unless allow-loopback-peers is enabled, but the default loopback guard can be bypassed by using the IPv4-mapped IPv6 peer address ::ffff:127.0.0.1 in a TURN...
CVE-2026-53449 Coturn: Arbitrary File Write via CLI psd Command
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.13.0, the psd print sessions dump CLI command in coturn takes a filename argument and directly passes it to fopen with no path validation. An authenticated admin with CLI access can overwrite arbitrary files writable ...
CVE-2026-53448 Coturn: SQL Injection in HTTPS Admin Panel Delete Operations
Coturn is a free open source implementation of TURN and STUN Server. Prior to 4.12.0, the coturn HTTPS admin panel passes HTTP query parameters directly into SQL queries via snprintf string interpolation without sanitization. The issecurestring filter that protects the STUN protocol path is not...
CVE-2025-30008 HestiaCP < 1.9.5 Stored XSS via DNS Record Management Interface
HestiaCP before 1.9.5 contains a stored cross-site scripting vulnerability that allows authenticated low-privilege users to inject arbitrary HTML by creating a DNS record with a double-quote followed by a script payload in the value field. The application fails to apply htmlspecialchars encoding ...
CVE-2025-30007 HestiaCP < 1.9.5 Authenticated OS Command Injection via DNS Record Management
HestiaCP before 1.9.5 contains an authenticated OS command injection vulnerability that allows low-privilege authenticated users to execute arbitrary commands as root by injecting a single-quote character into unvalidated DNS record types. Attackers can exploit insufficient input validation in...
CVE-2026-59151 Prowler: SAML Domain Claiming Enables Cross-Tenant Account Takeover
Prowler is a cloud security platform. Prior to 5.30.3, Prowler's SAML authentication flow trusted the email domain asserted in a SAMLResponse when deciding which tenant should receive the final token, and the ACS finish logic in api/src/backend/api/v1/views.py recalculated the tenant from...
CVE-2026-56668 ZITADEL: Unauthorized Token Privilege Escalation in OAuth2 Token Exchange
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's OAuth2 Token Exchange endpoint for urn:ietf:params:oauth:grant-type:token-exchange does not verify that the subject token belongs to the requesting client or that requested scopes remain within the original token's...
CVE-2026-56666 ZITADEL: Auto-linking by email: IdP-side email verification is not checked
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive...
CVE-2026-2397 SQLi in AdamPOS' MobilMen 20T
Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows SQL Injection. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not...
CVE-2026-56667 ZITADEL: Stored XSS via Default URI Redirect in Login V2
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a...
CVE-2026-56665 ZITADEL: Missing Token Expiration (`exp`) Validation in JWT IdP Provider
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL is an open source identity management platform. From 3.0.0-rc.1 through 3.4.11 and from 4.0.0-rc.1 through 4.15.1, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session....
CVE-2026-56664 ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validation in internal/idp/providers/jwt/session.go skips the maximum token age freshness check when an incoming token omits the iat claim, allowing arbitrarily old tokens...
CVE-2026-55672 ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's OAuth2 and OIDC CodeExchange, RefreshToken, and device token flows fail to verify that the requesting client matches the client that initiated the authorization flow, allowing intercepted grants or refre...
CVE-2026-55671 ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components
ZITADEL is an open source identity management platform. From 4.0.0-rc.1 through 4.15.1, ZITADEL's HTTP notification channels, OIDC BackChannel Logout, and SAML metadata URL fetches do not consistently validate user-defined URLs against protected denylist handling, allowing server-side requests to...
CVE-2026-55670 ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original...
CVE-2026-57476 Deloitte AI Assist for Customer unauthenticated RAG corpus read and write
Deloitte AI Assist for Customer exposed unauthenticated API endpoints that allowed an attacker with knowledge of additional parameters to read from or inject content into the retrieval-augmented generation RAG corpus. On 2026-03-25, AI Assist for Customer restricted network access and enforced...
CVE-2026-57475 Deloitte AI Assist for Customer unauthenticated configuration write
Deloitte AI Assist for Customer accepted unauthenticated POST requests through public-facing API endpoints that allowed a remote attacker to make limited additions to the configuration. These additions were not used by the system. On 2026-03-25, AI Assist for Customer restricted network access an...
CVE-2026-57474 Deloitte AI Assist for Customer information disclosure
Deloitte AI Assist for Customer disclosed some configuration information through public-facing API endpoints that accepted unauthenticated requests. This information could reduce an attacker’s reconnaissance effort. On 2026-03-25, AI Assist for Customer restricted network access and enforced...
CVE-2026-2398 IDOR in AdamPOS' MobilMen 20T
Authorization bypass through User-Controlled key vulnerability in Adam Retail Automation Ltd. MobilMen 20T allows Privilege Escalation. This issue affects MobilMen 20T: from v3 through 10072026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way...
