CVE Catalog

Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.

Jun 1, 2026

GPAC Project MP4Box NULL Pointer Dereference Vulnerability in AC4 Stream Parsing

A NULL pointer dereference vulnerability has been identified in GPAC Project MP4Box versions prior to 26.02.0. The issue arises in the 'gf_ac4_pres_b_4_back_channels_present' function within 'media_tools/av_parsers.c'. When processing crafted AC-4 files, the parser fails to validate substream group references before accessing presentation data. This oversight allows for a NULL pointer dereference, leading to a segmentation fault and causing a denial-of-service condition.

4.5
Jun 1, 2026

GPAC Project MP4Box NULL Pointer Dereference Vulnerability in AC4 Descriptor Parsing

A NULL pointer dereference vulnerability has been identified in the GPAC Project's MP4Box, specifically in versions prior to 26.02.0. The issue arises in the 'gf_odf_ac4_cfg_dsi_v1' function within 'odf/descriptors.c'. When processing crafted AC4 audio streams, the parser fails to properly validate the 'frame_rate_index', allowing for an out-of-bounds read that leads to a process crash. This vulnerability can be exploited by supplying a specially crafted AC4 file, causing a denial-of-service condition.

4.5
Jun 1, 2026

GPAC MP4Box Heap Buffer Overflow Vulnerability in MPEG-2 TS Demuxer

A heap buffer overflow vulnerability has been identified in GPAC MP4Box version 2.5-DEV-rev1644-g8e3b5e1dd-master, specifically within the 'm2tsdmx_send_packet' function of the MPEG-2 Transport Stream demuxer. This vulnerability allows attackers to cause a denial-of-service condition by processing a crafted MP4 file that exploits the demuxer's failure to properly validate data sizes before memory copy operations. The issue arises when the demuxer encounters corrupted packet structures, which can lead to an invalidly large copy size being used, triggering the heap buffer overflow.

3.6
Jun 1, 2026

Vertex Path Traversal Vulnerability Allowing Arbitrary File Read

A path traversal vulnerability has been identified in Vertex, a management tool for Private Tracker users. This issue affects versions through 0baf55aea6c5de297834d5cc11bacf5cc8ddea75. The vulnerability allows for multiple file traversals, enabling unauthorized access to files outside the intended directory. Exploitation can be achieved by manipulating the file path in requests, potentially leading to the disclosure of sensitive files such as '/etc/passwd'.

4.7
Jun 1, 2026

Mozilla Firefox for iOS Reader View JSON-LD Injection Vulnerability Leading to Arbitrary JavaScript Execution

A vulnerability exists in Firefox for iOS Reader View due to improper escaping of HTML tags in JSON-LD metadata. This flaw allows a malicious page to inject markup that alters Reader View behavior and exposes sensitive URL parameters. These leaked parameters could be used to access internal pages, potentially enabling arbitrary JavaScript execution within an internal origin. The issue has been addressed in Firefox for iOS version 151.2.

5.4
Jun 1, 2026

Mozilla Firefox for iOS Reader View Arbitrary JavaScript Execution Vulnerability

A vulnerability in the Reader View of Firefox for iOS has been identified, allowing for arbitrary execution of JavaScript. This issue arises because the Reader View improperly ordered the replacement of page content with its HTML template, leaving room for exploitation. A malicious page could insert a placeholder string that would later be replaced with JSON-LD data, potentially leading to the execution of arbitrary JavaScript. This vulnerability affects Firefox for iOS versions prior to 151.2.

5.3
Jun 1, 2026

Imagination Technologies GPU Driver Arbitrary Write Vulnerability in Firmware via Improper Command Handling

A vulnerability exists in the GPU driver development kit (DDK) within the Imagination Technologies graphics driver, specifically in DDK releases up to and including 26.1 RTM1. This vulnerability allows kernel software running in a guest or host virtual machine to send improper commands to the GPU firmware, triggering unauthorized writes to firmware memory outside the designated GPU memory boundaries. The issue arises from a logic error in address translation, which enables a compromised host kernel to perform arbitrary writes to firmware memory.

