CVE Catalog
GLPI Arbitrary File Deletion Vulnerability
A vulnerability in GLPI versions 0.78 prior to 10.0.25 and 11.0.0 prior to 11.0.7 allows technicians to delete arbitrary files from the filesystem, provided the webserver has write permissions on those files. This issue arises from insufficient restrictions on file deletion capabilities.
Python CPython Unicodedata Normalization Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in Python's CPython implementation, specifically within the unicodedata.normalize() function. This issue arises when the function processes specially crafted Unicode input that includes long sequences of combining characters with alternating Canonical Combining Class values. Such input can cause the normalization process to exhibit quadratic time complexity, leading to excessive CPU usage. A payload of approximately 0.5MB can consume over 30 seconds of processing time. This vulnerability affects all normalization forms.
GoBGP Integer Underflow Vulnerability in BGP Update Decoding Function Allows Denial-of-Service
An integer underflow vulnerability has been identified in GoBGP version 4.3.0, specifically within the BGPUpdate.DecodeFromBytes function. This vulnerability allows attackers to cause a denial-of-service condition by sending a crafted BGP UPDATE message. The underflow occurs when the message length is improperly validated, enabling the manipulation of data processing boundaries.
Rock RMS Cross-Site Scripting Vulnerability Leading to Privilege Escalation
A cross-site scripting (XSS) vulnerability has been identified in Rock RMS versions through 17.7.0. This issue allows for the execution of arbitrary JavaScript in the context of an administrator's browser session, potentially leading to unauthorized privilege escalation. The vulnerability arises from inadequate input sanitization in the Social Media Links feature of user profiles. When an administrator views a profile containing a crafted XSS payload, the payload executes and can escalate the profile owner's privileges to that of an administrator.
Openlabs Docker Wkhtmltopdf Aas OS Command Injection Vulnerability Allowing Remote Code Execution
A command injection vulnerability has been identified in the 'app.py' component of Openlabs Docker Wkhtmltopdf Aas, affecting all versions prior to the latest commit '9f50579'. This vulnerability allows remote attackers to execute arbitrary commands on the server with root privileges. The issue arises from the application accepting user-supplied options via JSON POST requests, which are then used to construct a shell command for 'wkhtmltopdf' without proper validation or sanitization. Exploitation can be achieved by injecting commands through option values or keys, leading to unauthorized command execution.
Wassimulator CactusViewer Privilege Escalation and Arbitrary Code Execution Vulnerability
A DLL hijacking vulnerability has been identified in Wassimulator CactusViewer version 2.3.0. This vulnerability allows attackers to escalate privileges and execute arbitrary code by placing a malicious DLL in the same directory as the CactusViewer executable. When the application is launched, it loads the malicious DLL, leading to unauthorized code execution in the context of the user running the application.
Backpack CRUD Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability has been identified in Backpack CRUD versions prior to 5.0.13, 4.1.69, and 4.0.63. This issue arises because error messages are not properly escaped, allowing attackers to inject malicious scripts. Under specific circumstances, this could be exploited to conduct phishing attacks, potentially leading to unauthorized access or information disclosure, especially in an admin panel context.
Django Cache Middleware Response Caching Vulnerability
A vulnerability exists in Django's cache middleware that can lead to the improper caching of responses marked as private. This issue is present in Django versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6. The problem arises because the `UpdateCacheMiddleware` does not handle `Cache-Control` response directives in a case-insensitive manner. As a result, remote attackers may be able to read responses that were incorrectly cached due to uppercase or mixed-case `Cache-Control` values. While this vulnerability has been identified in the current Django series, earlier unsupported versions may also be affected.
Django SMTP Backend STARTTLS Vulnerability Allowing Unencrypted Email Transmission
A vulnerability exists in Django's SMTP email backend that could lead to unencrypted email transmission. This issue is present in Django versions 6.0 prior to 6.0.6 and 5.2 prior to 5.2.15. The vulnerability arises when 'fail_silently=True' is set, allowing on-path attackers to intercept email content in cleartext. This occurs because the backend fails to properly manage a partially-initialized connection after a failed STARTTLS handshake, reusing it for sending emails without encryption.
Django Signed Cookie Salt Namespace Collision Vulnerability
A vulnerability exists in Django versions 6.0 prior to 6.0.6 and 5.2 prior to 5.2.15, in the `django.http.HttpRequest.get_signed_cookie` method. The issue arises from a non-injective salt derivation process, where the cookie name and salt argument are simply concatenated. This allows remote attackers to manipulate cookies by using different `(name, salt)` pairs that result in the same concatenation, potentially leading to unauthorized cookie acceptance in different contexts. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.
