163353 matches found
CVE-2026-62353 TDengine: Authenticated Out-of-Bounds Read in SQL Lexer tGetToken
TDengine is a time-series database optimized for Internet of Things devices. Prior to 3.4.1.14, source/libs/parser/src/parTokenizer.c tGetToken incremented past a trailing backslash in a SQL string literal such as 'abc\ and read one byte beyond the null terminator, allowing an authenticated user...
CVE-2026-62351 TDengine: Unauthenticated Remote Denial of Service via Out-of-Bounds Read in transDecompressMsg
TDengine is a time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, source/libs/transport/src/transComm.c transDecompressMsg read STransCompMsg.contLen when pHead-comp == 1 without first validating that the RPC packet contained the 8-byte STransCompMsg structure, causi...
CVE-2026-62349 TDengine: Off-by-One Buffer Overflow
TDengine is an open source, time-series database optimized for Internet of Things devices. In 3.4.1.6 and earlier, source/libs/parser/src/parUtil.c trimString checks space for only one byte before processing SQL string escape sequences %, , or \x, allowing a one-byte out-of-bounds write to the...
CVE-2026-46421 Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service)
The SAP Cloud Application Programming Model is a tool for building enterprise-grade cloud applications, and cap-js/cds-dbs is the monorepo for SQL database services for that tool. On April 29, 2026, compromised versions of @cap-js/[email protected], @cap-js/[email protected], and @cap-js/[email protected]....
CVE-2026-62355 TDengine: Standard User permission unexpect
TDengine is an open source, time-series database optimized for Internet of Things devices. Prior to 3.4.1.15, a Data Reader adminuser on a TDengine Cloud DB instance could run create udf even though standard users should have read-only permissions for non-database objects and show dnodes and crea...
CVE-2026-26032 Apache Ivy: PackagerResolver path traversal vulnerability
The PackagerResolver of Apache Ivy is able to download online artifacts and to repackage them in a format defined by a packager.xml file. This repackaging is done by an Ant script, which is stored in a subdirectory of the configured "buildRoot" directory. This subdirectory is calculated based on...
CVE-2026-15746 Credential disclosure in Strands Agents Tools elasticsearch_memory tool
Strands Agents is an open-source Python SDK for building and running AI agents. The strands-agents-tools package provides pre-built tools for use with the SDK, including the elasticsearchmemory tool for agent memory storage. We identified CVE-2026-15746, a server-side request forgery SSRF issue i...
CVE-2026-12997 Gravity Forms <= 2.10.4 - Unauthenticated Arbitrary File Read via 'gform_uploaded_files' Parameter
The Gravity Forms plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.10.4 via the 'gformuploadedfiles' parameter parameter. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain...
CVE-2026-49987 Repomix: Command Injection (RCE) via `--remote-branch` Argument Injection
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection th...
CVE-2026-62947 OpenWrt: ACL bypass and arbitrary root file read via cgi-io cgi-download
OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, the cgi-download handler in cgi-io authorizes the requested path against the caller's ubus session file ACL before canonicalization, and rpcd session.c uses fnmatch without FNMPATHNAME, allowing traversal such as an...
CVE-2026-62948 OpenWrt odhcpd/LuCI: unauthenticated DHCPv6 client can inject lease-file lines via FQDN hostname → stored XSS in the LuCI admin UI
OpenWrt is a Linux operating system targeting embedded devices. Prior to 25.12.5, odhcpd writes a DHCPv6 client FQDN option 39 hostname into /tmp/odhcpd.leases through src/statefiles.c statefileswritestate6 and statefileswritestate4 without escaping, allowing newline injection of forged lease lin...
CVE-2026-40501 Cherry Studio RCE via SearchService nodeIntegration Misconfiguration
Cherry Studio versions 1.2.2 through 1.9.12, fixed in commit 1518530, contain a remote code execution vulnerability in SearchService that allows remote attackers to execute arbitrary code by delivering malicious JavaScript through controlled search provider content loaded into an Electron...
CVE-2026-10673 Out-of-bounds write in ADIN2111/ADIN1110 OA SPI Ethernet RX frame reassembly
The Zephyr ADIN2111/ADIN1110 10BASE-T1S/T1L Ethernet driver drivers/ethernet/ethadin2111.c reassembles received Ethernet frames in OPEN Alliance OA SPI mode by copying device-supplied 64-byte data chunks into a fixed static buffer ctx-buf of size CONFIGETHADIN2111BUFFERSIZE default 1524 bytes. In...
CVE-2026-53517 Better Auth OAuth Provider: Refresh Token Rotation Race Condition Allows Concurrent Replay and Token Family Forking
Better Auth is an authentication and authorization library for TypeScript. From 1.4.8-beta.7 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint on the refreshtoken grant performs a non-atomic read, validate, revoke, and mint sequence on the oauthRefreshToken row, allowing...
