372419 matches found
CVE-2024-58358
SurrealDB versions before 2.1.0 are affected by a denial-of-service flaw in the role conversion logic. The issue lets privileged owner users define users with nonexistent roles; signing in with a user assigned an invalid role can trigger an uncaught panic, crashing the server. The vulnerability i...
CVE-2024-58357
CVE-2024-58357 affects SurrealDB versions before 2.1.0. The vulnerability is an uncaught exception in the Rust rand::time() function that panics when unwrap is called on a None result from timestamp_opt. Authorized clients can repeatedly invoke rand::time() to trigger server panics, causing denia...
CVE-2024-58356
SurrealDB prior to version 2.1.4 is affected by a permission-bypass issue. When using DEFINE TABLE ... OVERWRITE on tables defined with TYPE RELATION, the PERMISSIONS clause is not applied, so tightened permissions may not take effect and an authorized client could continue to access data. Affect...
CVE-2023-54366
CVE-2023-54366 affects SurrealDB prior to 1.0.1, where default table permissions are set to FULL instead of NONE. This misconfiguration allows attackers with database access or unauthenticated users on publicly exposed instances to perform uncontrolled SELECT, CREATE, UPDATE, and DELETE operation...
CVE-2026-16117
The CVE concerns @fastify/http-proxy (affected: up to 11.5.0) where URL prefix rewriting fails when the prefix segment is URL-encoded. Fastify decodes paths for route matching, but request.url keeps the original encoded form. The prefixRewrite step compares against the decoded prefix using a lite...
CVE-2026-16119
CVE-2026-16119 affects nextlevelbuilder GoClaw up to 3.13.2, specifically the WebSocket Approval Endpoint’s internal/tools/exec_approval.go, function RequestApproval. A manipulation can cause incorrect authorization, and the attack can be carried out remotely. The exploit has been made public, wi...
CVE-2026-59173
CVE-2026-59173 affects Apache Traffic Server versions 9.0.0–9.1.13 and 10.0.0–10.1.2. It describes an Uncontrolled Resource Consumption (DoS) scenario associated with HTTP/2 flow-control behavior. Upstream remediation is to upgrade to 9.1.14 or 10.1.3, which fixes the issue. The CVE entry consist...
CVE-2026-15631
The CVE affects the Node.js package @fastify/http-proxy, versions 9.4.0 through 11.5.0. A WebSocket routing flaw in WebSocketProxy.findUpstream lets the WHATWG URL constructor collapse dot segments, causing crafted upgrade requests with path traversal to bypass the configured rewrite prefix and r...
CVE-2026-9147
CVE-2026-9147 affects uproot 5.7.4 and prior. The issue arises when uproot dynamically generates Python class source code from ROOT TStreamerInfo records and compiles it at runtime. Some file-controlled streamer metadata fields (e.g., streamer element names) are interpolated into the generated Py...
CVE-2026-16158
Affected component: @fastify/reply-from. Versions 8.3.1 up to, but not including, 12.6.4 construct an internal URL cache key by concatenating destination and source paths without a delimiter, enabling cross-upstream data access when getUpstream selects an upstream from request data. This can caus...
CVE-2026-16097
CVE-2026-16097 affects Shibby Tomato 1.28, specifically the Scheduler Name Handler’s sub_42537C function. Manipulating the argument a1 yields a stack-based buffer overflow, with remote execution possible. The issue is noted as superseded by FreshTomato. CVSS metrics in the accompanying data indic...
CVE-2026-16096
CVE-2026-16096 affects Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. a stack-based overflow in the function sub_40BB50 of /proc/webmon_recent_domains can be triggered remotely. CVSS metrics indicate high impact to confidentiality, integrity, and availability (network vector, low access/privilege re...
CVE-2026-16095
The CVE-2026-16095 issue affects Shibby Tomato 1.28 RT-N5x MIPSR2 Build 124. Affects the function setup_conntrack in /sbin/rc. Manipulating the argument ct_tcp_timeout can cause an out-of-bounds write, with a remote attacker able to trigger it. The project is superseded by FreshTomato. No remedia...
CVE-2026-16088
Summary : CVE-2026-16088 affects halo-dev halo up to version 2.24.2. The vulnerability targets the Download function in MigrationEndpoint.java within the Files Backup Endpoint, where input manipulation enables path traversal. This allows remote exploitation, and public exploits have surfaced. Det...
CVE-2026-16085
The vulnerability CVE-2026-16085 affects Sipeed PicoClaw up to version 0.2.9. It resides in the function NewContextBuilder in pkg/agent/context.go, where manipulation can cause inclusion of functionality from an untrusted control sphere. The attack is local, and the exploit has been publicly disc...
CVE-2026-16084
Affected software/hardware: Sipeed PicoClaw (up to version 0.2.9). Vulnerable component: function web_fetch in pkg/tools/integration/web.go. Root cause: manipulation enabling server-side request forgery (SSRF). Impact: remote exploitation possible with low attack complexity and network access; ab...
CVE-2026-47871
The CVE-2026-47871 issue affects VMware Avi Load Balancer and is a directory traversal vulnerability caused by flaws in file path validation. Affected versions and fixed milestones are: 32.1.1 (fixed in 32.1.2); 31.1.1–31.2.2 (fixed in 31.2.2-2p3); 30.1.1–30.2.6 (fixed in 30.2.7); and 22.1.1–22.1...
CVE-2026-47870
CVE-2026-47870 affects VMware Avi Load Balancer. A malicious authenticated user with network access can potentially execute remote code due to a privilege-escalation flaw. Affected versions and fixes shown in public records: 32.1.1 (fixed in 32.1.2); 31.1.1–31.2.2 (fixed in 31.2.2-2p3); 30.1.1–30...
CVE-2026-47869
CVE-2026-47869 describes a remote code execution flaw in VMware Avi Load Balancer. An authenticated user with network access can inject and execute code. Affected versions and fixed releases: 32.1.1 (fixed in 32.1.2); 31.1.1–31.2.2 (fixed in 31.2.2-2p3); 30.1.1–30.2.6 (fixed in 30.2.7); 22.1.1–22...
CVE-2026-47868
CVE-2026-47868 concerns VMware Avi Load Balancer. A local privilege escalation allows a user with local access to run code as root. Affected versions are: 32.1.1 (fixed in 32.1.2); 31.1.1–31.2.2 (fixed in 31.2.2-2p3); 30.1.1–30.2.6 (fixed in 30.2.7); 22.1.1–22.1.7 (fixed in 30.2.7). CVSSv3.1 base...