1.7
Jun 1, 2026

QOS.CH Logback Deserialization Vulnerability in Logback-Core Module

A deserialization vulnerability allowing object injection has been identified in QOS.CH Logback versions through 1.5.33 inclusive. This issue arises in the Logback-Core module's HardenedObjectInputStream, where an attacker can influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer, potentially leading to the instantiation of Proxy objects. While the HardenedObjectInputStream imposes strict limitations on deserialization and no practical method for achieving remote code execution or significant privilege escalation has been found, this vulnerability bypasses intended security measures.

3.6
Jun 1, 2026

itsourcecode Content Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in itsourcecode Content Management System version 1.0. The issue resides in the file '/admin/add_sub_topic.php', where the 'topic_id' parameter is not properly sanitized, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, potentially leading to unauthorized database access, data manipulation, and disruption of service.

4.8
Jun 1, 2026

itsourcecode Content Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in itsourcecode Content Management System version 1.0. The issue arises in the file '/admin/update_ss_img.php', where the 'topic_id' parameter is not properly sanitized, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, potentially leading to unauthorized database access, data manipulation, and disruption of service.

4.7
Jun 1, 2026

itsourcecode Content Management System SQL Injection Vulnerability in save_comment.php

A SQL injection vulnerability has been identified in the itsourcecode Content Management System version 1.0. The issue resides in the save_comment.php file, where the 'name' parameter can be manipulated to inject malicious SQL queries. This vulnerability allows for remote exploitation, as the application does not properly sanitize user input before executing SQL commands. Exploitation can lead to unauthorized database access, data manipulation, and potential disruption of service.

4.7
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System Broken Access Control Vulnerability

A broken access control vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue resides in the 'sell_statement' function of 'application/controllers/ShowForm.php', where improper access controls allow unauthenticated users to view sensitive sales records. This vulnerability can be exploited remotely, and a similar issue exists in the 'supplier_payment' endpoint, exposing supplier payment information.

5.1
Jun 1, 2026

SourceCodester Pet Grooming Management Software Directory Traversal Vulnerability

A directory traversal vulnerability has been identified in SourceCodester Pet Grooming Management Software version 1.0. The issue resides within an unknown function of the file '/admin/', where the application fails to properly validate and sanitize user-submitted data. This oversight allows remote attackers to traverse directories and access sensitive file and directory information, particularly within the '/admin/include', '/admin/operation', and '/admin/assets' directories.

4.7
Jun 1, 2026

Itsourcecode Online House Rental System SQL Injection Vulnerability in Payment Management File

A SQL injection vulnerability has been identified in the Online House Rental System version 1.0, specifically within the manage_payment.php file. This vulnerability arises from inadequate validation of the 'id' parameter, allowing remote attackers to inject malicious SQL queries. The exploitation of this vulnerability could lead to unauthorized database access, data manipulation, and exposure of sensitive information.

5.6
Jun 1, 2026

Itsourcecode Online House Rental System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Online House Rental System version 1.0, specifically within the manage_tenant.php file. This vulnerability arises from inadequate validation of the 'id' parameter, allowing remote attackers to inject malicious SQL queries. The exploitation of this vulnerability could lead to unauthorized access to the database, manipulation of data, and exposure of sensitive information.

5.6
Jun 1, 2026

Itsourcecode Online House Rental System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Online House Rental System version 1.0. The issue arises in the '/ajax.php' file, specifically within an unknown function handling the 'login' action. The vulnerability allows remote attackers to inject malicious SQL code through the 'username' parameter, which is then executed in SQL queries without proper validation or sanitization. This flaw could lead to unauthorized database access, data manipulation, and exposure of sensitive information.

5.7
Jun 1, 2026

Apache Fesod (Incubating) UrlImageConverter Component Server-Side Request Forgery Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the UrlImageConverter component of Apache Fesod (Incubating) versions prior to 2.0.2-incubating. This vulnerability allows attackers to send outbound network requests to internal or otherwise restricted resources by exploiting a user-supplied image URL.

