163253 matches found
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...
CVE-2026-9007 Reflected XSS in HCL Notes
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in HCL Notes from HCL Software allows reflected Cross-Site Scripting XSS. Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of another user. This issue affects...
CVE-2026-55242 ERPNext: Server-Side Template Injection (SSTI) in Batch autonaming via Stock Settings.naming_series_prefix
ERPNext is a free and open source Enterprise Resource Planning tool. Prior to 15.111.0 and 16.22.0, an authenticated user with a standard operational role can trigger server-side template injection through a configuration field, resulting in unauthorized disclosure of data outside the user's norm...
CVE-2026-50147 Metabase: Arbitrary File Read via MySQL Connection Property Injection
Metabase is an open-source business intelligence and embedded analytics tool. From 1.57.0 until 1.57.19.1, 1.58.14.1, 1.59.10, and 1.60.4, an attacker who can configure a Metabase database connection can read arbitrary files from the Metabase server's filesystem by adding unsafe JDBC parameters t...
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile
Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teamsinvitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session base...
CVE-2026-60005 NGINX ngx_http_slice_module vulnerability
NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpslicemodule module. When the slice directive and unnamed regex captures are configured or when a background cache update happens, unauthenticated attackers can send requests that may cause uninitialized memory access in the NGINX...
CVE-2026-47160 Vaultwarden: Server-side request forgery (SSRF) via Icon Endpoint Decimal/Hex/Octal IP Bypass
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's /icons/domain/icon.png endpoint used src/httpclient.rs checks including shouldblockaddress and postresolve that missed decimal, hexadecimal, and octal IP representations, allowing SSRF through the...
CVE-2026-47164 Vaultwarden: SSO Email Auto-Link Can Bind an Existing Local Account to an Attacker-Controlled IdP Identity
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO login flow checked the IdP emailverified claim only for new-user creation and not when SSOSIGNUPSMATCHEMAIL=true linked an IdP identity to an existing local account, allowing an attacker-controlled Id...
CVE-2026-47159 Vaultwarden: Authentication Flow Information Disclosure in SSO Discovery Allows Organization Enumeration and Pre-Validation Token Exposure
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.36.0, Vaultwarden's SSO discovery and pre-validation flow returned organization-related SSO metadata including organizationIdentifier values for arbitrary email addresses and allowed a valid pre-validation JWT to be obtained...
CVE-2026-46709 Tabby: Drag-and-drop path injection still allows RCE via shell command substitution (incomplete fix for CVE-2026-45038)
Tabby formerly Terminus is a highly configurable terminal emulator. Prior to 1.0.234, Tabby inserts dropped file paths from tabby-electron/src/pathDrop.ts into the active shell without neutralizing command substitution metacharacters such as $… and …, so the incomplete CVE-2026-45038 fix for...
CVE-2026-41580 Stirling-PDF: Reflected XSS through crafted PDF metadata fields (Title and Author)
Stirling-PDF is a locally hosted web application that facilitates various operations on PDF files. Prior to 2.0.0, Stirling-PDF's /get-info-on-pdf endpoint rendered PDF Title and Author metadata fields without proper HTML encoding or sanitization, allowing a crafted PDF to execute...
CVE-2026-61828 nixos/mysql : `services.mysql` is configured with insecure authentication by default when used with `mysql` or `percona-server`
Nixpkgs is a collection of software packages that can be installed with the Nix package manager. Prior to the 25.11 and 26.05 channel fixes, the NixOS module for MySQL services.mysql initializes the MySQL database in a way that allows local users, such as unprivileged web or CGI processes on the...
CVE-2026-54563 Cloudreve: Path Traversal / Broken Access Control in Cloudreve WebDAV (`/dav`) — scoped DAV credential escapes its configured account root
Cloudreve is a self-hosted file management and sharing system. Prior to 4.16.1, a Cloudreve WebDAV account rooted at a configured folder can send paths such as /dav/%2e%2e/outside.txt because stripPrefix in pkg/webdav/webdav.go joins the decoded request suffix to the account root with...
CVE-2026-56434 NGINX ngx_http_ssi_module vulnerability
NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpssimodule module. This vulnerability may exist when the Server-Side Includes SSI, proxypass, and proxybuffering off directives are configured. With this configuration, an unauthenticated attacker with man-in-the-middle MITM abili...
