CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD
| CVE ID | CVSS | Severity | KEV | Observations |
|---|---|---|---|---|
| CVE-2026-25047 deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an ... | 8.8 | HIGH | — | 0 |
| CVE-2026-25046 Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command s... | 2.9 | LOW | — | 0 |
| CVE-2026-25040 Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite user... | 8.8 | HIGH | — | 0 |
| CVE-2026-24905 Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, ... | 7.8 | HIGH | — | 0 |
| CVE-2026-24904 TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(...)`.... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-24902 TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow... | 7.1 | HIGH | — | 0 |
| CVE-2026-24846 malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outs... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24845 malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker regis... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1625 A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-1624 A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-1340 A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-1281 A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution. | 9.8 | CRITICAL | KEV | 0 |
| CVE-2026-1623 A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injectio... | 6.3 | MEDIUM | — | 0 |
| CVE-2025-15288 Tanium addressed an improper access controls vulnerability in Interact. | 3.1 | LOW | — | 0 |
| CVE-2026-25068 alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function rea... | N/A | NONE | — | 0 |
| CVE-2026-24687 Umbraco Forms is a form builder that integrates with the Umbraco content management system. It's possible for an authenticated backoffice-user to enumerate and traverse paths/files on the systems file... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-22806 vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created wit... | 9.1 | CRITICAL | — | 0 |
| CVE-2025-69929 An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-69604 An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and F... | 7.8 | HIGH | — | 0 |
| CVE-2025-69516 A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged... | 8.8 | HIGH | — | 0 |
| CVE-2025-63658 A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the serve... | 7.5 | HIGH | — | 0 |
| CVE-2025-63657 An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the ... | 7.5 | HIGH | — | 0 |
| CVE-2025-63656 An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the ser... | 7.5 | HIGH | — | 0 |
| CVE-2025-63655 A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to ... | 7.5 | HIGH | — | 0 |
| CVE-2025-63653 An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the s... | 7.5 | HIGH | — | 0 |
| CVE-2025-63652 A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server... | 7.5 | HIGH | — | 0 |
| CVE-2025-63651 A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the serv... | 7.5 | HIGH | — | 0 |
| CVE-2025-63650 An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the serv... | 7.5 | HIGH | — | 0 |
| CVE-2025-63649 An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a craf... | 7.5 | HIGH | — | 0 |
| CVE-2025-15550 birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET re... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15549 FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can ... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-1610 A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded cre... | 8.1 | HIGH | — | 0 |
| CVE-2026-1601 A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName... | 6.3 | MEDIUM | — | 0 |
| CVE-2026-1457 An authenticated buffer handling flaw in TP-Link VIGI C385 V1 Web API lacking input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buff... | 8.8 | HIGH | — | 0 |
| CVE-2026-1453 A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant... | 9.8 | CRITICAL | — | 0 |
| CVE-2025-69749 Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | 6.1 | MEDIUM | — | 0 |
| CVE-2025-15548 Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffi... | 6.5 | MEDIUM | — | 0 |
| CVE-2025-15543 Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read‑only access to system files... | 4.6 | MEDIUM | — | 0 |
| CVE-2025-15542 Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of servi... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-15541 Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limi... | 6.3 | MEDIUM | — | 0 |
| CVE-2025-13399 A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requi... | 8.8 | HIGH | — | 0 |
| CVE-2026-24780 AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platfor... | 8.8 | HIGH | — | 0 |
| CVE-2026-24414 The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permission... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24413 Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\i... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-24054 Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image ... | 10.0 | CRITICAL | — | 0 |
| CVE-2026-23896 immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privile... | 7.2 | HIGH | — | 0 |
| CVE-2026-1600 A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-t... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1599 A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Chec... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-1598 A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information... | 3.5 | LOW | — | 0 |
| CVE-2025-45160 An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an ... | 5.4 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.