CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
Directus SSRF Protection Bypass Vulnerability in File Import Feature
A server-side request forgery (SSRF) vulnerability has been identified in Directus versions prior to 12.0.0. The issue arises in the file-import-from-URL feature, where the SSRF protection can be bypassed using the address 0.0.0.0. The application's IP denial list treats 0.0.0.0 as a keyword for local interfaces but fails to block the literal address. This oversight allows authenticated users with file-upload permissions to exploit the vulnerability by having the server fetch internal services through the /files/import endpoint, with the response returned as a downloadable file.
LightRAG Authentication Bypass Vulnerability in API-Key-Only Mode
An authentication bypass vulnerability has been identified in LightRAG versions through 1.4.15, when deployed with the LIGHTRAG_API_KEY set but AUTH_ACCOUNTS unset. In this configuration, the X-API-Key protection can be bypassed, allowing remote unauthenticated attackers to access endpoints guarded by combined_auth. This includes document read, upload, deletion, graph mutation, and query endpoints. The vulnerability arises because the application falls back to a hardcoded DEFAULT_TOKEN_SECRET, which can be exploited to mint guest JWTs that bypass the API key requirement.
LightRAG CORS Vulnerability Allows Credentialed Requests from Any Origin
A vulnerability in LightRAG prior to version 1.5.4 allows any origin to make credentialed requests to the API, exploiting a misconfiguration of Cross-Origin Resource Sharing (CORS) settings. The server defaulted to CORS_ORIGINS='*' while allowing credentials, which Starlette's CORSMiddleware interpreted as whitelisting all origins for authenticated requests. This flaw enabled malicious websites to access sensitive user data and perform destructive actions within the application.
FastGPT Unauthenticated Cross-Tenant Data Access Vulnerability via Forged JWT
A vulnerability in FastGPT version 4.15.0-beta4 allows unauthenticated cross-tenant data access through the exploitation of the plugin-invoke JWT authentication mechanism. The vulnerability arises because the INVOKE_TOKEN_SECRET, which is supposed to secure the reverse-call endpoints, defaults to a constant string 'token' and is not properly set in official deployment templates. This flaw enables an attacker to self-sign a JWT and access sensitive user information or manipulate chat files across different tenants.
FastGPT Shared Axios SSRF Guard Bypass Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in FastGPT versions prior to 4.15.0-beta5. The issue arises because the application's shared SSRF guard only validates the initial request URL before it is sent via Axios, which by default follows redirects. This flaw allows an authenticated workflow user to manipulate an HTTP request node to call a user-controlled public URL that redirects to cloud metadata, loopback, or internal services that the guard would normally block if requested directly. The HTTP node then returns the response body to the workflow caller, effectively bypassing the SSRF protection.
FastGPT Cross-Tenant Data Disclosure Vulnerability via Unbound initialId Lookup
A vulnerability in FastGPT versions 4.14.17 prior to 4.15.0-beta5 allows low-privileged tenant users to access another tenant's dataset quotes or full-text content. This occurs through the POST /api/core/chat/record/getCollectionQuote endpoint, where the initialId lookup is not properly bound to the authorized context. An attacker can exploit this by using their own valid appId, chatId, chatItemDataId, and collectionId, while supplying a victim's dataset data id as initialId. The issue is rooted in the fact that the endpoint authenticates the chat and collection context but fails to restrict the initialId lookup to the same tenant, leading to unauthorized data access.
Cursor Cloud Agent Browser Sandbox Escape Vulnerability Allowing Code Execution
A vulnerability existed in browser-enabled Cursor Cloud Agent sessions prior to the fix on March 31, 2026. This issue allowed attacker-controlled web content to connect from inside the agent container to an unauthenticated local agent endpoint. Exploitation of this vulnerability enabled code execution within the affected Cloud Agent sandbox or session. Additionally, it allowed access to files, repository contents, environment variables, credentials, and GitHub App access tokens available to that session. The vulnerability could be exploited by loading attacker-controlled content in a browser-capable Cloud Agent configuration.