CVE-2026-60065 NGINX Plus ngx_stream_mqtt_filter_module vulnerability
When NGINX Plus is configured to use the Message Queuing Telemetry Transport MQTT filter module ngxstreammqttfiltermodule, unauthenticated attackers can send requests with conditions beyond the attacker's control to cause a heap buffer over-read in the NGINX worker process, leading to a restart...
CVE-2026-52865 NGINX Ingress Controller vulnerability
When NGINX Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify Ingress or TransportServer resources can cause the NGINX Ingress Controller process to terminate. Impact: The NGINX Ingress Controller control plane...
CVE-2026-42533 NGINX Map directive and Regex matching vulnerability
A vulnerability exists in NGINX Plus and NGINX Open Source when a map directive uses regex matching and a string expression references the map's regex capture variables before referencing the map output variable. Alternatively, the same result could be achieved by using a non-cacheable variable i...
CVE-2026-60062 NGINX Agent Vulnerability
The NGINX Agent configdirs directive allows a low-privileged attacker to gain limited read and write access to files outside of the designated secure directory. The configdirs directive required for this issue can also be configured through NGINX Instance Manager. A successful exploit may allow a...
CVE-2026-55723 NGINX Ingress Controller vulnerability
When NGINX Ingress Controller is configured with Custom Resource Definitions CRDs or Ingress annotations, an injection vulnerability exists in the configuration generator of NGINX Ingress Controller. Multiple user-controllable fields are written into the generated NGINX configuration without...
CVE-2026-59762 BIG-IP HTTP/2 vulnerability
When an HTTP/2 profile is configured on a virtual server, undisclosed requests can cause an increase in memory resource utilization. Impact: System performance can degrade until the TMM process is either forced to restart or is manually restarted. This vulnerability allows a remote,...
CVE-2026-61644 FastGPT: /api/core/chat/record/getCollectionQuote can disclose cross-tenant dataset text due to an unbound initialId lookup
FastGPT is a knowledge-based AI application platform. From 4.14.17 until 4.15.0-beta5, the POST /api/core/chat/record/getCollectionQuote endpoint authenticates the caller's chat and collection context, but the initialId center-node lookup is not bound to that authorized context. A low-privileged...
CVE-2026-61836 Directus: Authorization-dependent response served from unsegmented cache key
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 12.0.0, when response caching is enabled, the cache-key derivation in api/src/utils/get-cache-key.ts includes version, path, query, and accountability.user but omits authorization context such as share, role...
CVE-2026-61740 LightRAG: Authentication bypass: hardcoded DEFAULT_TOKEN_SECRET and public /auth-status defeat LIGHTRAG_API_KEY protection
LightRAG provides simple and fast retrieval-augmented generation. Prior to 1.5.4, when LightRAG is deployed with LIGHTRAGAPIKEY set but AUTHACCOUNTS unset, X-API-Key protection can be bypassed because lightrag/api/auth.py falls back to a hardcoded DEFAULTTOKENSECRET, /auth-status and /login can...
CVE-2026-58559
DoS vulnerability in the vibration service. Impact: Successful exploitation of this vulnerability may affect availability...
CVE-2026-58558
Permission control vulnerability in the file system. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58556
Permission control vulnerability in the Bluetooth module. Impact: Successful exploitation of this vulnerability may affect availability...
CVE-2026-15779 Samba-winbind: samba: pam_winbind mkhomedir chowns critical system paths without validation
A flaw was found in samba's pamwinbind. When mkhomedir is enabled, pamwinbind chowns the target account's home directory without validating the path is not a critical system directory such as /. On affected systems, accounts with / as their home directory a common default for system accounts can...
CVE-2026-15809 Github.com/cri-o/cri-o: fix bypass for cve-2022-4318 — /etc/passwd injection via home env
A flaw was found in CRI-O. The fix for a previous vulnerability CVE-2022-4318 was incorrect, allowing it to be bypassed. An attacker capable of setting environment variables on a container can inject a newline character into the HOME environment variable. This issue allows the addition of arbitra...
CVE-2026-58557
Design defect vulnerability in Expedition mode. Impact: Successful exploitation of this vulnerability may affect availability...
