163619 matches found
CVE-2026-46515 Frogman: Multiple read-tier tools expose admin-grade data and arbitrary GraphQL execution
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.3, PERMREAD access was sufficient to call fmlistmanagers, fmlistpinsets, fmshowcontext, fmgetmcpconfig, fmbackupstatus, fmwhoscalling, fmrunsavedquery, and fmdiagnosetrunk, exposing AMI manager secrets, outbound dial PIN...
CVE-2026-46514 Frogman: Plaintext passwords and secrets persisted to audit log
Frogman provides headless PBX control through MCP and HTTP API. Prior to 1.6.2, fmresetpassword in Tools/ResetPassword.php:48-53 returned a plaintext password and fmaddextension in Tools/AddExtension.php:172 returned a plaintext secret; Frogman.class.php:2207-2211 used auditOutcome to JSON-encode...
CVE-2026-46353 BigBlueButton API checksum bypass via presentationUploadExternalUrl
BigBlueButton is an open-source virtual classroom. Prior to 3.0.21, bbb-web checksum validation could be bypassed when a presentationUploadExternalUrl parameter was supplied to API request handling in CreateMeeting.java and ValidationService.java, allowing a user to send valid requests to some...
CVE-2026-46377 Dasel: Index-out-of-range panic in dasel selector lexer on trailing backslash in quoted string
Dasel is a command-line tool and library for querying, modifying, and transforming data structures. From 3.0.0 until 3.10.1, the escape sequence handler in Tokenizer.parseCurRune in selector/lexer/tokenize.go increments past a trailing backslash in a quoted string such as "\ or '\ and then reads...
CVE-2026-15737 Sensitive content disclosure via OpenTelemetry spans in AgentCore Python SDK
AWS Bedrock AgentCore Python SDK is an open-source Python library that provides client tools for building AI agents on the Amazon Bedrock AgentCore platform. Unintended logging of sensitive user content in the OpenTelemetry instrumentation in AWS Bedrock AgentCore Python SDK versions 1.4.8 and...
CVE-2026-46687 Emlog Local File Inclusion (LFI)
Emlog is an open source website building system. In 2.6.13 and earlier, the article publishing interface stores a path-traversal template parameter from apicontroller.php without validation, and logcontroller.php later checks fileexists and calls include View::getView$template, allowing an...
CVE-2026-46686 Emlog Reflected Cross-Site Scripting
Emlog is an open source website building system. In 2.6.13 and earlier, the admin backend user search module's keyword parameter from admin/user.php is processed with addslashes but not HTML-escaped before being rendered into the value attribute in admin/views/user.php, allowing reflected...
CVE-2026-10590
A potential missing authentication vulnerability could allow a local privileged attacker to use WMI commands to arbitrarily trigger a System Management Interrupt handler...
CVE-2026-10589
A potential out of bounds write vulnerability could allow a local privileged attacker to execute code in System Management Mode...
CVE-2026-10588
A potential vulnerability could allow a local privileged attacker to disclose the address of protected System Management Mode memory...
CVE-2026-10587
A potential out-of-bounds write vulnerability could allow a local privileged attacker to modify power management settings in System Management Mode...
CVE-2026-14371
The Lenovo XClarity Integrator for Windows Admin Center plugin version 5.1.1 and below running on the WAC Gateway is vulnerable to Powershell Command Injection when establishing remote PowerShell commands...
CVE-2026-13104
A potential vulnerability was reported in Lenovo App Store, distributed exclusively in the Chinese market, that could allow a local authenticated user to execute arbitrary code with elevated privileges...
CVE-2026-13103
A potential path traversal vulnerability was reported in Lenovo App Store, distributed exclusively in the Chinese market, that could allow a local authenticated user to execute arbitrary code...
CVE-2026-9046
A potential insecure permissions vulnerability was reported in Legion Zone and the Lenovo App Store Windows applications, distributed exclusively in the Chinese market, that when installed on a non‑system partition, could allow a local user to execute arbitrary code...