F5 NGINX Plus MQTT Filter Module Heap Buffer Over-Read Vulnerability Leading to Denial-of-Service
A heap buffer over-read vulnerability has been identified in NGINX Plus versions 37.0.0.1 to 37.0.2.1 and in the NGINX Plus 5.x version range prior to 5.9.0, when the Message Queuing Telemetry Transport (MQTT) filter module is enabled. This vulnerability allows remote, unauthenticated attackers to send requests that cause a heap buffer over-read in the NGINX worker process, leading to a process restart. This issue affects the data plane only, with no exposure to the control plane.
NGINX Agent and NGINX Instance Manager Path Traversal Vulnerability Allowing Unauthorized File Access
A vulnerability exists in the NGINX Agent's config_dirs directive, which can be managed through NGINX Instance Manager. This issue allows a low-privileged, remotely authenticated attacker to read and write files outside the designated secure directory, potentially crossing important security boundaries.
F5 BIG-IP HTTP/2 Memory Resource Exhaustion Vulnerability Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in F5 BIG-IP systems when an HTTP/2 profile is active on a virtual server. Undisclosed requests can cause excessive memory usage, degrading system performance. This issue affects the Traffic Management Microkernel (TMM) process, which may require a manual or forced restart to recover. The vulnerability allows remote, unauthenticated attackers to disrupt service, creating a denial-of-service condition on the affected BIG-IP system.
NGINX Plus and NGINX Open Source ngx_http_ssi_module Heap Buffer Over-Read Vulnerability
A heap buffer over-read vulnerability has been identified in the ngx_http_ssi_module of NGINX Plus and NGINX Open Source. This issue arises when the Server-Side Includes (SSI), proxy_pass, and proxy_buffering off directives are configured. An unauthenticated attacker with man-in-the-middle capabilities to manipulate responses from an upstream server may exploit this vulnerability, potentially leading to limited memory modification or a restart of the NGINX worker process.
NGINX Ingress Controller Injection Vulnerability Allowing Arbitrary Configuration Directives
An injection vulnerability has been identified in the NGINX Ingress Controller, specifically in versions 3.6.0 to 3.7.2, 4.0.0 to 4.0.1, and 5.0.0 to 5.5.1. When the controller is used with Custom Resource Definitions (CRDs) or Ingress annotations, multiple user-controllable fields can be written into the generated NGINX configuration without proper sanitization. This flaw allows an authenticated attacker with permission to create or modify these CRDs or annotations to inject arbitrary NGINX configuration directives. The vulnerability is a control plane issue, with no exposure in the data plane.
Cloudreve WebDAV Path Traversal Vulnerability Allowing Access Outside Scoped Directory
A path traversal vulnerability has been identified in Cloudreve WebDAV accounts prior to version 4.16.1. The issue arises because the WebDAV request handler does not properly validate the request paths before joining them with the account's root directory. This flaw allows a WebDAV account rooted in a specific folder to access files outside of that folder. Additionally, if the WebDAV account has writable credentials, it can create, overwrite, move, or delete files outside the designated directory. The vulnerability is contained within the same user's namespace and does not affect other users' files or the operating system's filesystem.
Cloudreve Loopback URL SSRF Vulnerability in Remote Download Workflow
A server-side request forgery (SSRF) vulnerability has been identified in Cloudreve's remote download feature, prior to version 4.16.1. This issue allows non-admin users with remote download permissions to access internal URLs via the server's downloader. The vulnerability arises because the application fails to validate user-supplied URLs before processing them, leaving internal services exposed. Exploitation can be achieved by redirecting to loopback addresses or by directly accessing internal-only URLs, with the response being imported into the user's Cloudreve files.
Cloudreve OAuth Scope Bypass Vulnerability
A vulnerability in Cloudreve's OAuth implementation allows access tokens to bypass scope enforcement. This issue affects versions 4.12.0 through 4.16.0. The vulnerability arises because access tokens are issued without the 'client_id' claim, leading the JWT verifier to skip loading token scopes into the request context. As a result, low-scope tokens can access APIs requiring higher scopes, such as file management, sharing, workflow, user settings, WebDAV accounts, and potentially admin privileges.