CVE-2026-58554
Permission control vulnerability in the Settings module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58555
Permission bypass vulnerability in the card module. Impact: Successful exploitation of this vulnerability may affect availability...
CVE-2026-58553
Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58552
Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58551
Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58550
Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-58549
Out-of-bounds read vulnerability in the image codec module. Impact: Successful exploitation of this vulnerability may affect service confidentiality...
CVE-2026-61872 ImageMagick before 7.1.2-26 Memory Leak via TIFF Encoder
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the TIFF encoder when an invalid tiff:tile-geometry is specified. Supplying malformed tile geometry parameters causes allocated memory not to be released, which can lead to increased memory consumption...
CVE-2026-61871 ImageMagick before 7.1.2-26 Memory Leak in ICON decoder
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the ICON decoder that occurs when a memory allocation fails. Processing a crafted ICON file that triggers an allocation failure leaks memory, which may lead to a denial of service...
CVE-2026-61868 ImageMagick before 7.1.2-26 Memory Leak in YUV Decoder
ImageMagick before 7.1.2-26 and 6.9.x before 6.9.13-51 contains a memory leak in the YUV decoder that occurs when opening of the blob fails. Repeated triggering can lead to resource exhaustion denial of service...
CVE-2026-61867 ImageMagick before 7.1.2-26 Memory Leak in TIFF Encoder
ImageMagick before 7.1.2-26 contains a memory leak vulnerability in the TIFF encoder when memory allocation fails. Attackers can trigger allocation failures during TIFF image processing to cause memory exhaustion and denial of service...
CVE-2026-61865 ImageMagick before 7.1.2-26 Memory Leak in Hough Lines
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in the hough lines operation: when a specific operation fails, a small memory leak occurs...
CVE-2026-61864 ImageMagick before 7.1.2-26 Memory Leak in Log Colorspace
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a memory leak in color transformation to the log colorspace: when the operation fails, a small amount of memory is not released...
CVE-2026-61862 ImageMagick before 7.1.2-26 Information Disclosure via identify
ImageMagick before 7.1.2-26 and 6.9.13-51 contains an information disclosure vulnerability: when a profile is displayed with the identify command and the profile value is not printable, a single byte at the end of the profile can be printed read past the profile boundary. This behavior occurs whe...
CVE-2026-61860 ImageMagick before 7.1.2-26 Use-After-Free via freetype
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a use-after-free vulnerability that occurs when freetype initialization fails: the method does not exit and continues to use memory that was already freed. This can be triggered during image processing and may lead to a denial of service...
CVE-2026-61464 ImageMagick before 7.1.2-26 Heap Buffer Over-Write via X11
ImageMagick before 7.1.2-26 and 6.9.13-51 contains a heap-based buffer over-write vulnerability that occurs when running an X11 import with a crafted window title, which can result in heap memory corruption and denial of service...
CVE-2026-61457 Grav before 1.0.3 Remote Code Execution via File Upload Extension Bypass
The Grav API plugin getgrav/grav-plugin-api before 1.0.3 contains a file upload extension bypass in the API media controller. HandlesMediaUploads::validateFileExtension inspects only the final file extension via pathinfo$filename, PATHINFOEXTENSION, so a user with api.media.write permission can...
CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens
The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...
CVE-2026-61451 Grav before 1.0.4 Password Reset Token Poisoning via admin_base_url
The Grav API plugin grav-plugin-api before 1.0.4 does not validate the origin of the client-supplied adminbaseurl field in the POST /api/v1/auth/forgot-password endpoint. The sanitizeHttpUrl function only checks that the URL scheme is http/https and never verifies the host against the server's ow...
CVE-2026-61446 PraisonAI before 1.6.78 Remote Code Execution via Plugin Auto-Discovery
PraisonAI praisonaiagents before 1.6.78 contains a remote code execution vulnerability in the plugin manager, which loads and executes arbitrary Python .py files from project-level and user-home .praisonai/plugins/ directories using importlib specfromfilelocation and execmodule without code...
CVE-2026-61443 PraisonAI before 1.6.78 Remote Code Execution via SkillTools
PraisonAI before 1.6.78 contains a remote code execution vulnerability in SkillTools.runskillscript that executes scripts without path containment validation. Attackers can supply absolute file paths to execute arbitrary scripts from any filesystem location, including those outside the intended...