CVE-2026-55669 ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
ZITADEL is an open source identity management platform. Prior to 3.4.12 and 4.15.2, ZITADEL's external JWT Identity Provider validates a token's signature and issuer iss but not the audience aud claim, allowing a validly signed token from a trusted issuer for another relying party to be accepted ...
CVE-2026-55781 NanaZip: Unbounded memory allocation (DoS) in NanaZip UFS parser via unvalidated fs_bsize/fs_fsize superblock fields
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's UFS and FFS image handler in NanaZip.Codecs.Archive.Ufs.cpp validates the superblock block size only against the MINBSIZE lower bound and does not validate the fsfsize fragment size, allowin...
CVE-2026-55780 NanaZip: Uncaught exception / unbounded allocation in NanaZip .NET single-file Extract() via unvalidated entry Size
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's .NET single-file bundle handler in NanaZip.Codecs.Archive.DotNetSingleFile.cpp sizes its extraction buffer from the bundle entry Size field, which is only checked for sign and is not validat...
CVE-2026-55783 NanaZip: NULL pointer dereference in Extract() of all seven NanaZip custom archive handlers when extracting/testing the whole archive
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's seven in-house IInArchive handlers in NanaZip.Codecs unconditionally dereference the caller-supplied Indices array inside Extract when the archive engine signals extract everything by passin...
CVE-2026-55782 NanaZip: Unbounded memory allocation (DoS) in NanaZip WebAssembly parser via attacker-controlled section/name length fields
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's WebAssembly archive handler in NanaZip.Codecs.Archive.WebAssembly.cpp allocates buffers from attacker-controlled 32-bit section and custom-name length fields without validating them against...
CVE-2026-3251 XSS in Webremium's Mezunum Satiyorum
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in Webremium Istanbul Web Design Mezunum Satiyorum allows Stored XSS. This issue affects Mezunum Satiyorum: from 1.2.504 through 10072026. NOTE: The vendor was contacted early about this disclosure bu...
CVE-2026-57167 PeerTube: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
PeerTube is an ActivityPub-federated video streaming platform. Prior to 8.2.2, server-side-rendered video watch pages embed a schema.org JSON-LD block by JSON.stringify-ing video metadata without escaping less-than, greater-than, or slash characters, allowing a value containing the byte sequence...
CVE-2026-59193 Grav CMS — Improper Handling of Highly Compressed Data in Installer::unZip()
Grav is a file-based Web platform. Prior to 2.0.0, an authenticated admin.super user can crash Grav or fill the disk by uploading a specially crafted ZIP archive through the Direct Install tool because Installer::unZip calls ZipArchive::extractTo without limits on uncompressed size, entry count, ...
CVE-2026-59190 Grav Admin Plugin — IDOR Privilege Escalation via saveUser()
grav-plugin-admin is an HTML user interface that provides a way to configure Grav and create and modify pages. In 1.10.52 and earlier, an authenticated attacker with admin.users permission can change the password of any user account, including the super administrator, by sending a direct POST...
CVE-2026-1667 SEO Plugin by Squirrly SEO <= 14.0.0 - Unauthenticated Arbitrary Post Creation and Stored Cross-Site Scripting via savePost()
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...
CVE-2026-58493 grav-plugin-database: DSN Parameter Injection via Unsanitized Configuration Values in Connection String Construction
grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, Database::call builds PDO DSN strings by directly concatenating user-configurable YAML values from fields such as host, dbname, charset, server, database, directory, and filename without sanitization or validation, allowing...
CVE-2026-58492 grav-plugin-database: SQL Injection in PDO::tableExists() due to Unsanitized Table Name Interpolation
grav-plugin-database is the database plugin for Grav CMS. Prior to 1.2.0, the PDO::tableExists method interpolates its table argument directly into a raw SQL query string without sanitization, escaping, quoting, or whitelisting, allowing attacker-controlled table names passed by consuming plugin ...
CVE-2026-55890 Grav: Stored CSS injection via Markdown image ?style=… reaches MediaObjectTrait::style()
Grav is a file-based Web platform. Prior to 2.0.0-rc.9, Grav's incomplete fix for stored XSS through the Markdown media attribute action CVE-2026-42841 leaves the sibling MediaObjectTrait::style method reachable through the same Markdown excerpt-action pipeline, allowing an editor to save Markdow...
CVE-2026-15377 Eleveo Call Recording Software sendlogfile improper authorization
A vulnerability was determined in Eleveo Call Recording Software 9.7.0. Affected by this vulnerability is an unknown functionality of the file /callrec/sendlogfile. This manipulation causes improper authorization. The attack may be initiated remotely. The exploit has been publicly disclosed and m...
CVE-2026-55885 Grav: Admin Backup Zip File Exposes Account Credentials and Configuration Secrets
Grav is a file-based Web platform. Prior to 1.7.53, an authenticated administrator with backup permissions can download a ZIP archive containing the full Grav installation root, including user/accounts/admin.yaml with the administrator password hash and user/config with site configuration, throug...