NGINX Ingress Controller Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in NGINX Ingress Controller versions 3.6.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.5.1. When the Ingress Controller processes Ingress or TransportServer resources, an authenticated, remote attacker with permission to create or modify these resources can cause the Ingress Controller process to terminate. This leads to a persistent crash loop in the control plane, while the malformed resource remains in the cluster. There is no exposure in the data plane; the issue is confined to the control plane.
NGINX Plus and NGINX Open Source Heap Buffer Overflow Vulnerability via Regex Map Directive
A vulnerability allowing for a heap buffer overflow has been identified in NGINX Plus (versions 37.0.0.1 to 37.0.2.1) and NGINX Open Source (versions 1.31.2, 1.30.0 to 1.30.3) when the map directive employs regex matching. The issue arises if a string expression references the map's regex capture variables before the map output variable, or by using a non-cacheable variable in a string expression under certain conditions. This vulnerability can be exploited by an unauthenticated attacker, under conditions beyond their control, by sending crafted HTTP requests. The buffer overflow occurs in the NGINX worker process, potentially leading to a restart. Furthermore, on systems with Address Space Layout Randomization (ASLR) disabled or where ASLR can be bypassed, this vulnerability may allow for code execution.
Redash Open Redirect Vulnerability in Authentication Module
An open redirect vulnerability has been identified in Redash versions 5.0.2 through 26.3.0. The issue arises in the authentication module's get_next_path() function, which improperly handles user-supplied next parameters. While the function strips the scheme and netloc, it fails to normalize multiple leading slashes. This oversight allows crafted login URLs to redirect users to external, attacker-controlled sites after authentication. The vulnerability affects all authentication methods, including password login, Google OAuth, LDAP, and remote user authentication.
Fortinet FortiSIEM Cross-Site Scripting Vulnerability
A cross-site scripting (XSS) vulnerability has been identified in Fortinet FortiSIEM versions 7.4.0, 7.3.0 through 7.3.4, 7.2.0 through 7.2.6, and all versions of FortiSIEM 7.1, 7.0, 6.7, 6.6, 6.5, and 6.4. This vulnerability allows a privileged administrator to execute unauthorized commands by sending crafted requests that exploit improper handling of script-related HTML tags.
Cornac Path Traversal Vulnerability Allowing Arbitrary File Write
A path traversal vulnerability has been identified in Cornac versions prior to 2.6.0. This vulnerability, classified as a 'Tar Slip' issue, allows attackers to write arbitrary files outside the designated cache directory. The vulnerability arises from the _extract_archive() function in cornac/utils/download.py, which can be exploited by sending a crafted TAR archive that includes ../ sequences, absolute paths, or symlink/hardlink entries. The built-in dataset loaders can trigger this vulnerability by automatically downloading and extracting archives, which causes archive.extractall() to write files to unintended locations on the filesystem that are accessible to the running process.
Huawei HarmonyOS and EMUI Vibration Service Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in the vibration service of Huawei's HarmonyOS and EMUI. This vulnerability affects several different versions and could lead to a disruption in service availability.
Huawei HarmonyOS and EMUI Permission Control Vulnerability in the File System
A permission control vulnerability has been identified in the file system of Huawei devices running HarmonyOS versions 4.3.1, 4.3.0, 4.2.0, 4.0.0, as well as EMUI versions 15.0.0, 14.2.0, and 14.0.0. This vulnerability could be exploited to improperly manage permissions, potentially leading to unauthorized access or modification of files.
Huawei HarmonyOS Design Defect Vulnerability in Expedition Mode Allowing Denial-of-Service
A design defect vulnerability has been identified in Expedition mode of Huawei's HarmonyOS 6.1.0. This vulnerability can be exploited to cause a denial-of-service, impacting the availability of the service.
Huawei HarmonyOS and EMUI Bluetooth Module Permission Control Vulnerability
A permission control vulnerability has been identified in the Bluetooth module of Huawei devices running HarmonyOS versions 4.3.1, 4.3.0, 4.2.0, 4.0.0, as well as EMUI versions 15.0.0, 14.2.0, and 14.0.0. This vulnerability could be exploited to affect the availability of the service.
