364744 matches found
CVE-2026-42952
Previously, there was no throttling on repeated authentication attempts to the charging station backend, which could allow an attacker to execute a denial-of-service attack...
CVE-2026-44383
Multiple connections to the backend using the same charging station ID are allowed, which could allow an attacker to deploy multiple instances of malicious OCPP clients to overwhelm the backend...
CVE-2026-55175
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to versions 2026.1.1, 2026.0.3, 2025.4.4, and 2025.3.4 on their respective release lines, Kustomize bake operations allow unsafe YAML tag processing in rosco manifests. This can lead to remote code execution on rosco pod...
CVE-2026-14480
OpenPLC Runtime v3 contains an authenticated arbitrary file write vulnerability in the legacy web UI program‑upload workflow. The application stores an attacker‑supplied filename progfile directly into the Programs.File database field and later uses this value as the destination path for an...
CVE-2026-15086
vulnerability in Drupal Raw Formatter Meta Tag Formatter allows . This issue affects Raw Formatter Meta Tag Formatter versions:...
CVE-2026-15087
vulnerability in Drupal Clean RESTful allows . This issue affects Clean RESTful versions:...
CVE-2026-15089
vulnerability in Drupal Commerce guest registration allows . This issue affects Commerce guest registration versions:...
CVE-2026-20744
The charging station websocket endpoint accepts connections without proper authentication, which could lead to privilege escalation...
CVE-2026-14286
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
CVE-2026-11913
vulnerability in Drupal Mother May I allows . This issue affects Mother May I versions:...
CVE-2026-11914
vulnerability in Drupal Composer allows . This issue affects Composer versions:...
CVE-2026-11915
vulnerability in Drupal Brute force attack protection allows . This issue affects Brute force attack protection versions:...
CVE-2026-58590
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0...
CVE-2026-58589
Missing Authorization vulnerability in Drupal FlowDrop allows Forceful Browsing. This issue affects FlowDrop versions: from 0.0.0 to 1.6.0...
CVE-2026-58588
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting XSS. This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1...
CVE-2026-58591
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Colorbox allows Cross-Site Scripting XSS. This issue affects Colorbox versions: from 0.0.0 to 2.1.5, from 0.0.0 to 2.2.0...
CVE-2026-59155
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. Prior to 2.2.5, the GET /api/v1/ddns and GET /api/v1/notification endpoints return full resource objects including plaintext third-party API credentials, including Cloudflare API tokens, TencentCloud...
CVE-2026-55883
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.24.0 through 0.37.3, the Tilt HUD WebSocket at /ws/view is gated by a CSRF token, but the token is served by the unauthenticated /api/websockettoken endpoint and the upgrader accepts clients that omit an Origin...
CVE-2026-58503
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...
CVE-2026-57584
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...
CVE-2026-58587
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal Canvas allows Cross-Site Scripting XSS. This issue affects Drupal Canvas versions: from 0.0.0 to 1.4.2, from 1.5.0 to 1.5.2, from 1.6.0 to 1.6.1, from 1.7.0 to 1.7.1...
CVE-2026-55884
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.20.8 through 0.37.3, the Tilt HUD HTTP server registers handlers on a gorilla/mux router with no authenticating middleware. When the HUD is bound to a non-loopback address, an unauthenticated network caller can...
CVE-2026-55882
Tilt defines dev environments as code for microservice apps on Kubernetes. From 0.19.5 through 0.37.3, the Tilt HUD server mounts Go net/http/pprof handlers under /debug with no access control. When the HUD or apiserver listener is network-exposed, an unauthenticated caller can read process memor...
CVE-2026-55187
Mailpit is an email testing tool and API for developers. Prior to 1.30.2, the remediation shipped for CVE-2026-27808 is incomplete because the tools.IsInternalIP deny-list in internal/tools/net.go relies on Go's standard library classification helpers and does not block IPv6 transition mechanisms...
CVE-2026-55807
Server-Side Request Forgery SSRF vulnerability in Drupal Drupal core allows Server Side Request Forgery. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1...
CVE-2026-55806
URL Redirection to Untrusted Site 'Open Redirect' vulnerability in Drupal Drupal core allows Content Spoofing. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0., from 0.0.0 to 11.1...
CVE-2026-55809
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Flag attendance field allows Object Injection. This issue affects Flag attendance field versions: from 0.0.0 to 1.2...
CVE-2026-55803
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...
CVE-2026-55804
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Drupal core allows Object Injection. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0.0 to 11.0.,...
CVE-2026-55808
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal Drupal core allows Cross-Site Scripting XSS. This issue affects Drupal core versions: from 0.0.0 to 10.5.12, from 10.6.0 to 10.6.11, from 11.2.0 to 11.2.14, from 11.3.0 to 11.3.12, from 0.0....