3.2
Jun 1, 2026

Trac PDBM Hard-Coded Secret Vulnerability Allowing Credential Exposure

A vulnerability exists in Trac d.o.o. Process Database Manager (PDBM) version 1.0.0.0, where a static, hard-coded secret is embedded in the PDBM.exe executable. This secret is utilized in the application's encryption routines, including the decryption of credentials stored in the configuration file. Since the secret is identical across all installations, an attacker with local high privileges can extract it from the binary. Once the secret is obtained, it can be used to decrypt the administrative password saved in the configuration file, allowing authentication as the specified user. This user has full access to PDBM's management interface and operational functions, potentially leading to unauthorized actions within the application and connected ICS/OT environments.

2.0
Jun 1, 2026

Orca Energy Missing Authentication and Clear-Text Transmission Vulnerability in Heat Pumps Allowing Stored Cross-Site Scripting

A vulnerability exists in older Orca heat pump devices that communicate with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port. This vulnerability arises from missing authentication, clear-text transmission of data, and lack of input validation on aggregated data. As a result, an attacker can impersonate a legitimate device, inject malicious payloads, and exploit a stored cross-site scripting (XSS) vulnerability in the Orca user portal. The injected scripts can execute in the context of the user's browser, leading to cookie theft from the heat pump's web control interface.

2.8
Jun 1, 2026

Itsourcecode Online Blood Bank Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Online Blood Bank Management System version 1.0. The issue arises in the '/admin/campsdetails.php' file, where the 'hospital' parameter is not properly validated, allowing attackers to inject malicious SQL queries. This vulnerability can be exploited remotely, leading to unauthorized database access, data manipulation, and potential leakage of sensitive information.

5.2
Jun 1, 2026

Online Blood Bank Management System SQL Injection Vulnerability

A SQL injection vulnerability has been identified in the Online Blood Bank Management System version 1.0. The issue resides in the file '/admin/viewrequest.php', where the 'id' parameter can be manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, without any authentication or authorization.

4.8
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System CSV Injection Vulnerability

A CSV injection vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System versions through 1.0. The issue arises in the supplier creation interface, specifically within the 'create_supplier' function of the '/Export_csv/export' file. The vulnerability allows for the injection of malicious formulas into CSV exports by exploiting unsanitized user input in fields such as 'Address', 'Company Name', 'Mobile', and 'Previous Due'. When the exported CSV file is opened in spreadsheet applications like Microsoft Excel or WPS Spreadsheet, these formulas are executed, potentially leading to unauthorized actions.

3.7
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'create_generic_name' function within the file '/ShowForm/create_generic_name/main'. The vulnerability allows remote attackers to inject malicious scripts through the 'generic_name' parameter, which are then executed in the context of the user's browser.

4.2
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'create_medicine_presentation' function within the '/ShowForm/create_medicine_presentation/main' file. The vulnerability allows remote attackers to inject malicious scripts through the 'medicine_presentation' parameter, which are then executed in the context of the user's browser.

4.3
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'create_supplier' function within the file '/ShowForm/create_supplier/main'. The vulnerability allows remote attackers to inject malicious scripts by manipulating the 'company_name' parameter, which is then output to the web page without proper encoding or filtering. This flaw could be exploited to execute arbitrary scripts in the context of the user's browser, potentially leading to unauthorized actions or the theft of sensitive information such as cookies or session tokens.

4.2
Jun 1, 2026

SourceCodester Pharmacy Sales and Inventory System Cross-Site Scripting Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in SourceCodester Pharmacy Sales and Inventory System version 1.0. The issue arises in the 'create_medicine_name' function within the '/ShowForm/create_medicine_name/main' file. The vulnerability allows remote attackers to inject malicious scripts through the 'medicine_name' parameter, which are then executed in the context of the user's browser. This exploitation can lead to unauthorized actions being performed on behalf of the user, such as stealing cookies or session tokens.