CVE-2026-6511
During an internal security assessment, a potential improper access control vulnerability was discovered in Lenovo Smart Connect for Windows that could allow a local authenticated user to access files owned by a different user on the same system...
CVE-2026-45576 zrok copy writes attacker-controlled WebDAV paths outside the destination root
zrok is software for sharing web services, files, and network resources. From 0.4.23 until 2.0.3, zrok2 copy stores attacker-controlled WebDAV or zrok drive paths such as /../outside.txt in the source inventory and passes them to FilesystemTarget.WriteStream, allowing the sync pipeline to write...
CVE-2026-63088 stoatchat < 0.14.0 SSRF via DNS-based IP Blocklist Bypass
stoatchat before 0.14.0 contains a server-side request forgery SSRF vulnerability that allows unauthenticated network-accessible attackers to bypass the DNS-based IP blocklist by exploiting incomplete address validation in the urlisblacklisted function, which inspects only the first resolved...
CVE-2026-45795 Janssen Project: JWE Request Object Signature Verification Bypass in jans-auth-server
The Janssen Project is an open-source identity and access management IAM platform. Prior to 2.0.0, jans-auth-server accepts unsigned JWE request objects because JwtAuthorizationRequest skips inner signature validation when jwe.getSignedJWTPayload returns null, and...
CVE-2026-45612 rz-libdemangle: Out of bound read in rust demangler
rz-libdemangle is a Rizin library for demangling symbols. Prior to 6bf56d3, the Rust demangler in src/rust/rustv0.c can perform an out-of-bounds read when the demangler structure is not yet initialized. This issue is fixed in commit 6bf56d3...
CVE-2026-55548 Yamcs: Insecure Direct Object Reference (IDOR) in PacketsApi allows unprivileged users to dump all telemetry packets
Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level ReadPacket privileges when a request omitted specific packet names: with an empty name list the...
CVE-2026-46621 Yamcs: Authenticated Remote Code Execution (RCE) via Jython Algorithm Code Injection
Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox, so an authenticated user with the...
CVE-2026-46562 Yamcs: Remote Code Execution via Mission Database algorithm override
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the...
CVE-2026-44632 Yamcs: Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`
Yamcs is a mission control framework. Prior to 5.12.7, a server-side code injection vulnerability existed in the Yamcs algorithm evaluation engine org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory, which dynamically compiled and evaluated user-controlled algorithm text through the Janino...
CVE-2026-63086 text-generation-inference 3.3.7 SSRF via fetch_image in multimodal chat completions
text-generation-inference through 3.3.7 contains a server-side request forgery SSRF vulnerability in the OpenAI-compatible multimodal chat completions endpoint that allows unauthenticated network attackers to coerce the server into issuing arbitrary HTTP GET requests by supplying a crafted imageu...
CVE-2026-55407 Buffa: Memory Exhaustion Denial of Service in decode_unknown_field via Unbounded Allocation
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.8.0, the decodeunknownfield function in buffa's protobuf decoder allocated heap memory in proportion to untrusted input unknown fields in the serialized protobuf without enforcing an...
CVE-2026-55406 Buffa: Use-After-Free in OwnedView via Unsound 'static Lifetime Promotion in Deref
Buffa is a pure-Rust Protocol Buffers implementation with first-class protobuf editions support. Prior to 0.7.0, a soundness bug in the OwnedView type allowed safe Rust code to trigger a use-after-free: the OwnedView::decode constructor transmuted a borrowed slice to &'static u8, and the Deref...
CVE-2026-45695 Kopia: Unauthenticated RCE via SSH ProxyCommand Injection when --insecure --without-password is used
Kopia is a cross-platform backup tool for Windows, macOS, and Linux with fast incremental backups, client-side end-to-end encryption, compression, and data deduplication. Prior to 0.23.0, Kopia's HTTP server started with --without-password accepts unauthenticated requests to /api/v1/repo/exists a...