Hugging Face Transformers LightGlue Model Trust Boundary Bypass Leading to Remote Code Execution Vulnerability
A vulnerability exists in the LightGlue model loading process of Hugging Face Transformers version 5.2.0. It allows an attacker-controlled model repository to execute arbitrary code during model initialization. This issue arises because the 'trust_remote_code' parameter, designed to prevent remote code execution, is overridden by untrusted serialized configuration data from the model's 'config.json' file. When a LightGlue model is loaded with 'trust_remote_code=False', the configuration file can still inject a 'trust_remote_code=True' value, which is then used to execute attacker-provided Python modules. This vulnerability is particularly concerning for environments such as API inference servers, research notebooks, CI/CD pipelines, and model evaluation workers, where it could lead to credential theft, unauthorized access to other services, or the deployment of backdoors.
Django Whitespace Vary Header Caching Vulnerability
A vulnerability exists in Django versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6, where the `django.utils.cache.has_vary_header()` function does not remove leading or trailing whitespace from `Vary` header values before making comparisons. This oversight allows remote attackers to access cached responses by sending requests to URLs with whitespace-padded `Vary` header values. Earlier, unsupported Django versions (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected but were not evaluated.
ProjectsAndPrograms School Management System Predictable Password Vulnerability
A vulnerability exists in ProjectsAndPrograms school-management-system due to the use of predictable passwords for students and teachers. Passwords are generated solely from the user's date of birth, without requiring a change upon first login. This allows attackers to easily guess or derive valid credentials, leading to unauthorized access. The vulnerability was confirmed in version 6b6fae5, while other versions may also be affected.
ProjectsAndPrograms School Management System Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the ProjectsAndPrograms school-management-system. This issue allows authorized users, such as teachers or administrators, to inject malicious JavaScript into various attributes of student and teacher objects. The injected script is executed in the browsers of other users. Notably, when this vulnerability is combined with CVE-2025-11661, which provides unauthenticated access to backend endpoints, it can be exploited by remote attackers without any privileges to inject and execute arbitrary JavaScript.
Daphne Header Injection Vulnerability in WebSocket Handshake Processing
A header injection vulnerability has been identified in Daphne versions prior to 4.2.2. The issue arises during the WebSocket handshake process, where Daphne reconstructs a raw HTTP request from Twisted's parsed headers. Twisted does not recognize certain byte sequences as header line separators, but Autobahn, which handles WebSocket handshakes, does. This discrepancy allows an attacker to inject additional headers into the ASGI scope passed to the application by exploiting the way headers are parsed and interpreted. Vulnerable header values could include authentication tokens and other sensitive information.
Daphne WebSocket Denial-of-Service Vulnerability
A denial-of-service vulnerability has been identified in Daphne versions prior to 4.2.2. The issue arises because Daphne does not impose limits on WebSocket message or frame sizes, allowing an unauthenticated remote attacker to send excessively large WebSocket messages or frames. This lack of restriction leads to significant memory consumption on the server, causing a denial-of-service condition.
FRRouting Denial-of-Service Vulnerability via Crafted BGP UPDATE Message
A denial-of-service vulnerability has been identified in FRRouting (FRR) versions stable/10.0 to stable/10.6. The issue arises from missing input validation in the rfapiRibBi2Ri() function within the rfapi_rib.c file. This vulnerability allows attackers to cause a denial-of-service by sending a crafted BGP UPDATE message.
Django UpdateCacheMiddleware Authorization Header Vary Response Header Vulnerability
A vulnerability exists in Django's UpdateCacheMiddleware component, specifically in versions 5.2 prior to 5.2.15 and 6.0 prior to 6.0.6. The issue arises because the middleware fails to include the 'Authorization' header in the 'Vary' response header for requests that contain the 'Authorization' header but lack 'Cache-Control: public'. This oversight allows remote attackers to access private cached responses through unauthenticated requests to the same URL. Additionally, earlier unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) may also be affected.