4.2
Jun 1, 2026

DELMIA Service Process Engineer Process Experience Studio Stored Cross-Site Scripting Vulnerability

A stored cross-site scripting vulnerability has been identified in the Process Experience Studio component of DELMIA Service Process Engineer. This vulnerability affects releases from 3DEXPERIENCE R2024x to R2026x, allowing attackers to execute arbitrary script code in the context of the user's browser session.

3.7
Jun 1, 2026

Stormshield Network Security Reflected Cross-Site Scripting Vulnerability in Login API

A reflected cross-site scripting vulnerability has been identified in the login API of Stormshield Network Security (SNS) appliances. This issue affects versions 4.3.0 to 4.3.41, 4.8.0 to 4.8.15, and 5.0.0 to 5.0.5. The vulnerability allows an attacker to execute a script on the victim's machine, potentially leading to the theft of cookies or other sensitive information, as well as unauthorized modifications to page behavior, such as redirecting the victim to malicious websites.

3.8
Jun 1, 2026

No Magic Teamwork Cloud and CATIA Magic Collaboration Studio Deserialization Vulnerability Leading to Remote Code Execution

A deserialization vulnerability allowing unauthenticated remote code execution has been identified in Teamwork Cloud (No Magic Releases 2022x to 2026x) and Magic Collaboration Studio (CATIA Magic Releases 2022x to 2026x).

3.5
Jun 1, 2026

Apache Fluss Netty Frame Decoder Memory Exhaustion Vulnerability

A denial-of-service vulnerability has been identified in Apache Fluss (incubating) versions prior to 0.9.1. The issue arises because the Netty LengthFieldBasedFrameDecoder is configured with Integer.MAX_VALUE as the maximum frame length. This allows unauthenticated remote attackers to send specially crafted frame headers that exhaust the JVM heap memory on both TabletServer and CoordinatorServer, leading to a denial-of-service condition.

3.4
Jun 1, 2026

Apache Airflow JWT Token Exposure Vulnerability in KubernetesExecutor

A vulnerability in Apache Airflow's KubernetesExecutor prior to version 3.2.2 allows JWT tokens used by worker pods for authentication with the Execution API to be exposed as command-line arguments in the pod specification. This issue enables an authenticated user with Kubernetes read-only access in the Airflow namespace to extract the JWT from the pod details and use it to access state-mutating Execution API endpoints. As a result, the user could trigger DAG runs, clear task runs, and read or write Variables, Connections, or XComs, effectively impersonating a running task. This vulnerability is part of a larger issue also addressed by CVE-2026-27173, and users should upgrade to Apache Airflow 3.2.2 or later to mitigate it.

4.6
Jun 1, 2026

Apache ActiveMQ Broker, ActiveMQ, and ActiveMQ All Durable Subscription Disclosure Vulnerability

A vulnerability allowing the exposure of sensitive information through metadata has been identified in Apache ActiveMQ Broker, ActiveMQ, and ActiveMQ All. This issue affects brokers configured with a network connector that has syncDurableSubs set to true. An unauthenticated attacker can exploit this vulnerability by sending a BrokerInfo command, which prompts the broker to disclose a list of all durable topic subscriptions. The response includes client identifiers, subscription names, topic destinations, and JMS selector expressions. The broker fails to authenticate the connection before responding, leading to unauthorized information disclosure. This vulnerability exists in Apache ActiveMQ Broker versions prior to 5.19.7 and from 6.0.0 prior to 6.2.6, as well as in Apache ActiveMQ and Apache ActiveMQ All versions within the same ranges.

5.9
Jun 1, 2026

Apache Airflow EmailOperator SMTP STARTTLS Certificate Validation Vulnerability

A vulnerability exists in Apache Airflow's EmailOperator and the associated 'airflow.utils.email' helpers, specifically in versions 2.0.0 prior to 3.2.2. The issue arises when deployments are configured with 'smtp_starttls=True' and 'smtp_ssl=False', allowing an attacker to intercept the SMTP STARTTLS connection. In this scenario, the attacker could present a self-signed certificate, leading the Airflow worker to complete the STARTTLS handshake without verification. This exploitation could result in the interception of SMTP AUTH credentials and the contents of forwarded messages, particularly in environments where the SMTP relay is on a less-trusted network segment than the worker.