CVE-2026-55440 Microsoft UFO: COMMAND_RESULTS handler creates unowned sessions, allowing authenticated session-squatting denial of service
Microsoft UFO open-source framework for intelligent automation across devices and platforms. Prior to 3.0.7, the COMMANDRESULTS handler in ufo/server/ws/handler.py called getorcreatesession in ufo/server/services/sessionmanager.py without ownerclientid, allowing an authenticated client to create ...
CVE-2026-63082 Perfect Support Ticketing System 1.7 Broken Access Control via Agent Assignment
Perfect Support Ticketing & Document Management System through 1.7 contains a broken access control vulnerability that allows authenticated attackers with Agent-level privileges to manipulate the Support Agent assignment field of tickets by bypassing intended authorization checks. Attackers can a...
CVE-2026-12379 URL Redirection to Untrusted Site ('Open Redirect') vulnerability in the Dashboard OAuth/OIDC implementation of Axivion
An Open Redirect vulnerability CWE-601 exists in the OAuth/OIDC authentication implementation of the Axivion Dashboard. The login flow did not properly restrict the post-authentication redirect to the application's own origin, so a user who follows a crafted login link can be sent to an untrusted...
CVE-2026-54568 Microsoft UFO: Missing Authorization in DEVICE_INFO_REQUEST Allows a DEVICE Client to Read Another Device's system_info
Microsoft UFO open-source framework for intelligent automation across devices and platforms. From 3.0.0 until 3.0.6, a client connected to the UFO WebSocket server as a DEVICE could call DEVICEINFOREQUEST with another device's targetid and receive that device's server-side systeminfo through...
CVE-2026-57206 SimpleChat plugin validation endpoints missing authentication and authorization
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.206, several plugin validation routes in application/singleapp/pluginvalidationendpoint.py, including POST /api/admin/plugins/test-instantiation, GET...
CVE-2026-57205 SimpleChat: Authenticated users can access other users' profile metadata through user IDOR endpoints
SimpleChat is a secure AI conversation application with personal and group workspaces for document-grounded interactions. Prior to 0.241.203, the authenticated GET /api/user/info/ and GET /api/user/profile-image/ endpoints in application/singleapp/routebackendusers.py accepted a caller-supplied...
CVE-2026-54733 moodle-local_o365: Authentication bypass via unverified JWT signature in Teams SSO endpoint
The Microsoft 365 and Microsoft Entra ID Plugins for Moodle provide Office 365 and Azure Active Directory integration for Moodle. Prior to 4.5.6, 5.0.5, and 5.1.1, the Microsoft Office 365 Integration plugin localo365 Teams SSO endpoint ssologin.php base64-decodes a JWT payload and authenticates...
CVE-2026-59867 Kiota: Generation-time SSRF + remote/local file inclusion via unrestricted $ref
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota resolved OpenAPI $ref values by fetching remote https URLs and reading local absolute or out-of-tree file paths, allowing kiota generate on an attacker-controlled or attacker-influenced description to perform build-time...
CVE-2026-59864 Kiota: Path/URL injection into generated Copilot plugin manifest via x-ai-* extensions
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, kiota plugin add and kiota plugin generate with -t APIPlugin emitted attacker-controlled statictemplate.file values from x-ai-adaptive-card and x-ai-capabilities into generated Microsoft 365 Copilot and Teams plugin manifests...
CVE-2026-14890 CVE-2026-14890
SGLang uses an expert-parallel backup subsystem that exposes a ZeroMQ PULL socket on a routable network interface that does not contain authentication or deserialization safeguards, allowing an attacker to provide a malicious pickle file that results in unauthenticated remote code execution when...