CVE-2026-53653 Grav: Unauthenticated denial of service via unbounded image derivative dimensions
Grav is a file-based Web platform. Prior to 1.7.53 and 2.0.0-rc.8, Grav allows an unauthenticated visitor to exhaust server memory and CPU by requesting image derivatives with oversized dimensions through URL query image actions such as forceResize in Grav::fallbackUrl, which passes request...
CVE-2026-54919 cpp-httplib: TLS certificate chain verification bypassed for IP-literal hosts on Mbed TLS and wolfSSL backends
cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library. In affected Mbed TLS backend versions from 0.31.0 through 0.46.1 and wolfSSL backend versions from 0.33.0 through 0.46.1, when cpp-httplib is built with CPPHTTPLIBMBEDTLSSUPPORT or CPPHTTPLIBWOLFSSLSUPPORT and a...
CVE-2026-39903 Simple Machines Forum Authorization Bypass via AttachmentApprove.php
Simple Machines Forum 2.1 prior to 2.1.8 and 3.0 prior to 3.0 Alpha 5 contains an authorization bypass vulnerability in Sources/Actions/AttachmentApprove.php where a single-character operator error causes the permission check to always pass regardless of user permissions. An authenticated...
CVE-2026-59180 Apprise forwards configured auth headers across cross-origin HTTP redirects
Apprise is an open source library which allows you to send a notification to almost all of the most popular notification services available. Prior to 1.11.0, Apprise HTTP-based notification plugins and HTTP attachment and config loaders in apprise/attachment/http.py and apprise/config/http.py...
CVE-2026-55687 ESF-IDF: Stack-Based Out-of-Bounds Write in JPEG Decoder DQT Marker Parsing
ESF-IDF is the Espressif Internet of Things IOT Development Framework. Versions 6.0.1, 5.5.4, 5.4.4, 5.3.5, and possibly prior contain an out-of-bounds write in jpegparsedqtmarker in components/espdriverjpeg/jpegparsemarker.c because the attacker-controlled DQT marker Tq nibble is used as an inde...
CVE-2026-54063 Excelize: Unbounded Row Index Allocation in Worksheet Parser (checkSheet OOM/Panic DoS)
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet function in github.com/xuri/excelize/v2 uses an attacker-controlled XML attribute value directly as the length argument to makexlsxRow, row without validating it against the Exc...
CVE-2026-59162 Excelize: Negative shared-string index causes panic in GetCellValue and GetRows
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with ...
CVE-2026-59161 Excelize: Streaming GetRows row-bound bypass causes attacker-controlled allocation
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell...
CVE-2026-59154 Wekan: Checklist direct DDP updates can write checklist data into private boards
Wekan is open source kanban built with Meteor. Prior to 9.64, Wekan has a cross-board authorization bypass in the direct Meteor collection allow rules for Checklists and ChecklistItems because updates are authorized only against the current source doc.cardId and do not inspect the destination...
CVE-2026-15376 Eleveo Call Recording Software statisticReportAction.do improper authorization
A vulnerability was found in Eleveo Call Recording Software 9.7.0. Affected is an unknown function of the file /callrec/statisticReportAction.do. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. The vendor...
CVE-2026-53657 Lima: An arbitrary user in a QEMU VM could gain the root privilege in the VM via the guest agent socket
Lima launches Linux virtual machines, typically on macOS, for running containerd. Prior to 2.1.3, on an instance of Lima running with the qemu driver, an arbitrary user in the VM could access /run/lima-guestagent.sock when the guest agent is enabled, which could result in running arbitrary comman...
CVE-2026-56675 9router: Reverse proxy locality collapse allows unauthenticated access to 9router /v1 APIs
9Router is an AI router & token saver. Prior to 0.5.2, 9router treats loopback requests as trusted and allows /v1/ access without an API key, so a same-host reverse proxy that forwards public traffic to the backend through 127.0.0.1 causes src/dashboardGuard.js to misclassify external requests as...
CVE-2026-55638 9router: Unauthenticated LLM proxy access via /codex rewrite authorization bypass
9Router is an AI router & token saver. Prior to 0.5.2, 9router protects /v1, /v1beta, /api/v1, and /api/v1beta in src/dashboardGuard.js but omits /codex before next.config.mjs rewrites /codex/ to /api/v1/responses. A remote unauthenticated attacker can send requests to /codex/ to bypass the API-k...
CVE-2026-55641 9router: Unauthenticated `/v1` proxy access via `Host`-header spoofing → open AI relay + SSRF
9Router is an AI router & token saver. Prior to 0.5.2, 9router determines whether a /v1 LLM proxy request is local by reading the client-controlled Host header, allowing a remote unauthenticated attacker to send Host: localhost and bypass API-key authentication. In the default configuration, this...