5.5
Jun 1, 2026

Apache ActiveMQ Incorrect Default Permissions Vulnerability in Jolokia Authorization

A vulnerability exists in Apache ActiveMQ versions prior to 5.19.7 and 6.0.0 prior to 6.2.6, where default Jolokia authorization settings improperly granted low-privilege web-login accounts access to broker management operations intended for admins. This allowed these users to execute commands such as addQueue and removeQueue. The vulnerability arises from incorrect default permissions that enable non-admin users to perform administrative tasks via Jolokia.

4.7
Jun 1, 2026

Apache MINA SSHD Path Traversal Vulnerability in sshd-git

A path traversal vulnerability has been identified in the Apache MINA SSHD component 'sshd-git'. This vulnerability arises from inadequate path validation in several git operations, including 'git-upload-pack' and 'git-receive-pack'. As a result, users authenticated via SSH can access git repositories located outside the designated git server root directory. This issue affects Apache MINA SSHD versions 2.0.0 through 2.17.1, as well as pre-release milestones 3.0.0-M1 to 3.0.0-M3, but only in applications that utilize 'sshd-git'.

3.8
Jun 1, 2026

Apache Airflow JWT Token Invalidation Vulnerability in FabAuthManager and KeycloakAuthManager

A vulnerability in Apache Airflow's authentication managers, FabAuthManager and KeycloakAuthManager, allowed previously-issued JSON Web Tokens (JWT) to remain valid after a user logged out. The logout process did not properly invoke the token revocation function, leaving the JWT accepted by the API server until it naturally expired. This issue could be exploited by an attacker with access to a JWT of a logged-out user, enabling them to make authenticated API calls as that user. The vulnerability affects Apache Airflow versions prior to 3.2.2.

5.3
Jun 1, 2026

Apache Airflow Event Log Detail Endpoint Permission Bypass Vulnerability

A vulnerability exists in the Apache Airflow Event Log detail endpoint `GET /api/v2/eventLogs/{event_log_id}` prior to version 3.2.2. This endpoint retrieves audit-log rows by numeric ID, after only a basic Audit Log permission check. In contrast, the collection endpoint `GET /api/v2/eventLogs` enforces per-DAG permission scoping. As a result, an authenticated user with audit-log read permission for one DAG could access audit-log entries for other DAGs by guessing or enumerating event log IDs. This issue affects deployments that depend on per-DAG audit-log scoping.

4.5
Jun 1, 2026

Apache ActiveMQ Incomplete Authorization Vulnerability Allowing Destination Removal

A vulnerability exists in Apache ActiveMQ in versions prior to 5.19.7 and in the 6.0.0 series prior to 6.2.6. This vulnerability stems from incomplete authorization, which allows authenticated connections with the appropriate permissions to remove existing destinations. The issue is present in Apache ActiveMQ Broker, Apache ActiveMQ All, and Apache ActiveMQ, all within the specified version ranges.

4.7
Jun 1, 2026

Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ Code Injection Vulnerability via Non-parenthesized Discovery Wrappers

A code injection vulnerability has been identified in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ. This issue arises from improper input validation in non-parenthesized discovery wrappers, which allows authenticated attackers to bypass security measures and execute arbitrary code on the broker's JVM. The vulnerability is exploited through the Jolokia JMX-HTTP bridge, where the default access policy permits execution operations on ActiveMQ MBeans. By crafting a specific discovery URI, an attacker can manipulate the VM transport's brokerConfig parameter to load a remote Spring XML application context. This exploitation takes place before the BrokerService validates the configuration, leading to unauthorized code execution via bean factory methods such as Runtime.exec().