CVE-2026-59863 Kiota: Workspace-config poisoning: out-of-repo file write + generation-time SSRF
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.5, Kiota honored a poisoned .kiota/workspace.json workspace configuration without validating per-client or per-plugin outputPath values during kiota client generate and kiota plugin generate, allowing a malicious repository or pu...
CVE-2026-59862 Kiota: Code Generation Literal Injection in the Python Generator
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Python generator let attacker-controlled enum value descriptions from x-ms-enum.values.description flow through KiotaBuilder.SetEnumOptions into Documentation.DescriptionTemplate and...
CVE-2026-59861 Kiota: Code Generation Literal Injection in Kiota Ruby Generator
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.0, Kiota's Ruby generator embedded OpenAPI default fields, property names, and other schema-derived strings through CodeMethodWriter.cs and SanitizeForQuotedLiteral in Writers/StringExtensions.cs into Ruby double-quoted literals...
CVE-2026-59237 IDOR in Prospero Flow CRM Order API allows cross-tenant read and modification of orders
Authorization Bypass Through User-Controlled Key CWE-639 in the Order and OrderItem REST API controllers in Roskus Prospero Flow CRM before 5.5.3 allows a remote, authenticated user to read, modify, and delete orders and order items belonging to any other company tenant via a sequential numeric i...
CVE-2026-59860 Kiota: XML Doc-Comment Newline Breakout Code Injection
Kiota is an OpenAPI based HTTP Client code generator. Prior to 1.32.3, Kiota is affected by a code-generation injection vulnerability in the C XML documentation-comment sink the description, externalDocs label, and externalDocs link fields emitted as /// … comments. When text from an OpenAPI...
CVE-2026-14254 Improper Restriction of Excessive Authentication Attempts in Delphix Continuous Data
A race condition in the account lockout mechanism in Delphix Continous Data allowed the lockout threshold to be bypassed through concurrent authentication requests. Parallel login attempts were processed before the failed-login counter and lockout status were updated, defeating brute-force...
CVE-2026-5674 Pipewire: pipewire: sandbox escape and arbitrary code execution via malicious library loading
A flaw was found in PipeWire, a multimedia server. This vulnerability allows an attacker to escape sandboxed applications, such as Flatpak, by exploiting PipeWire's PulseAudio compatibility layer. An attacker with minimal permissions within a sandboxed environment can load a malicious library,...
CVE-2026-56456 HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability.
HCL DFXAnalytics is affected by an Internal File Path Disclosure vulnerability. The application dashboard inadvertently leaks sensitive information regarding its internal file structure and directory paths through unhandled error messages, system logs, or debugging output, which could allow a...
CVE-2026-56455 HCL DFXAnalytics is affected by a Buffer Overflow vulnerability that can lead to a Denial of Service (DoS).
HCL DFXAnalytics is affected by a Buffer Overflow vulnerability that can lead to a Denial of Service DoS. The application fails to properly validate input sizes, allowing an attacker to pass an excessive amount of information into a memory container, which can cause the system to crash or become...
CVE-2026-56454 HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS 1.0 and TLS 1.1.
HCL DFXAnalytics is affected by a Deprecated Protocol vulnerability due to the use of TLS 1.0 and TLS 1.1. These legacy protocols contain numerous cryptographic design flaws that expose data to interception and decryption. To remediate this risk, the application must disable all support for TLS 1...
CVE-2026-56453 HCL DFXAnalytics is affected by an Account Takeover via Response Manipulation vulnerability.
HCL DFXAnalytics is affected by an Account Takeover via Response Manipulation vulnerability. A remote attacker can intercept and alter the contents of the server's HTTP responses before they reach the client application, allowing them to manipulate the authentication or authorization logic to...
CVE-2026-35145 HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability.
HCL DFXAnalytics is affected by a Missing HTTP Strict-Transport-Security Header vulnerability. The application fails to implement the HTTP Strict Transport Security HSTS policy within its responses, which could allow a remote attacker to downgrade the communication channel to an unencrypted...