Huawei HarmonyOS Permission Bypass Vulnerability in Card Module
A permission bypass vulnerability has been identified in the card module of Huawei devices running HarmonyOS 6.1.0. This vulnerability allows for unauthorized access or actions that could disrupt the normal functioning of the device.
Huawei HarmonyOS and EMUI Permission Control Vulnerability in the Settings Module
A permission control vulnerability has been identified in the Settings module of Huawei's HarmonyOS and EMUI. This vulnerability affects several different versions and could lead to unauthorized access or manipulation of settings, potentially compromising service confidentiality.
Huawei HarmonyOS and EMUI Out-of-Bounds Read Vulnerability in Image Codec Module
A vulnerability allowing out-of-bounds read has been identified in the image codec module of Huawei's HarmonyOS and EMUI. This vulnerability affects several different versions and could lead to unauthorized access to service confidentiality.
Huawei HarmonyOS and EMUI Out-of-Bounds Read Vulnerability in Image Codec Module
A vulnerability allowing out-of-bounds read has been identified in the image codec module of Huawei HarmonyOS and EMUI. This vulnerability affects several different versions and ranges, including HarmonyOS4.3.0, HarmonyOS6.1.0, and various EMUI versions. Successful exploitation of this vulnerability may impact service confidentiality.
Huawei HarmonyOS Out-of-Bounds Read Vulnerability in Image Codec Module
A medium-severity out-of-bounds read vulnerability has been identified in the image codec module of HarmonyOS. This vulnerability affects several different versions and may lead to unauthorized access to service confidentiality.
Huawei HarmonyOS and EMUI Out-of-Bounds Read Vulnerability in Image Codec Module
A vulnerability allowing out-of-bounds read has been identified in the image codec module of Huawei HarmonyOS and EMUI. This vulnerability affects several different versions and may lead to unauthorized access to sensitive information, impacting service confidentiality.
Huawei HarmonyOS Out-of-Bounds Read Vulnerability in Image Codec Module
A medium-severity out-of-bounds read vulnerability has been identified in the image codec module of Huawei HarmonyOS devices. This vulnerability, present in HarmonyOS 6.1.0, can be exploited to affect service confidentiality.
ICU Scandinavia Boomerang Missing Authentication Vulnerability in Device Receiver Endpoints
A missing authentication vulnerability has been identified in ICU Scandinavia Boomerang, affecting all versions prior to 2.4.18.029. The flaw resides in the device receiver endpoints, where the absence of authentication allows unauthenticated remote attackers to access full facility configurations and write unauthorized data to the sensor database.
ICU Scandinavia Boomerang Information Disclosure Vulnerability
A vulnerability in ICU Scandinavia Boomerang allows for information disclosure by exposing sensitive credential files via static HTTP. This flaw affects all versions prior to 2.4.18.029. An unauthenticated remote attacker can retrieve plaintext service account and SMTP credentials by requesting specific XML files from the webroot.
CRI-O Home Environment Variable Injection Vulnerability Allowing Arbitrary Line Addition to /etc/passwd
A vulnerability exists in CRI-O due to an incorrect fix for a previous issue (CVE-2022-4318), allowing the vulnerability to be bypassed. An attacker who can set environment variables in a container can inject a newline character into the HOME variable. This injection enables the addition of arbitrary lines to the /etc/passwd file by using a specially crafted environment variable. The vulnerability is present in CRI-O versions prior to 1.26.0.
Samba pam_winbind Home Directory Ownership Vulnerability Allowing Denial-of-Service
A vulnerability exists in Samba's pam_winbind module, specifically in versions 4.19.x and 4.23.x, when the mkhomedir option is enabled. The module improperly changes the ownership of user home directories without checking if the path is a critical system directory, such as the root directory (/). This flaw can be exploited by non-root users with limited sudo privileges to alter the ownership of the root directory, leading to significant disruptions in system operations that rely on proper file ownership, such as SSH, sudo, and package management. While the ownership change does not allow writing to the root directory due to its default permissions, the incident still causes considerable operational issues.