4.8
Jun 1, 2026

Apache Airflow Log Server JWT Authorization Bypass Vulnerability Allowing Cross-DAG Log Access

A vulnerability exists in Apache Airflow's log server JWT authorization process, specifically in versions 3.0.0 prior to 3.2.2. The issue arises because the log server applies Python's 'str.lstrip()' method to the requested path segment when verifying the JWT's 'sub' claim. This method does not strip a literal prefix; it removes every leading character that belongs to the given set, so a JWT issued for a DAG named 'dag_a' could authorize log access to any other DAG whose name started with any combination of the characters '{d, a, g, _}'. As a result, an authenticated Airflow worker could potentially access and read logs from other DAGs that shared a similar name prefix, thereby leaking task outputs and error traces across DAG boundaries. This vulnerability affects deployments with multi-team, shared-executor, and shared-worker topologies that rely on per-DAG log access scoping.

3.9
Jun 1, 2026

Apache Airflow Arbitrary Class Import Vulnerability in Deadline Reference Deserialization

A vulnerability exists in Apache Airflow's scheduler-side deadline-reference decoder, specifically in versions prior to 3.2.2. The issue arises because the decoder imports and dispatches arbitrary class paths from DAG-author-controlled serialized state without any allowlist or plugin-registry validation. In environments where DAG-author code is less trusted than the scheduler process, a DAG author could embed a custom 'DeadlineReference' that references an attacker-controlled module path. This would lead the scheduler to import the specified class and instantiate it with an active SQLAlchemy session. The vulnerability is particularly concerning in single-host deployments where the DAG bundle can be imported by the scheduler.

4.2
Jun 1, 2026

Apache Solr Hardcoded Credentials in Basic Authentication Setup Tool Allow Administrative Access

A vulnerability exists in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0, where hardcoded credentials in the Basic Authentication setup tool enable remote attackers to gain full administrative access to the cluster. This is achieved through publicly known default credentials that are silently installed alongside the user-specified account. The vulnerability arises when the 'bin/solr auth enable' command is used to bootstrap Basic Authentication, creating template users with default passwords that can be exploited. Clusters that have not used this command or have assigned strong passwords to the template users after bootstrapping are not affected.

5.1
Jun 1, 2026

Apache ActiveMQ Broker, All, and Classic Remote Code Execution Vulnerability via Jolokia JMX-HTTP Bridge

A code injection vulnerability allowing remote code execution has been identified in Apache ActiveMQ Broker, ActiveMQ All, and ActiveMQ Classic. This issue arises from improper input validation and control over code generation. The Jolokia JMX-HTTP bridge is exposed by default on the web console, and the access policy allows execution operations on all ActiveMQ MBeans. An authenticated attacker can exploit this by sending a crafted discovery URI that triggers the VM transport's brokerConfig parameter, using the 'masterslave://' URL to load a Spring XML application context. This exploitation occurs because Spring's ResourceXmlApplicationContext instantiates singleton beans before the BrokerService can validate the configuration, leading to arbitrary code execution on the broker's JVM through methods like Runtime.exec().

4.8
Jun 1, 2026

Apache Airflow Rendered Template Truncation Bypasses Nested Sensitive-Key Masking Vulnerability

A vulnerability in Apache Airflow prior to version 3.2.2 allows for the bypass of nested sensitive-key masking in rendered-template fields. When a rendered field exceeded the maximum templated field length, Airflow converted the structure to a string before redaction, losing the context of nested keys such as 'password', 'token', 'secret', or 'api_key'. This resulted in plaintext values being saved into 'rendered_fields', potentially exposing sensitive information. The issue affects deployments where DAG authors use structured JSON with nested sensitive keys. This vulnerability is related to CWE-200 and is a continuation of an earlier issue addressed in CVE-2025-68438, which did not fully cover nested sensitive keywords.

