VYPR

CVEs

38,009 total · page 1 of 761

  • CVE-2026-28701 · high · Jun 25, 2026
    risk 0.50 · cvss 7.7 · epss 0.01

    Various versions of Daktronics Controller Firmware could allow authenticated and unauthenticated remote users to escape the intended directory and enumerate arbitrary file system paths.

  • CVE-2026-12578 · high · Jun 25, 2026
    risk 0.51 · cvss 7.8 · epss n/a

    The affected product is vulnerable to a deserialization of untrusted data, which may allow an attacker to execute arbitrary code.

  • CVE-2026-33560 · high · Jun 25, 2026
    risk 0.46 · cvss 7.1 · epss 0.00

    The DMP-5000 file service exposes authenticated arbitrary file upload functionality. The exposed endpoints allow authenticated users to upload files of any type without validation. No file extension filtering or content inspection is enforced, which allows executable…

  • CVE-2026-31928 · high · Jun 25, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    The DMP-5000 devices are shipped with a default administrative web account with weak authentication controls, which are not required to be changed during initial configuration or operation. Using these accounts provides full system access.

  • CVE-2026-56414 · high · Jun 25, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    A vulnerability exists in H.View IP cameras: the certificate-related upload interfaces allow authenticated users to store arbitrary file content at fixed, persistent filesystem locations without validating file type, structure, or size. This design omission enables the placement of…

  • CVE-2026-55975 · high · Jun 25, 2026
    risk 0.47 · cvss 7.2 · epss 0.01

    A vulnerability exists in H.View IP cameras that could allow an authenticated user to supply unsanitized XML fields to the device's certificate generation interface, which are incorporated into a backend certificate creation command without proper input validation. This may…

  • CVE-2026-12897 · high · Jun 25, 2026
    risk 0.51 · cvss 7.8 · epss 0.00

    Horner Automation Cscape versions prior to 10.2 SP3 contain an out-of-bounds read in the parsing of CSP files. Successful exploitation of this vulnerability could allow an attacker to disclose information and execute arbitrary code.

  • CVE-2026-54479 · high · Jun 25, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to…

  • CVE-2026-50176 · high · Jun 25, 2026
    risk 0.49 · cvss 7.5 · epss 0.00

    The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks or brute-force attacks to gain unauthorized access.

  • CVE-2026-54329 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Impact A cross-tenant data injection vulnerability was identified in the Snipe-IT Accessories API when Full Multiple Companies Support (FMCS) is enabled. A low-privileged authenticated user belonging to one company can create an accessory record under another company by…

  • CVE-2026-54513 · high · Jun 23, 2026
    risk 0.39 · cvss n/a · epss 0.01

    ## Summary `BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()` allowlists any array type based only on `clazz.isArray()`, without validating the array's component (element) type against the configured allowlist. A PTV built with `allowIfSubTypeIsArray()` plus an…

  • CVE-2026-54512 · high · Jun 23, 2026
    risk 0.39 · cvss n/a · epss 0.01

    `jackson-databind`'s `PolymorphicTypeValidator` (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains `<`),…

  • CVE-2026-55488 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss 0.01

    ### Summary mEye contains an absolute path traversal vulnerability in multiple media file handlers that allows an attacker to read arbitrary files from the filesystem. The affected handlers accept a user-controlled filename parameter and construct filesystem paths using…

  • CVE-2026-55441 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss 0.00

    ### Summary mise's trust feature gates config files (`mise.toml`, `.tool-versions`) through `trust_check`, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (`mise-tasks/`, `.mise/tasks/`, …) but no config file, mise…

  • CVE-2026-54134 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss n/a

    ### Impact OctoPrint versions up to and including 1.11.7, as well as 2.0.0rc1 and 2.0.0rc2, contain a vulnerability that allows an attacker with the `FILE_UPLOAD` permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload…

  • CVE-2026-53925 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss 0.00

    ### Summary The `secure_popen()` function in `glances/secure.py` interprets `>` (file redirection), `|` (pipe), and `&&` (command chaining) operators in command strings. These operators are applied without any validation on the target file path, piped command, or chained…

  • CVE-2026-55173 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Summary The fix for CVE-2026-33482 (GHSA-pmj8-r2j7-xg6c) is incomplete. That advisory reported that `sanitizeFFmpegCommand()` (`plugin/API/standAlone/functions.php`) failed to strip `$(...)` command substitution, allowing OS command injection at the `execAsync()` `sh -c`…

  • CVE-2026-45049 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss n/a

    ## Summary **Description** An Information Exposure Through Sent Data (CWE-201) issue in OpenAM's Cross-Domain Single Sign-On (CDSSO) servlet allows a logged-in user's raw OpenAM session token to be POSTed to an attacker-controlled URL. This impacts OpenAM Community Edition…

  • CVE-2026-45048 · high · Jun 23, 2026
    risk 0.45 · cvss n/a · epss n/a

    ## Summary Description An insufficient authorization (CWE-285) and information exposure (CWE-200) issue in OpenAM's session management endpoint allows a low-privileged authenticated user to retrieve active session credentials belonging to other users, including those with…

  • CVE-2026-52812 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    Summary Git LFS storage is content-addressed by OID alone (`/<oid[0]>/<oid[1]>/`) but per-repo authorization lives in the `lfs_object` table keyed `(repo_id, oid)`. `serveUpload` skips re-uploading when the OID file already exists on disk and inserts a new…
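
The Git LFS entry above is about two keyspaces disagreeing: blobs are stored by OID alone, while the authorization rows live in a table keyed by `(repo_id, oid)`. The model below is an added example written for this page, not the project's code. It reproduces the skip-on-existing upload path against an in-memory store and shows the fix this shape needs: a repository only gets a row for an OID once it has supplied bytes that actually hash to that OID. The repository ids, the secret blob and the `download` helper are constructed.

```python
import hashlib


class LfsStore:
    """In-memory stand-in for an LFS backend: one content-addressed blob area
    shared by every repository, plus a per-repo authorization table."""

    def __init__(self):
        self.blobs = {}          # oid -> bytes, keyed by content alone
        self.lfs_object = set()  # (repo_id, oid) rows: who may read which oid

    @staticmethod
    def oid_of(body: bytes) -> str:
        return hashlib.sha256(body).hexdigest()

    def serve_upload_vulnerable(self, repo_id: str, oid: str, body: bytes) -> str:
        """Skips the write when the blob is already on disk, but still inserts
        a row for the requesting repo. Knowing an OID is enough to get read
        access to the bytes behind it."""
        if oid in self.blobs:
            self.lfs_object.add((repo_id, oid))   # row granted without any content
            return "exists"
        self.blobs[oid] = body
        self.lfs_object.add((repo_id, oid))
        return "stored"

    def serve_upload_fixed(self, repo_id: str, oid: str, body: bytes) -> str:
        """Possession proof: the bytes on the wire must hash to the claimed OID
        before this repo gets a row, whether or not the blob already exists."""
        if self.oid_of(body) != oid:
            raise PermissionError("uploaded content does not match oid")
        if oid not in self.blobs:
            self.blobs[oid] = body
        self.lfs_object.add((repo_id, oid))
        return "stored"

    def download(self, repo_id: str, oid: str) -> bytes:
        if (repo_id, oid) not in self.lfs_object:
            raise PermissionError("no lfs_object row for this repo")
        return self.blobs[oid]


def cross_repo_read(upload_method: str):
    """Run the scenario against one of the two upload paths. Returns the
    bytes the attacker's repo can download, or None if the server refused."""
    store = LfsStore()
    secret = b"constructed secret: private model weights"   # victim's blob
    oid = LfsStore.oid_of(secret)
    getattr(store, upload_method)("victim-repo", oid, secret)      # legitimate upload
    try:
        # Attacker learned the OID (for example from a leaked pointer file)
        # and "uploads" it to a repo they control without sending content.
        getattr(store, upload_method)("attacker-repo", oid, b"")
        return store.download("attacker-repo", oid)
    except PermissionError:
        return None
```

In the real batch API the existence short-circuit happens one step earlier, when the server answers the batch request; the equivalent rule there is to report an object as already present only when a row for the requesting repository exists, and otherwise to demand the upload and hash-verify it.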

  • CVE-2026-52810 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary Git smart HTTP authorizes `POST …/git-receive-pack` using the client-supplied service query string (so `?service=git-upload-pack` is evaluated as read access) while routing still runs git receive-pack, allowing push where only read should be allowed. ### Details …
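
CVE-2026-52810 is an authorization check that reads the required access level from a client-supplied value (`?service=`) while the action that actually runs is fixed by the route. The snippet below is an added example, not Gogs code: it models both decision functions against a constructed permission table so the mismatch is visible. The user names and permission levels are assumptions made for the example.

```python
READ, WRITE = "read", "write"

# Constructed permission table: what each user holds on the one repository.
ACCESS = {"reader": READ, "maintainer": WRITE}


def required_from_query(path: str, query: dict) -> str:
    """Faulty: trusts ?service= to say what the request is going to do."""
    return WRITE if query.get("service") == "git-receive-pack" else READ


def required_from_route(path: str, query: dict) -> str:
    """Derives the requirement from what the router will actually execute.

    For the POST endpoints the path names the service. Only the ref
    advertisement (info/refs) legitimately selects a service via the query
    string, and there the same parameter also picks which advertisement is
    produced, so check and action cannot disagree.
    """
    if path.endswith("/git-receive-pack"):
        return WRITE
    if path.endswith("/git-upload-pack"):
        return READ
    if path.endswith("/info/refs"):
        return WRITE if query.get("service") == "git-receive-pack" else READ
    raise ValueError(f"not a smart HTTP endpoint: {path}")


def authorized(user: str, path: str, query: dict, policy) -> bool:
    """Apply one of the two policies to a request from `user`."""
    need = policy(path, query)
    have = ACCESS.get(user)
    return have == WRITE or (need == READ and have == READ)
```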

  • CVE-2026-52808 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ## Summary Three API endpoints — `PATCH /api/v1/repos/:owner/:repo/issue-tracker`, `PATCH /api/v1/repos/:owner/:repo/wiki`, and `POST /api/v1/repos/:owner/:repo/mirror-sync` — are gated by `reqRepoWriter()` rather than `reqRepoAdmin()`. The equivalent operations in the web…

  • CVE-2026-52807 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary The fix for GHSA-vgjm-2cpf-4g7c (DOM-based XSS via milestone selection) was only applied to `templates/repo/issue/view_content.tmpl` but not to `templates/repo/issue/new_form.tmpl`. An attacker can store an HTML/JavaScript payload in a milestone name, and when any…

  • CVE-2026-52805 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    # Migration URL validation bypass via HTTP redirect to blocked internal endpoints ## Summary A Server-Side Request Forgery (SSRF) vulnerability exists in the repository migration functionality. The application validates only the initially submitted URL hostname, but `git clone…

  • CVE-2026-1840 · high · Jun 23, 2026
    risk 0.49 · cvss 7.5 · epss 0.01

    The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system…

  • CVE-2026-52801 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.01

    ### Summary The Gogs Mirror Settings functionality provides an alternative to the well-protected New Migration functionality through which any authenticated user can import local repositories. This issue stems from a lack of validation in the SaveAddress function. ### Details Here is…

  • CVE-2026-52800 · high · Jun 23, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ## Summary In **Gogs 0.14.1**, organization team member management can be performed via **GET requests without CSRF protection**. If a victim who is an **organization owner** is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to…

  • CVE-2026-52799 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ## Summary In Gogs 0.14.1, `GET /attachments/:uuid` returns the raw attachment file **without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository**. In a test environment with `REQUIRE_SIGNIN_VIEW = false`, we confirmed…

  • CVE-2026-52798 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    # Summary Although `.ipynb` previews are sanitized on the server side via `/-/api/sanitize_ipynb`, the inserted content is **re-rendered on the client side without sanitization** using `marked()` on elements with the `.nb-markdown-cell` class. During this process, links…

  • CVE-2026-54353 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    Summary Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS…
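
The Budibase DNS-rebinding entry above turns on a time-of-check/time-of-use gap: the blocklist is evaluated against one DNS answer and the socket is opened on a second one. The Python below is an added example (not Budibase code) with a constructed resolver that answers differently on successive lookups; it contrasts validating the hostname with pinning the validated address and dialing it literally. The blocked ranges, the hostnames and the "public" address 203.0.113.10 (a documentation range) are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Loopback, private, link-local (cloud metadata lives here) and unspecified.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BLOCKED_NETWORKS)


def connect_target_vulnerable(url: str, resolve) -> str:
    """Checks the name, then lets the transport resolve it all over again."""
    host = urlsplit(url).hostname
    if is_blocked(resolve(host)):          # first lookup: public address
        raise PermissionError(f"{host} resolves to a blocked address")
    return resolve(host)                   # second lookup: record has flipped


def connect_target_pinned(url: str, resolve) -> str:
    """Resolves once, checks that answer, and returns it as the literal
    address to dial. The HTTP layer must then connect to this IP while still
    sending Host (and SNI) for the original hostname, and must run this
    function again for every redirect target it decides to follow."""
    host = urlsplit(url).hostname
    ip = resolve(host)
    if is_blocked(ip):
        raise PermissionError(f"{host} resolves to a blocked address")
    return ip


class RebindingResolver:
    """Constructed stand-in for DNS: hands out the listed answers in order and
    then keeps repeating the last one (a short-TTL record that was flipped)."""

    def __init__(self, *answers: str):
        self.answers = list(answers)

    def __call__(self, host: str) -> str:
        if len(self.answers) > 1:
            return self.answers.pop(0)
        return self.answers[0]


def rebinding_outcome(connect) -> str:
    """Return the address `connect` would dial for a hostname whose record
    flips from a public address to the metadata address between lookups."""
    flipping = RebindingResolver("203.0.113.10", "169.254.169.254")
    return connect("http://hook.example/callback", flipping)
```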

  • CVE-2026-54351 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    ## Summary The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in `externalTrigger()` allows an attacker to overwrite the internal `appId` property by…

  • CVE-2026-49229 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss n/a

    ### Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the…

  • CVE-2026-50137 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss 0.00

    ## Summary The Budibase server route `POST /api/attachments/:datasourceId/url` ([`packages/server/src/api/routes/static.ts`](https://github.com/Budibase/budibase/blob/56d2a984/packages/server/src/api/routes/static.ts)) is registered with **only** the `recaptcha` middleware.…

  • CVE-2026-50136 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    The application server exposes an unauthenticated endpoint that generates S3 `PutObject` presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource…

  • CVE-2026-50132 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ## Title **Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account** ## Severity **High** — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = **7.3** ## Affected Product - **Product:** Budibase -…

  • CVE-2026-46608 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary The Glances XML-RPC server (`glances -s`) introduced a configurable CORS origin list in version 4.5.3 as a mitigation for CVE-2026-33533. However, the implementation silently falls back to `Access-Control-Allow-Origin: *` whenever `cors_origins` contains more than…
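
The Glances CORS entry above is the classic multi-origin mistake: `Access-Control-Allow-Origin` carries one origin or `*`, never a list, and the fallback chosen for the multi-entry case was `*`. The helper below is an added example for this page, not the project's implementation. The faulty variant is modelled on the behaviour the entry describes (that the threshold is "more than one entry" is an assumption). The corrected version computes the header the way a list must be handled: echo the request's Origin only when it is on the list, and send `Vary: Origin` so a shared cache never replays one origin's answer to another.

```python
def allow_origin_vulnerable(cors_origins: list, request_origin: str):
    """Shape described in the advisory (assumed: a single entry is echoed
    verbatim, more than one collapses to the wildcard)."""
    if len(cors_origins) == 1:
        return cors_origins[0]
    return "*"


def allow_origin(cors_origins: list, request_origin: str):
    """Return the (Access-Control-Allow-Origin, Vary) values to send.

    A configured list is an allowlist to match the request's Origin against;
    the response names at most that one origin. None for the first element
    means: send no ACAO header at all, so the browser blocks the cross-origin
    read. Vary: Origin is emitted whenever the answer depends on the request.
    """
    if not cors_origins:
        return None, None
    if cors_origins == ["*"]:                 # explicit opt-in to any origin
        return "*", None
    if request_origin in cors_origins:
        return request_origin, "Origin"
    return None, "Origin"
```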

  • CVE-2026-46607 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary `glances/outdated.py` uses `pickle.load()` to read a version-check cache file stored at a predictable, world-accessible path (`~/.cache/glances/glances-version.db` or `$XDG_CACHE_HOME/glances/glances-version.db`). No integrity check, signature verification, or…
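
The Glances cache entry above is an instance of a general rule: `pickle.load()` on a file that another principal can write is code execution by that principal. The example below is added for this page and is not Glances code. It builds a cache file whose unpickling calls a function of the file author's choosing (here a harmless marker standing in for `os.system`), then shows a loader that uses a data-only format and a writer that creates the file atomically with owner-only permissions. All paths are created inside a temporary directory the example makes for itself; the cache key `latest` is constructed.

```python
import json
import os
import pickle
import tempfile


class Marker:
    """Records whether the attacker-chosen callable ran during unpickling."""
    triggered = False


def _payload():
    # Stand-in for os.system(...): any importable callable can be named here.
    Marker.triggered = True
    return {"latest": "tampered"}


class CacheBomb:
    def __reduce__(self):
        # pickle serialises (callable, args) and calls it on load.
        return (_payload, ())


def write_cache_unsafe(path: str, obj) -> None:
    with open(path, "wb") as fh:
        pickle.dump(obj, fh)


def load_cache_unsafe(path: str):
    with open(path, "rb") as fh:
        return pickle.load(fh)            # executes whatever the file says


def write_cache_safe(path: str, data: dict) -> None:
    """Plain-data format, written atomically, readable by the owner only.
    An adversary who can write the directory can still replace the file, so
    the cache directory itself must not be shared or world-writable."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(data, fh)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)


def load_cache_safe(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        data = json.load(fh)              # can only ever yield plain values
    if not isinstance(data, dict) or not isinstance(data.get("latest"), str):
        raise ValueError("unexpected cache contents")
    return data


def demo() -> dict:
    """Plant a malicious cache file, run both loaders against it, then write
    and reload a legitimate cache the safe way. Returns what was observed."""
    Marker.triggered = False
    with tempfile.TemporaryDirectory() as d:
        planted = os.path.join(d, "version.db")
        write_cache_unsafe(planted, CacheBomb())
        unsafe_result = load_cache_unsafe(planted)
        ran_on_unsafe_load = Marker.triggered
        Marker.triggered = False
        try:
            load_cache_safe(planted)      # pickle bytes are not valid JSON/UTF-8
            safe_rejected = False
        except ValueError:                # JSONDecodeError and UnicodeDecodeError
            safe_rejected = True
        ran_on_safe_load = Marker.triggered
        good = os.path.join(d, "version.json")
        write_cache_safe(good, {"latest": "1.2.3"})
        reloaded = load_cache_safe(good)
    return {
        "unsafe_result": unsafe_result,
        "ran_on_unsafe_load": ran_on_unsafe_load,
        "safe_rejected": safe_rejected,
        "ran_on_safe_load": ran_on_safe_load,
        "reloaded": reloaded,
    }
```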

  • CVE-2026-46606 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary The Glances KVM/QEMU monitoring engine (`glances/plugins/vms/engines/virsh.py`) passes VM domain names, read directly from `virsh list --all` output, into f-string command templates that are processed by `secure_popen()`. `secure_popen()` is explicitly designed to…

  • CVE-2026-44795 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss n/a

    ### Impact There's an unsafe YAML processing vulnerability that bypasses safe deserialization. This impacts users when performing: * CloudFormation deployments * CloudFoundry Baking The use of a non-safe constructor allows arbitrary loading of Java classes, leading to…

  • CVE-2026-41573 · high · Jun 22, 2026
    risk 0.45 · cvss n/a · epss n/a

    OpenAM (Open Identity Platform) is an open-source IAM platform providing SSO, OAuth2, SAML, and OpenID Connect capabilities. The CREST REST API layer exposes user query endpoints under `/json/{realm}/users`. In `IdentityResourceV1.queryCollection()`, the HTTP query parameter…

  • CVE-2026-33692 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss n/a

    ## Vulnerability Details **CWE**: CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory The official `docker-compose.yml` (line 61) mounts the entire project root directory as the Apache document root: ```yaml volumes: -…

  • CVE-2026-25119 · high · Jun 22, 2026
    risk 0.38 · cvss n/a · epss 0.01

    ## Summary When `ENABLE_REVERSE_PROXY_AUTHENTICATION` is enabled, Gogs accepts the configured authentication header (default: `X-WEBAUTH-USER`) directly from client requests without validating that the request originated from a trusted reverse proxy. Any remote attacker who can…
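
The reverse-proxy entry above is a trust-boundary error: the header carrying the authenticated username only means something when the hop that set it was the proxy. The example below is added for this page and is not Gogs code. It pairs the application-side check (accept the header only when the TCP peer is a configured proxy) with the proxy-side rule that makes the header unforgeable in the first place: strip whatever the client sent before adding your own. The header name matches the entry's default; the proxy address, client address and user names are constructed.

```python
import ipaddress

AUTH_HEADER = "x-webauth-user"                            # compared case-insensitively
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]   # constructed


def _normalise(headers: dict) -> dict:
    return {k.lower(): v for k, v in headers.items()}


def user_from_request_vulnerable(remote_addr: str, headers: dict):
    """Believes the header from any peer."""
    return _normalise(headers).get(AUTH_HEADER)


def user_from_request(remote_addr: str, headers: dict):
    """Believes the header only when the TCP peer is a trusted proxy.

    remote_addr must be the socket peer address, not X-Forwarded-For: that
    header is itself client-controlled until the proxy rewrites it."""
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return None
    return _normalise(headers).get(AUTH_HEADER)


def proxy_forward(client_headers: dict, authenticated_user) -> dict:
    """What the proxy must do before forwarding: drop every client-supplied
    copy of the header, then set it from its own authentication result."""
    out = {k: v for k, v in client_headers.items() if k.lower() != AUTH_HEADER}
    if authenticated_user is not None:
        out["X-WEBAUTH-USER"] = authenticated_user
    return out
```

Both halves are needed: the peer check alone still lets a client smuggle the header through a proxy that forwards headers untouched, and the proxy rule alone is defeated by anyone who can reach the application port directly.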

  • CVE-2026-55878 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Description The `ux:install` console command installs files from a recipe kit by copying paths listed in a `copy-files` map. The only guard against malicious paths was `Path::isRelative()`, which returns `true` for paths like `../../../etc`. `Path::join()` then resolves the…
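
Three entries on this page share one root cause: the Daktronics directory escape (CVE-2026-28701), the mEye absolute-path traversal (CVE-2026-55488) and the `Path::isRelative()` guard just described. In each the check answers a different question from "does the resolved path stay under the base directory". The Python below is an added example, not code from any of these projects; `BASE_DIR` and the sample paths are constructed. It shows the weak relative-only test beside a lexical confinement check that rejects absolute paths, `..` components and anything whose normalised form leaves the base.

```python
import os
from pathlib import PurePosixPath

# Constructed base directory for the example; a real service would use its own
# media, upload or install root.
BASE_DIR = "/srv/app/media"


def is_relative_only(user_path: str) -> bool:
    """The weak test: "is this path relative?".

    It returns True for "../../../etc", which is relative and still escapes
    any base directory it is joined onto.
    """
    return not PurePosixPath(user_path).is_absolute()


def resolve_inside(base_dir: str, user_path: str) -> str:
    """Join user_path onto base_dir and refuse anything that lands outside.

    Rejects absolute user paths (an absolute second argument makes join
    discard the base entirely), any ".." component, and finally compares the
    normalised result against the base with commonpath, which also stops
    sibling-prefix tricks ("/srv/app/media_old" sharing a string prefix with
    "/srv/app/media"). Raises ValueError on rejection.
    """
    if not user_path or user_path != user_path.strip():
        raise ValueError("empty or whitespace-padded path")
    p = PurePosixPath(user_path)
    if p.is_absolute():
        raise ValueError(f"absolute path rejected: {user_path!r}")
    if ".." in p.parts:
        raise ValueError(f"parent reference rejected: {user_path!r}")
    base = os.path.normpath(base_dir)
    candidate = os.path.normpath(os.path.join(base, *p.parts))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"escapes base directory: {user_path!r}")
    return candidate


def is_confined(base_dir: str, user_path: str) -> bool:
    """True if resolve_inside accepts the path, False if it rejects it."""
    try:
        resolve_inside(base_dir, user_path)
        return True
    except ValueError:
        return False
```

This check is purely lexical: it cannot see a symlink already inside the base that points elsewhere. Where untrusted content can create links under the base, open the result with `os.path.realpath` re-checked against the base, or with `O_NOFOLLOW` on each component.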

  • CVE-2026-55692 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Summary With $wgEmbedVideoRequireConsent enabled (the default), the URLs for videos are stored in a JSON-ified data attribute `data-mw-iframeconfig`. When given a malformed URL or id, the data-mw-iframeconfig attribute can be escaped via single quotes, allowing for…

  • CVE-2026-55446 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss 0.00

    ### Summary An attacker can send a `/api/v1/files/upload/` request without any authentication token/cookies and abuse a very long multipart form boundary to make the langflow app unusable for all users for an indefinite amount of time. ### Details…

  • CVE-2026-55660 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    TinaCMS registers window message listeners — the useTina overlay handler, the OAuth authentication popup handler, and the admin↔preview iframe GraphQL reducer — that act on event.data without verifying event.origin or event.source, and post messages using non-specific…

  • CVE-2026-54074 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ## Description ### Summary `@tinacms/cli` contains a Remote Code Execution vulnerability in its Forestry-to-Tina migration command. The internal helper `addVariablesToCode` unquotes any value matching the marker `"__TINA_INTERNAL__:::(.*?):::"` inside the stringified…

  • CVE-2026-55691 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Summary The user supplied class value is fed directly into the sprintf call that creates HTML. You can add a quote to escape the class and then inject arbitrary html/javascript to the final output. ### Details The template [here](https://github.com/StarCitizenWiki/mediawiki-…

  • CVE-2026-55690 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Summary When passing an unknown service name to embedvideo, an error message is rendered containing the invalid service name. The service name is not sanitized and can contain HTML. ### Details There is a hardcoded list of allowed services in a switch statement inside…

  • CVE-2026-55091 · high · Jun 19, 2026
    risk 0.38 · cvss n/a · epss n/a

    ### Summary `convert()` builds the nested tree by using each flat record's `id` and `parent` field values directly as object keys, with no guard against `__proto__` / `constructor` / `prototype`. A record whose `parent` is the string `"__proto__"` makes `temp[parent]` resolve…