417732 matches found
EUVD-2026-39479
Trivy is a security scanner. Prior to 0.71.0, when Trivy scans a Helm chart archive .tgz, its custom tar unpacker reads each entry with io.ReadAlltr and no size limit. An attacker who can place a malicious .tgz file in the scanned path can craft a small compressed archive that decompresses to...
EUVD-2026-39478
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer allocated from a memory...
EUVD-2026-39477
Trivy is a security scanner. Prior to 0.71.1, when Trivy downloads an OCI artifact, it uses the org.opencontainers.image.title annotation from the artifact manifest as the destination filename without validation. An attacker who can make Trivy fetch an attacker-controlled artifact can supply a...
EUVD-2026-39476
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining...
EUVD-2026-39475
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access UMA permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to...
EUVD-2026-39474
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token RAT, could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker...
EUVD-2026-39473
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier URI validation. This is achieved by registering a malicious client with a...
EUVD-2026-39472
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...
EUVD-2026-39471
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access UMA permission checks. By including the configured access-denied page path within a request URL, either as a path...
EUVD-2026-39470
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.1780-lts, the authenticated endpoint POST /api/data-sources/decrypt returns the decrypted plaintext for any credential whose credentialid is supplied in th...
EUVD-2026-39469
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, there's an SSRF in the RestAPI data source component. The RestAPI data source executes HTTP requests server-side, and its private IP filter only...
EUVD-2026-39468
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create...
EUVD-2026-39467
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role free tier can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes...
EUVD-2026-39466
Outline is a service that allows for collaborative documentation. Prior to 1.8.0, the AuthenticationHelper.canAccess function uses ctx.originalUrl to verify if an API key or OAuth token has the required scopes for a request. It extracts the resource by splitting the URL by / and taking the last...
EUVD-2026-39465
Halo is an open source website building tool. Prior to 2.24.3, a path traversal vulnerability in the backup download endpoint allows authenticated administrators to read arbitrary files from the server filesystem. The backup download endpoint GET...
EUVD-2026-39464
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 commit bb58a2d0 added limits: fileSize to createMulterInstance in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that w...
EUVD-2026-39463
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls throu...
EUVD-2026-39462
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/files/images endpoint allows any authenticated user to upload files into any agent's toolresources e.g., context, executecode without verifying ownership or EDIT permission on the target...
EUVD-2026-39461
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the DELETE /api/messages/:conversationId/:messageId endpoint allows any authenticated user to delete any other user's messages. The validateMessageReq middleware only validates that the conversationId...
EUVD-2026-39460
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, LibreChat allows users to configure custom OpenAI-compatible API endpoints by setting a baseURL. This URL is used to construct HTTP requests without any SSRF validation — no private IP check, no scheme...
EUVD-2026-39459
HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences...
EUVD-2026-39458
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2025-7105 added forkIpLimiter and forkUserLimiter rate limiters to POST /api/convos/fork to prevent rapid-fire conversation duplication. However, the POST /api/convos/duplicate endpoint...
EUVD-2026-39457
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.5, LibreChat's MCP OAuth implementation does not validate that the resource parameter from OAuth Protected Resource metadata RFC 9728 matches the configured MCP server URL, allowing a malicious MCP server to...
EUVD-2026-39456
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the POST /api/auth/2fa/backup/regenerate endpoint regenerates all 2FA backup codes without requiring any TOTP token or existing backup code verification. An attacker with a stolen session token can...
EUVD-2026-39455
socat versions 1.8.0.0 through 1.8.1.1 contain a heap-based buffer overflow vulnerability that allows a malicious SOCKS5 proxy server to overwrite adjacent heap memory by exploiting a sign-extension flaw in the DOMAINNAME reply parser. During connection setup, the domain name length byte is read...
EUVD-2026-39454
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user or attacker with a stolen session even when 2FA is already fully enabled on the account. This endpoint overwrites the existi...
EUVD-2026-39453
Missing authentication for critical function vulnerability in HYPR Passwordless on Windows allows Credentials Interception. This issue affects HYPR Passwordless: before 11.1.1...
EUVD-2026-39452
Vim is an open source, command line text editor. Prior to 9.2.0653, the treecountwords function in src/spellfile.c fills in the word-count fields of a spell-file word trie by walking it iteratively with a depth counter. The counter is bounded only by the trie structure itself; it is never checked...
EUVD-2026-39451
Vim is an open source, command line text editor. Prior to 9.2.0662, the dumpprefixes function in src/spell.c walks a spell-file prefix trie iteratively with a depth counter while dumping the prefixes that apply to a word. The counter is bounded only by the trie structure itself; it is never check...