5.1
Jun 1, 2026

Apache Airflow XCom PATCH Endpoint Reserved Key Vulnerability Leading to Authenticated Remote Code Execution

A vulnerability in Apache Airflow's XCom PATCH endpoint allowed authenticated users with XCom write permission to overwrite entries under reserved key names, such as 'return_value'. This exploitation was possible because the PATCH endpoint did not enforce the same key validation as the POST endpoint, creating a bypass. Additionally, the endpoint accepted serialized payloads that could be interpreted as code, leading to remote code execution when the affected task was deferred. This issue impacts deployments where untrusted users can write to XCom on DAGs whose tasks are deferred.

5.0
Jun 1, 2026

Apache Airflow Variable Masking Bypass Vulnerability in Deeply-Nested JSON Values

A vulnerability in Apache Airflow's Variable response masker allows for the bypass of nested-key redaction for sensitive key names such as 'password', 'token', 'secret', and 'api_key'. This issue arises when the JSON value's nesting depth exceeds the masker's recursion limit, causing the masker to return the original nested item before verifying the key name. As a result, an authenticated user with Variable read permission could access plaintext secret values stored under sensitive keys that are deeply nested. This vulnerability affects deployments with sensitive data in complex JSON Variables and represents a gap in the previous fix for CVE-2026-32690, which only addressed shallower nesting. Users who upgraded for CVE-2026-32690 should now upgrade to Apache Airflow 3.2.2 or later to address this issue.

5.1
Jun 1, 2026

Apache ActiveMQ and Apache ActiveMQ Web Cross-Site Scripting Vulnerability via HTTP Response Header Injection

A cross-site scripting vulnerability has been identified in Apache ActiveMQ and Apache ActiveMQ Web. The issue arises in the MessageServlet of the ActiveMQ web console API, which improperly neutralizes input during web page generation. Specifically, the servlet copies all JMS message properties into HTTP response headers without validation. This flaw can be exploited to overwrite and inject security headers by manipulating JMS messages returned by the servlet. The vulnerability affects Apache ActiveMQ versions prior to 5.19.7 and 6.0.0 versions prior to 6.2.6, as well as Apache ActiveMQ Web versions prior to 5.19.7 and 6.0.0 versions prior to 6.2.6.

5.1
Jun 1, 2026

Apache Airflow BashOperator Jinja2 Injection Vulnerability via dag_run.conf

A shell metacharacter injection vulnerability has been identified in Apache Airflow versions 3.0.0 prior to 3.2.2. The issue arises from the official documentation example for the BashOperator, which demonstrated how to pass parameters using Jinja templating without any warning about quoting or sanitization. This oversight could lead to exploitation in deployments where users have the 'Dag.can_trigger' permission, such as typical multi-team environments or hosted offerings that expose a trigger API. An authenticated user could inject malicious commands through the 'conf' field of the trigger API, potentially executing arbitrary commands on the worker via 'os.exec'.

4.6
Jun 1, 2026

Apache Airflow Authorization Bypass Vulnerability in Bulk Task Instances API Allows Cross-DAG Mutation

An authorization bypass vulnerability has been identified in Apache Airflow's bulk Task Instances API, specifically in versions 3.2.0 prior to 3.2.2. The issue arises because the API evaluated authorization based on the DAG ID in the URL path, while the actual operation was performed using DAG IDs extracted from the request body. This flaw allowed an authenticated user with edit permissions on one DAG to modify the Task Instance state of any other DAG by manipulating the request body. The vulnerability impacts deployments that use per-DAG edit scopes to maintain Task Instance state separation between teams.

4.5
Jun 1, 2026

Apache Airflow JWT Cookie Missing Secure Flag Vulnerability in JWTRefreshMiddleware

A vulnerability exists in Apache Airflow's JWTRefreshMiddleware, where the JWT authentication cookie is set without the Secure flag. This issue affects deployments running the Airflow API server behind an HTTPS-terminating reverse proxy, such as nginx, Envoy, or a managed load balancer that terminates TLS and forwards plaintext to the API server. In these scenarios, the absence of the Secure flag allows a network-positioned attacker to capture and replay the JWT cookie over unencrypted HTTP requests to the same host, compromising session integrity.

5.0