Thinkst Applied Research Canarytokens HTML Injection Vulnerability in Notification Emails
A vulnerability allowing HTML injection has been identified in the notification emails for 'Slow Redirect' and 'Cloned Website' Canarytokens in Thinkst Applied Research Canarytokens. This vulnerability enables interface manipulation and Cross-Site Scripting (XSS) in email clients that render HTML. The issue affects Canarytokens from Docker tag sha-c42435e prior to sha-bfda4df, and from Git commit c42435e prior to bfda4df.
lwext4 Out-of-Bounds Read Vulnerability in ext4_ext_binsearch_idx Function Causes Denial-of-Service
A denial-of-service vulnerability has been identified in the lwext4 library version 1.0.0. The issue arises from an out-of-bounds read in the ext4_ext_binsearch_idx function, located in src/ext4_extent.c. This vulnerability allows attackers to cause a process crash by supplying a specially crafted ext4 filesystem image. The problem stems from inadequate validation of extent header fields before conducting a binary search over extent index entries. As a result, invalid pointer calculations can lead to out-of-bounds memory reads during the traversal of the extent tree.
lwext4 Divide-By-Zero Vulnerability in ext4_block_set_lb_size Function Causes Denial-of-Service
A divide-by-zero vulnerability has been identified in the lwext4 library version 1.0.0. The issue arises in the ext4_block_set_lb_size function within the src/ext4_blockdev.c file. When the library processes a malformed ext4 filesystem image that contains a zero logical block size, the vulnerability is triggered. The ext4_mount function passes this invalid block size to ext4_block_set_lb_size without proper validation, leading to a Floating-Point Exception (FPE) under sanitizers or a runtime crash in standard builds. This vulnerability can be exploited by providing a crafted ext4 image to an application that uses lwext4 for mounting or image processing.
GPAC Project MP4Box NULL Pointer Dereference Vulnerability in DASH Processing
A NULL pointer dereference vulnerability has been identified in the GPAC Project's MP4Box, specifically in versions prior to 26.02.0. The issue arises in the 'gf_filter_pid_resolve_file_template_ex' function within 'filter_core/filter_pid.c'. When the software processes MP4 files containing specially crafted metadata with long URLs or HTML-like special characters, the function attempts to perform a string comparison using 'strncmp()'. This operation is conducted without ensuring that the pointer is valid, leading to a segmentation fault and causing a crash. The vulnerability can be exploited during DASH segmentation by supplying a crafted file, resulting in a denial-of-service condition.
Synology Hyper Backup Path Traversal Vulnerability in Backup Task Functionality
A path traversal vulnerability has been identified in the Backup Task feature of Synology Hyper Backup, in versions prior to 4.1.2-4036. Because the feature improperly limits pathnames to a restricted directory, this vulnerability allows remote authenticated users to write specific files outside that directory.
Synology Hyper Backup Path Traversal Vulnerability in Backup.Repository WebAPI Component
A path traversal vulnerability has been identified in the Backup.Repository web API component of Synology Hyper Backup, affecting versions prior to 4.1.2-4036. This vulnerability allows remote authenticated users with administrator privileges to write specific files containing non-sensitive information to restricted directories, through unspecified vectors.
Synology Note Station Client Cleartext Transmission Vulnerability Allowing Credential Theft
A vulnerability in Synology Note Station Client versions prior to 2.2.4-703 allows man-in-the-middle attackers to intercept and obtain user credentials due to cleartext transmission of sensitive information.
Synology Hyper Backup Explorer MinGW DLL Component Untrusted Control Sphere Vulnerability Allowing Arbitrary Code Execution
A vulnerability has been identified in the MinGW DLL component of Synology Hyper Backup Explorer, prior to version 3.0.1-0156. This vulnerability allows local users to execute arbitrary code by exploiting an inclusion of functionality from an untrusted control sphere.
Synology Active Backup for Business Recovery Media Creator OpenSSL Configuration Vulnerability Allowing Arbitrary Code Execution
A vulnerability has been identified in Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081. This vulnerability arises from an inclusion of functionality from an untrusted control sphere in the OpenSSL configuration, allowing local users to execute arbitrary code through unspecified vectors.
MBS Universal Gateway Stack Buffer Overflow Vulnerability Allowing Root Access
A stack buffer overflow vulnerability has been identified in the MBS Universal Gateway (UGW) web GUI, specifically in the UGW-A-Series and UGW-X-Series models, all running MBS Firmware prior to V6_0_0_7. This vulnerability allows remote attackers with user privileges to exploit the buffer overflow in the 'gdv-serverconfig' component, leading to arbitrary code execution with root privileges and full system access.