Grav Form Plugin Arbitrary File Write Vulnerability
An arbitrary file write vulnerability has been identified in the Grav Form plugin, affecting versions prior to 9.1.8. The issue arises in the 'process.save.filename' parameter, which is initially validated against path traversal before being processed by Twig templates. However, this validation is not reapplied after rendering, creating a time-of-check to time-of-use (TOCTOU) vulnerability. Attackers can exploit this by submitting form data with path traversal sequences, which are then processed through Twig, allowing them to write arbitrary files, including PHP webshells, to the web root or other sensitive directories.
ImageMagick Memory Leak Vulnerability in TIFF Encoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. The issue arises in the TIFF encoder when an invalid 'tiff:tile-geometry' is provided. Supplying malformed tile geometry parameters leads to allocated memory not being released, causing increased memory consumption.
ImageMagick Memory Leak Vulnerability in ICON Decoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. The issue arises in the ICON decoder when a memory allocation fails, leading to leaked memory. This vulnerability could be exploited by processing a crafted ICON file that triggers the allocation failure, potentially causing a denial-of-service condition.
ImageMagick Memory Leak Vulnerability in MIFF Encoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. The issue arises in the MIFF encoder when a memory allocation fails during image processing, leading to a denial-of-service condition.
ImageMagick Memory Leak Vulnerability in YUV Decoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and in the 6.9.x series prior to 6.9.13-51. The issue arises in the YUV decoder when the software fails to open a blob, leading to a memory leak. This vulnerability can be exploited repeatedly, causing resource exhaustion and a denial-of-service condition.
ImageMagick Memory Leak Vulnerability in TIFF Encoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26, specifically within the TIFF encoder. This vulnerability arises when memory allocation fails, leading to a small memory leak. Attackers can exploit this issue by triggering allocation failures during the processing of TIFF images, causing memory exhaustion and resulting in a denial-of-service condition.
ImageMagick Memory Leak Vulnerability in JNG Encoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26. This issue occurs in the JNG encoder when a blob cannot be opened. Attackers can exploit this vulnerability by sending malformed JNG files that disrupt blob operations, leading to resource exhaustion.
ImageMagick Memory Leak Vulnerability in Hough Lines Operation
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. The issue arises in the hough lines operation, where a specific operation failure leads to a small but notable memory leak.
ImageMagick Memory Leak Vulnerability in Log Colorspace Transformation
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. The issue occurs during color transformation to the log colorspace, where a small amount of memory is not released if the operation fails.
ImageMagick Memory Leak Vulnerability in TIFF Encoder
A memory leak vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and in the 6.x series prior to 6.9.13-51. The issue arises in the TIFF encoder when a temporary file cannot be created, leading to a small but notable memory leak.
ImageMagick Information Disclosure Vulnerability via Identify Command
An information disclosure vulnerability exists in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. When the identify command is used to display a profile with non-printable values, a single byte can be read past the profile boundary. This issue arises with debug output enabled.
ImageMagick Use-After-Free Vulnerability in Freetype Initialization
A use-after-free vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. This vulnerability arises when the initialization of freetype fails, leading the application to continue using memory that has already been freed. The issue can be triggered during image processing, potentially causing a denial-of-service condition.
ImageMagick Policy Bypass Vulnerability in Script Operation
A policy bypass vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and in the 6.9.13-x series prior to 6.9.13-51. The vulnerability arises in the '-script' operation, where missing security policy checks allow files to be read from paths that the security policy would normally restrict.
ImageMagick Heap-Based Buffer Over-Write Vulnerability via X11 Import
A heap-based buffer over-write vulnerability has been identified in ImageMagick versions prior to 7.1.2-26 and 6.9.13-51. This vulnerability occurs during an X11 import when a crafted window title is used, leading to heap memory corruption and a denial-of-service condition.
Grav API Plugin File Upload Extension Bypass Vulnerability Allowing Remote Code Execution
A file upload extension bypass vulnerability has been identified in the Grav API plugin (getgrav/grav-plugin-api) versions prior to 1.0.3. The issue resides in the API media controller, specifically within the HandlesMediaUploads::validateFileExtension() method, which only checks the final file extension. This flaw allows users with api.media.write permission to upload files with double extensions, such as shell.php.jpg, circumventing the blocklist of dangerous extensions. If the web server executes the file as PHP, this could lead to remote code execution.