CVE-2026-56687
Dell ThinOS 10, versions prior to 260510.2100, contain an Obsolete Feature in UI vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Unauthorized access...
CVE-2026-45337 Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the deviceAuthorization plugin treats any authenticated session as the owner of any pending device code because GET /device does not claim the row and POST /device/approve and POST /device/deny...
CVE-2026-56087
Dell ThinOS 10, versions prior to 260510.2100 contain a Protection Mechanism Failure vulnerability. An attacker with physical access could potentially exploit this vulnerability, leading to unauthorized access to encrypted data...
CVE-2026-53515 Better Auth: Privilege escalation via SSO provider registration: missing admin role check in @better-auth/sso
Better Auth is an authentication and authorization library for TypeScript. From 1.2.10 until 1.6.11, the @better-auth/sso plugin's POST /sso/register endpoint lets any organization member attach a new SSO provider to that organization because registerSSOProvider checks only for a membership row a...
CVE-2026-12382 Aap-gateway: missing requestheaderstoremove allows mtls bypass via subject header spoofing
A flaw was found in the AAP Gateway Envoy proxy configuration. The non-mTLS route to EDA event streams does not remove the Subject HTTP header from client requests, despite the source code defining requestHeadersToRemove for this header. An unauthenticated remote attacker can inject a spoofed...
CVE-2026-20298 Sensitive Information Disclosure through the storage/passwords REST Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.3.2512.15, 10.2.2510.18, and 10.1.2507.24, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could view stored credential hashes...
CVE-2026-20296 SPL Command Safeguards Bypass through Cross-Site Request Forgery (CSRF) in Deployment Server in Splunk Enterprise
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, and 9.4.13, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.7, 10.3.2512.16, 10.2.2510.18, and 10.1.2507.24, an attacker could trick a user that holds a role with the listdeploymentserver capability into running arbitrary...
CVE-2026-20297 Path Traversal through 'explicit_appname' in the App Install REST Endpoint in Splunk Enterprise
In Splunk Enterprise versions below 10.4.1, 10.2.5, 10.0.8, 9.4.13, and 9.3.14, and Splunk Cloud Platform versions below 10.5.2605.0, 10.4.2604.6, 10.2.2510.18, and 10.1.2507.24, a user who holds a role that contains the editlocalapps and installapps capabilities could cause a legitimate app...
CVE-2026-53518 Better Auth OAuth Provider: Race Condition in Authorization Code Exchange Enables Multi-Use Code Redemption
Better Auth is an authentication and authorization library for TypeScript. From 1.6.0 until 1.6.11, the @better-auth/oauth-provider POST /oauth2/token endpoint for the authorizationcode grant redeems a single-use authorization code through a non-atomic find-then-delete sequence, allowing two...
CVE-2026-53513 Better Auth: Server-side request forgery via unvalidated OIDC endpoints on @better-auth/sso provider registration
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, the @better-auth/sso plugin's POST /sso/register and POST /sso/update-provider endpoints accept attacker-controlled oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint URLs when skipDiscovery: tru...
CVE-2026-53516 Better Auth: Account takeover via OAuth auto-link to unverified pre-registered email
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.6.11, Better Auth's OAuth callback auto-link gate in handleOAuthUserInfo accepts implicit account linking when the OAuth provider asserts emailverified: true without requiring the local user row's emailVerified...
CVE-2026-14961 CVE-2026-14961
Pegatron Tdelo64.sys exposes a privileged device interface, \.\TdeIo, that fails to properly restrict access to sensitive IOCTL functionality. The driver's IOCTL dispatcher does not validate caller privileges or verify user-supplied kernel memory addresses before performing memory operations. By...
CVE-2026-62389 ws < 8.21.1 Default maxFragments Allows Memory Exhaustion DoS
ws before 8.21.1 contains a memory exhaustion vulnerability in lib/receiver.js where the fragment guard only triggers when fragment count reaches maxFragments, allowing attackers to exhaust memory by sending incomplete fragmented WebSocket messages. Attackers can send a text frame with FIN=0...
CVE-2026-59258 immich < 3.0.3 Shared Album Editor Ownership Takeover via updateUser
immich before 3.0.3 contains a broken access control vulnerability in the PUT /albums/:id/user/:userId endpoint that allows shared album editors to modify member roles without owner-only restrictions. Attackers with editor access can demote the album owner to editor and promote themselves to owne...
CVE-2026-59255 BloodHound Missing Authorization on Custom Node Management API
BloodHound through 9.4.0, fixed in commit 8f79035, contains a missing authorization vulnerability in the custom-nodes API endpoints that allows any authenticated user to modify the global graph schema. Attackers with valid session tokens can create, update, or delete custom node types affecting a...