MBS UGW Stack Buffer Overflow Vulnerability Allowing Root Access
A stack buffer overflow vulnerability has been identified in the MBS Universal Gateway (UGW) web GUI, specifically in the UGW-A-Series and UGW-X-Series models, all running MBS Firmware prior to V6_0_0_7. This vulnerability allows remote attackers with user privileges to exploit the buffer overflow and execute arbitrary code with root privileges, leading to a full system compromise.
MBS Universal Gateways Stack Buffer Overflow Vulnerability Leading to Root Access
A stack buffer overflow vulnerability has been identified in the MBS Universal Gateways (UGW) web GUI and the underlying firmware, affecting version V6_0_0_5 and earlier. This vulnerability allows remote attackers with user privileges to execute arbitrary code with root privileges, potentially leading to a full system compromise. The issue arises from insufficient input validation and a lack of bounds checking in several CGI methods, which can be exploited by authorized attackers to manipulate memory and execute malicious code.
MBS Universal Gateways UGW Web GUI Arbitrary File Access Vulnerability
A vulnerability in the MBS Universal Gateways (UGW-A-Series, UGW-X-Series) web GUI allows remote attackers with user privileges to access arbitrary local files. This issue arises from inadequate validation of user-supplied input in the ugw-logread method. The vulnerability affects devices running MBS Firmware versions prior to 6.0.0.7.
MBS Universal Gateways UGW-A-Series and UGW-X-Series Process Termination Vulnerability
A vulnerability exists in the MBS Universal Gateways (UGW-A-Series and UGW-X-Series) web GUI, specifically in versions through V6_0_0_5. The issue allows remote attackers with user privileges to terminate arbitrary processes. This exploitation stems from inadequate validation of user-supplied input in several CGI methods, which could lead to unauthorized process termination, among other impacts.
MBS UGW Web GUI Arbitrary File Deletion Vulnerability
A vulnerability in the ugw-restoreinfo method allows remote attackers with user privileges to delete arbitrary local files. This issue arises from inadequate validation of user-controlled input. The vulnerability affects MBS Universal Gateways (UGW-A-Series and UGW-X-Series) running firmware versions prior to V6_0_0_7.
MBS Universal Gateway Arbitrary File Deletion Vulnerability
A vulnerability in the ugw-restore method allows remote attackers with user privileges to delete arbitrary local files on affected MBS Universal Gateway devices. This issue arises from inadequate validation of user-controlled input. The vulnerability affects several MBS Universal Gateway models running firmware versions prior to 6.0.0.7.
MBS Universal Gateways Arbitrary File Deletion Vulnerability
A vulnerability in the ugw-logstop method allows remote attackers with user privileges to delete arbitrary local files. This issue arises from inadequate validation of user-controlled input. The vulnerability affects MBS Universal Gateways (UGW-A-Series and UGW-X-Series) running firmware versions prior to V6_0_0_7.
MBS Universal Gateways UGW Web GUI Arbitrary File Deletion Vulnerability
A vulnerability in the ugw-delete-file method allows remote attackers with user privileges to delete arbitrary local files. This issue arises from inadequate validation of user-controlled input. The vulnerability affects MBS Universal Gateways in the UGW-A-Series and UGW-X-Series, all versions prior to 6.0.0.7.
MBS Universal Gateway Stack-Based Buffer Overflow Vulnerability Allowing Root Code Execution
A stack-based buffer overflow vulnerability has been identified in the MBS Universal Gateway (UGW) web GUI, specifically in the UGW-A-Series and UGW-X-Series models, all running MBS Firmware prior to V6_0_0_7. This vulnerability allows remote attackers with user privileges to execute arbitrary code with root privileges, potentially leading to a full system compromise. The issue arises from several CGI methods that lack proper input validation and bounds checking, enabling authorized attackers to exploit the buffer overflow.
MBS Universal Gateways Hardcoded Password Vulnerability Allowing Unauthorized Access
A vulnerability exists in MBS Universal Gateways (UGW) web GUI and firmware versions through V6_0_0_5. It involves a hardcoded default password for a service account, which an unauthenticated remote attacker can extract from the firmware image. This password allows full access to the affected devices. The vulnerability is part of a broader set of security issues in the UGW web GUI, including insufficient input validation in several CGI methods, which could lead to arbitrary file deletion, unauthorized file inclusion, process termination, and exploitation of stack-based buffer overflows for arbitrary code execution with root privileges, resulting in a complete system compromise.