CVE-2026-55852
Frappe is a full-stack web application framework. Prior to 16.23.0 and 15.112.0, TarSlip RCE was possible in Package Import because tarfile members were not sufficiently checked before extraction. This issue is fixed in versions 16.23.0 and 15.112.0...
CVE-2026-55810
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal Plotly.js Graphing allows Object Injection. This issue affects Plotly.js Graphing versions: from 0.0.0 to 3.0.2...
CVE-2026-47422
Frappe is a full-stack web application framework. Prior to 15.107.5 and 16.18.2, an endpoint in reportview lacked appropriate permission checks and that has since been fixed. This vulnerability is fixed in 15.107.5 and 16.18.2...
CVE-2026-48127
Frappe is a full-stack web application framework. Prior to 16.20.0 and 15.110.0, users without write access could attach files to any doctype through file-handling API endpoints such as addattachments. This issue is fixed in versions 16.20.0 and 15.110.0...
CVE-2026-49394
Frappe is a full-stack web application framework. Prior to 16.19.0, authorization bypass was possible via the updatepage endpoint in Workspace because public workspaces did not receive the required Workspace Manager edit check. This issue is fixed in version 16.19.0...
CVE-2026-54736
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.14.1, Phalcon\Encryption\Crypt::decrypt compares the attacker-supplied HMAC tag against the freshly computed HMAC using PHP/Zephir identity comparison, which lowers to a byte-wise comparison that returns early on the first...
CVE-2026-49213
TypeBot is a chatbot builder tool. Prior to 3.17.2, Typebot's shared SSRF validator in packages/lib/src/ssrf/validateHttpReqUrl.ts can be bypassed with the IPv6 unspecified address :: because validateIPAddress blocks local, metadata, and private ranges but does not block :: or its expanded form. ...
CVE-2026-52747
ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. Prior to 3.0.16, the multipart/form-data request body parser in libmodsecurity silently removes embedded line breaks from non-file form-field values before exporting them to ARGS and...
CVE-2026-52761
ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. From 3.0.0 through 3.0.15, the t:utf8toUnicode transformation in src/actions/transformations/utf8tounicode.cc produces wrong output on i386 architecture because snprintf uses sizeof on a...
CVE-2026-49844
Improper encoding of non-finite floating-point values during MapMessage JSON serialization in Apache Log4j API produces output that is not valid JSON. This issue affects Apache Log4j API versions 2.13.1 through 2.25.4 and version 2.26.0. The fix for CVE-2026-34481 did not cover all code paths: wh...
CVE-2026-15083
Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Drupal ECA: Event - Condition - Action allows Object Injection. This issue affects ECA: Event - Condition - Action versions: from 0.0.0 to 2.1.20, from 3.0.0 to 3.0.12, from 3.1.0 to 3.1.4...
CVE-2026-42219
Frappe is a full-stack web application framework. Prior to 16.19.0 and 15.109.0, path traversal via downloadbackups was possible due to lack of hardening. This issue is fixed in versions 16.19.0 and 15.109.0...
CVE-2026-15085
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal AI SEO/GEO Analyzer allows Stored XSS. This issue affects AI SEO/GEO Analyzer versions: from 0.0.0 to 1.1.3...
CVE-2026-47199
Frappe is a full-stack web application framework. Prior to 16.18.3 and 15.108.0, checksafesqlquery permitted SELECT INTO OUTFILE queries, which could potentially work on self-hosted sites if database permissions are not well aligned and MySQL FILE privileges are available. This issue is fixed in...
CVE-2026-44795
Spinnaker is an open source, multi-cloud continuous delivery platform. Prior to 2026.1.0, 2026.0.3, 2025.4.4, and 2025.3.3, unsafe YAML processing bypasses safe deserialization when using CloudFormation deployments or CloudFoundry baking. The use of a non-safe constructor allows arbitrary loading...
CVE-2026-41482
Frappe is a full-stack web application framework. Prior to 16.18.3, possible path traversal and local file inclusion were possible through secure local resource access in the Chrome PDF Generator. This issue is fixed in version 16.18.3...
CVE-2026-15084
Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal UI Patterns SDC in Drupal UI allows Stored XSS. This issue affects UI Patterns SDC in Drupal UI versions: from 2.0.0 to 2.0.17...
CVE-2026-13242
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Drupal Geolocation Field allows SQL Injection. This issue affects Geolocation Field versions: from 0.0.0 to 3.15.0...
CVE-2026-13239
Missing Authorization vulnerability in Drupal WissKI allows Forceful Browsing. This issue affects WissKI versions: from 0.0.0 to 4.2.0...
CVE-2026-13241
Missing Authorization vulnerability in Drupal Paragraphs allows Forceful Browsing. This issue affects Paragraphs versions: from 0.0.0 to 1.21.0...