CVE-2026-58660 Kanboard BoardAjaxController Missing Ownership Check via Drag-and-Drop
Kanboard through 1.2.52, fixed in commit 564cc30, BoardAjaxController save method used by the kanban board drag-and-drop endpoint validates the caller's role on the attacker-supplied projectid but never verifies that the supplied taskid actually belongs to that project. Because task identifiers a...
CVE-2026-58658 GPUStack Unauthenticated Information Disclosure via Worker Endpoints
GPUStack through 2.2.1, fixed in commit 4e20551, contains an unauthenticated information disclosure vulnerability that allows unauthenticated attackers to access sensitive inference logs and modify worker configuration by exploiting unprotected /serveLogs and /debug endpoints on the worker port...
CVE-2026-50562 FastGPT: Untrusted PR artifacts are pushed and deployed by privileged preview workflows
FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged...
CVE-2026-1563 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Reflected Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...
CVE-2026-1562 Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting (XSS) vulnerability in a user interface component. Requires a high privileged user with a developer role.
Pega Platform versions 8.1.0 through 25.1.2 are affected by an Stored Cross-site scripting XSS vulnerability in a user interface component. Requires a high privileged user with a developer role...
CVE-2025-32781 Apollo: Apollo Portal release endpoint allows cross-application configuration disclosure via releaseId
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/env/releases/releaseId while...
CVE-2026-59954 Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration data when AccessKey or management key authentication is enabled because ConfigService can accept a...
CVE-2026-59955 Apollo ConfigService access key authentication bypass via raw config file appId parsing
Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey or management key authentication is enabled because requests under...
CVE-2026-45793 Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs
Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...
CVE-2026-20187 Cisco RoomOS Security Hardening Release - Exceptional Conditions Handling Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-20158 Cisco RoomOS Security Hardening Release - Resource Lifetime Management Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-20153 Cisco RoomOS Security Hardening Release - Input Validation Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-20157 Cisco RoomOS Security Hardening Release - Missing Encryption Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-20156 Cisco RoomOS Security Hardening Release - Buffer Management Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-20146 Cisco Identity Services Engine Path Traversal Vulnerability
A vulnerability in Cisco Identity Services Engine ISE and Cisco ISE Passive Identity Connector ISE-PIC could allow an authenticated, remote attacker to perform path traversal attacks on the underlying operating system to either read or delete arbitrary files. To exploit this vulnerability, the...
CVE-2026-20150 Cisco RoomOS Security Hardening Release - Access Control Vulnerabilities
As part of Cisco's ongoing commitment to proactive security and product quality, the Cisco RoomOS engineering team has conducted a comprehensive internal security review. This review resulted in a software hardening release that addresses multiple internally discovered vulnerabilities. The...
CVE-2026-52843 Lightpanda: fetch() and XMLHttpRequest attach session cookies to cross-origin requests regardless of credentials mode
Lightpanda is a headless browser designed for AI and automation. Prior to 0.2.9, Lightpanda fetch and XMLHttpRequest unconditionally attached session cookies to every HTTP request, ignoring credentials: omit, credentials: same-origin, credentials: include, and XMLHttpRequest.withCredentials,...
CVE-2026-48799 Postiz: Unauthenticated arbitrary lifetime PRO grant via Nowpayments webhook
Postiz is an AI social media scheduling tool. Prior to 2.21.8, Postiz fails to verify Nowpayments IPN callback authenticity against the payment provider shared secret and reads the target subscription identifier from the untrusted request body, allowing a low-privileged account to grant arbitrary...
CVE-2026-45804 Diffusers: TOCTOU Trust Remote Code Bypass
Diffusers is the a library for pretrained diffusion models. Prior to 0.38.0, Diffusers' DiffusionPipeline.frompretrained flow can bypass the trustremotecode guard because download validates modelindex.json and custom pipeline code before later loading from a cached folder that can change, allowin...
CVE-2026-47703 AdGuard Home: DoQ-to-UDP State Reduction and Source-Port Oracle
AdGuard Home is a network-wide software for blocking ads and tracking. Prior to 0.107.75, AdGuard Home's client-triggered DoQ forwarding path to a udp:// upstream reduced backend UDP DNS state by producing dnsid=0 or txid=0 and exposed a quoted-port ICMP source-port oracle, weakening DNS response...
CVE-2026-62843 File Browser: Archive builder turns backslash filenames into path traversal (zip-slip)
File Browser is a file managing interface for uploading, deleting, previewing, renaming, and editing files within a specified directory. From 2.63.6 to 2.63.16, File Browser's archive builder uses strings.ReplaceAllnameInArchive, "", "/", which turns a POSIX filename such as ....\evil.sh into the...