Cilium eBPF Integer Overflow Vulnerability in BTF String Offset Parsing
An integer overflow vulnerability has been identified in the Cilium eBPF library, specifically in versions through 0.21.0. The issue arises in the BTF (BPF Type Format) string-table offset validation within the `loadRawSpec` function of `btf/btf.go`. When a BTF record is malformed, it can set a string offset to a value that points beyond the actual data, leading the parser to panic instead of gracefully handling the error. This vulnerability can be exploited by manipulating BTF metadata in an ELF file, causing a runtime error that disrupts the parsing process. The problem has been publicly disclosed and could potentially be exploited in the wild.
SWUpdate TOCTOU Race Condition Vulnerability Allowing Privilege Escalation
A time-of-check time-of-use (TOCTOU) race condition vulnerability has been identified in SWUpdate versions prior to 2026.05. This vulnerability allows local unprivileged attackers to escalate privileges to root or install untrusted content using a signed update. The issue arises during the update process, where an attacker can manipulate script files to execute malicious code with elevated privileges.
Apache MINA Deserialization Allow-list Bypass Vulnerability
A deserialization vulnerability allowing for an allow-list bypass has been identified in Apache MINA versions 2.0.29, 2.0.13, and 2.2.8. This vulnerability arises when the serialized stream includes a TC_PROXYCLASSDESC, indicating a java.lang.reflect.Proxy. The default implementation of resolveProxyClass in ObjectInputStream is then called, which retrieves each interface name and constructs the proxy class. This process bypasses the accepted classes list, potentially allowing unauthorized classes to be deserialized and used.
Phoenix Contact CHARX SEC-3xxx Charging Controllers Unauthenticated Log Download Vulnerability
A vulnerability exists in the firmware of Phoenix Contact CHARX SEC-3xxx charging controllers, allowing unauthenticated adjacent attackers to download log files from the controller. This could lead to the disclosure of restricted information. The vulnerability affects CHARX SEC-3000, SEC-3050, SEC-3100, and SEC-3150 models, all running firmware prior to 1.9.0.
Mojoomla School Management Privilege Escalation Vulnerability
A privilege escalation vulnerability has been identified in the Mojoomla School Management plugin for WordPress, affecting versions through 93.2.0. This vulnerability allows users with low-level privileges to gain higher privileges, potentially leading to full control of the website.
Mojoomla School Management SQL Injection Vulnerability
A SQL injection vulnerability has been identified in the Mojoomla School Management plugin for WordPress, affecting versions through 93.2.0. This vulnerability allows attackers to manipulate SQL queries, potentially leading to unauthorized data access or modification.
ABB T-MAC Plus Incorrect Authorization Vulnerability
A vulnerability allowing incorrect authorization has been identified in ABB T-MAC Plus versions 4.0 through 24. This issue could potentially be exploited to bypass authorization mechanisms, leading to unauthorized actions or access within the application.
ABB T-MAC Plus Cross-Site Scripting Vulnerability
A cross-site scripting vulnerability has been identified in ABB T-MAC Plus versions 4.0 through 24. This issue arises from improper handling of input during web page generation, allowing for the injection of malicious scripts.
ABB T-MAC Plus Authorization Bypass Vulnerability Allowing User-Controlled Key Manipulation
A vulnerability in ABB T-MAC Plus versions 4.0 through 24 allows for authorization bypass through user-controlled keys. This could potentially be exploited to manipulate authorization processes, leading to unauthorized actions or access within the application.
ABB T-MAC Plus Files or Directories Accessible to External Parties Vulnerability
A vulnerability exists in ABB T-MAC Plus versions 4.0 through 24, allowing files or directories to be accessed by external parties.
MLflow Environment Variable Resolution Vulnerability in AI Gateway Secrets Allowing Credential Exfiltration
A vulnerability exists in MLflow versions prior to 3.11.0, where AI Gateway secrets can resolve environment variable references. This flaw allows low-privileged authenticated users in basic-auth deployments, or unauthenticated users in default deployments without basic-auth, to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. The issue stems from the 'api_key' field in gateway secrets accepting '$ENV_VAR' references, which are resolved at runtime and sent in authentication headers to the specified 'api_base'. Exploitation could lead to the leakage of critical credentials, such as cloud artifact credentials, potentially causing artifact poisoning and cross-boundary code execution in downstream environments.
Fox-Themes Prague WordPress Plugin Reflected Cross-Site Scripting Vulnerability
A reflected cross-site scripting vulnerability has been identified in the Fox-Themes Prague WordPress plugin, affecting versions through 2.2.8. This vulnerability allows attackers to inject malicious scripts that are executed when users visit the affected site.