EUVD-2026-39450
Vim is an open source, command line text editor. Prior to 9.2.0663, a Vimscript code injection vulnerability exists in s:NetrwLocalRmFile in the netrw plugin runtime/pack/dist/opt/netrw/autoload/netrw.vim when deleting a local file from the browser. A filename derived from the buffer's directory...
EUVD-2026-39449
Vim is an open source, command line text editor. Prior to 9.2.0670, gettextprops in src/textprop.c reads a uint16 property count stored inline after a line's text and returns it as the number of 32-byte textpropT entries that follow. The only check is a floor that guarantees room for a single...
EUVD-2026-39448
Vim is an open source, command line text editor. Prior to 9.2.0671, when Vim opens a file encrypted with the VimCrypt04! or VimCrypt05! method xchacha20poly1305, requires the +sodium feature whose body is shorter than a single libsodium secretstream header, an unsigned length calculation underflo...
EUVD-2026-39447
The K2 article gallery upload path accepts a zip/tar archive, extracts it under /media/k2/galleries//, and only renames image files gif/jpg/jpeg/png/webp to safe names — non-image files including .php are extracted as-is and remain executable via direct HTTP access...
EUVD-2026-39446
Vim is an open source, command line text editor. From 9.1.1784 until 9.2.0678, when the bundled zip plugin autoload/zip.vim falls back to PowerShell to browse, read, extract, update or delete entries in a zip archive, it builds the PowerShell command by inserting archive entry names that are quot...
EUVD-2026-39445
A Joomla user with K2 "create item" rights Author tier by default can submit an article whose embedVideo POST field contains a raw tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page...
EUVD-2026-39444
List::SomeUtils::XS versions before 0.59 for Perl have a heap buffer overflow in the pairwise function. pairwise collects the values returned by the block into a heap buffer sized to the longer input array, then grows the buffer before each copy with a single quadrupling alloc = 2 instead of a...
EUVD-2026-39443
The K2 frontend item.checkin task accepts an unauthenticated sigProFolder query parameter and uses it directly to address a JFolder::delete call under /media/k2/galleries/...
EUVD-2026-39442
The K2 frontend article-attachment upload path accepts files whose extension is .php, and Apache's standard modphp matches .php$ and executes them under the K2 web user. A K2 Author can upload a shell.php, then fetch /media/k2/attachments/shell.php and execute arbitrary PHP code in the web...
EUVD-2026-39441
Vim is an open source, command line text editor. From 9.2.0320 until 9.2.0679, a crafted undo or swap file can store a virtual-text property whose offset and length point outside the line's property data. When Vim restores or displays such a line it converts the offset into a pointer and reads th...
EUVD-2026-39440
The K2 frontend article-save handler accepts an attachmentNexisting POST field that is concatenated with JPATHSITE/ and passed to JFile::copy. JPath::clean does NOT strip .., and there is no allow-list of source paths. An Author can therefore copy configuration.php or any other file readable by t...
EUVD-2026-39439
K2 ≤ 2.26 renders the k2users.image column directly into HTML src attributes via two distinct templates, in both cases without HTML escaping...
EUVD-2026-39438
K2 ≤ 2.24 contains a mass-assignment defect in the K2 system user plugin plguserk2. A Registered Joomla user, by including the field K2UserForm=1 in a standard comusers profile.save POST, can write arbitrary values into the notes, image, and plugins columns of their own row in the k2users table —...
EUVD-2026-39437
Vim is an open source, command line text editor. Prior to 9.2.0698, the single-byte branch of spellsoundfoldsofo in src/spell.c translates a word through a spell file's SOFO sound-folding byte map into a caller-owned result buffer. Its copy loop advances the output index ri with no upper bound an...
EUVD-2026-39436
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim executes reconstructed function and class definitions from the current buffer with exec as part of populating the completion...
EUVD-2026-39435
CWE-617 Reachable Assertion vulnerability exists that could allow an authenticated attacker to trigger a denial-of-service condition, impacting system availability when a specially crafted request is sent to a vulnerable network-exposed service...
EUVD-2026-39434
CWE-78 Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts wi...
EUVD-2026-39433
CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the device’s HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces...
EUVD-2026-39432
3X-UI is a web control panel for managing Xray-core servers. Prior to 3.3.1, an authenticated administrator can abuse the database import functionality to achieve arbitrary file write on the host by modifying Xray configuration values stored in the database. This can be leveraged to obtain code...
EUVD-2026-39431
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files...
EUVD-2026-39430
CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system files. With this credential an attacker could subsequently compromise the devic...