CVE Catalog

A vulnerability exists in authentik's SAML Source ACS endpoint, prior to versions 2025.12.5, 2026.2.3, and 2026.5.1. The issue involves XML Signature Wrapping during the validation of upstream SAML responses. An attacker with any account at the upstream Identity Provider (IdP) can reuse a valid signed assertion to authenticate as another federated user. This vulnerability affects authentik deployments that use SAML Source for upstream SAML federation with signed assertions, or signed responses without signed assertions.

A vulnerability exists in CloudburstMC Protocol for Minecraft Bedrock Edition, in versions prior to 3.0.0.Beta12-20260420.182526-15. The issue arises from a partial lack of validation for FULL type authentication tokens, specifically in the EncryptionUtils methods that validate authentication payloads. This vulnerability affects publicly accessible software that relies on the affected versions of the protocol.

A reflected cross-site scripting vulnerability has been identified in authentik, an open-source identity provider, in versions prior to 2025.12.5 and 2026.2.3. The issue arises from the AutosubmitStage in the Simple Flow Executor (SFE), which was made more compatible with legacy browsers. This vulnerability allows an attacker to exploit the SFE by redirecting web requests containing tokens, hijacking sessions, or performing other malicious actions. The flaw is particularly concerning when an OAuth2 provider is configured with a broad regex in the redirect_uri or through the state value. The SFE's previous use of jQuery without proper input sanitization left it vulnerable to such exploits.

A vulnerability exists in the WS-Federation provider of authentik, an open-source identity provider, prior to version 2026.2.3. The issue arises because the provider validates the user-supplied wreply parameter using a raw string prefix check instead of proper URL parsing. This flaw allows an attacker to craft a login link with a wreply value from a different origin that bypasses the check, such as a URL pointing to attacker-controlled infrastructure. As a result, the victim's browser may inadvertently POST the signed WS-Federation login response to the attacker's server. The vulnerability has been patched in authentik versions 2025.12.5 and 2026.2.3.

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in SourceCodester Human Resource Management version 1.0. The issue resides in the Employee View Page component, specifically within the detailview.php file. The vulnerability allows authenticated users to manipulate the employeeid parameter to access unauthorized employee records, including sensitive information from other users and administrative accounts. This lack of proper authorization checks could lead to unauthorized disclosure of confidential employee data and facilitate privilege escalation within the application.

A SQL injection vulnerability has been identified in Code-Projects Student Admission System version 1.0. The issue resides in the '/index.php' file, where the 'eid' and 'did' parameters are manipulated to inject malicious SQL queries. This vulnerability can be exploited remotely, allowing attackers to gain unauthorized access to the database, leak sensitive information, tamper with data, and potentially disrupt services.

A vulnerability allowing improper authentication has been identified in Sayan365 Student Management System versions prior to 7f3c9ce7d410332335c2affac93a385485051800. The issue arises from multiple endpoints, including 'edit_attendance.php' and 'edit_subject.php', which lack proper authentication checks. This vulnerability can be exploited remotely, allowing unauthorized users to access and modify attendance and subject records.

A vulnerability exists in NI-PAL versions through 26.3.0 on Windows, Linux, and Linux Real-Time. It involves improper input validation that may enable a local authenticated user to access arbitrary system memory, potentially leading to privilege escalation.

A denial-of-service vulnerability has been identified in the NI-PAL kernel driver, affecting versions through 26.3.0 on Windows, Linux, and Linux Real-Time. The issue arises from improper input validation, which may allow a local authenticated user to cause a crash by triggering a NULL pointer dereference.

A stored cross-site scripting vulnerability has been identified in GLPI versions prior to 11.0.7. This issue allows an unauthenticated user with write access to the knowledge base to inject an XSS payload into a knowledge base item.

A vulnerability exists in the ARMember Premium plugin for WordPress, in all versions through 7.3.1, due to an insecure password reset mechanism. When a user requests a password reset, the plugin saves a plaintext copy of the reset key in the 'arm_reset_password_key' user meta field, alongside the hashed key that WordPress core securely stores. This plaintext key can be used with the plugin's custom 'armrp' reset action to change the password for any user. This vulnerability allows unauthenticated attackers to extract the plaintext reset key and take over any user account, including those of administrators, especially when combined with other vulnerabilities like SQL Injection.

A SQL injection vulnerability has been identified in the ARMember Premium plugin for WordPress, affecting all versions through 7.3.1. The issue arises in the 'sSortDir_0' parameter of the 'get_private_content_data' AJAX action, where user-supplied input is inadequately sanitized. This allows authenticated attackers with Subscriber-level access and above to manipulate SQL queries, potentially extracting sensitive information from the database. Exploitation requires the 'User Private Content' addon, which is disabled by default.

A SQL injection vulnerability has been identified in the ARMember Premium plugin for WordPress, affecting all versions through 7.3.1. The issue arises in the 'arm_directory_paging_action' AJAX action, where insufficient escaping of user-supplied 'order' and 'orderby' parameters allows unauthenticated attackers to inject additional SQL queries. This exploitation could lead to unauthorized access to sensitive database information.

A server-side request forgery (SSRF) vulnerability has been identified in Medplum versions prior to 5.1.14. This vulnerability allows authenticated users to make unauthorized internal network requests through the subscription worker. By creating FHIR Subscription resources with arbitrary endpoint URLs, attackers can direct these requests to internal services such as cloud metadata endpoints, internal databases, or container orchestration services. This could lead to the exfiltration of IAM credentials and patient health records, as the POST body would contain full FHIR resource payloads.

A vulnerability allowing out-of-bounds read has been identified in FastNetMon Community Edition versions through 1.2.9. The issue arises in the IPv4 packet parser, where the Internet Header Length (IHL) field is not properly validated before the parser advances the reading pointer. This oversight can lead to reading 40 bytes beyond the end of the validated packet, potentially causing information disclosure from adjacent process memory and type confusion in downstream protocol parsers. The vulnerability is accessible through any packet capture interface.

A vulnerability in the Elixir Tesla library, specifically in versions 0.8.0 prior to 1.18.3, allows for multipart header injection through unescaped Content-Disposition parameter values. The issue arises in the Tesla.Multipart module, where the 'part_headers_for_disposition' function interpolates disposition parameters without validating for carriage return, line feed, or double-quote characters. This lack of validation enables an attacker to close quoted parameters prematurely or inject additional headers and body bytes into multipart requests. The vulnerability can be exploited by passing untrusted input into certain disposition parameters, such as filename or field name, through the 'add_field', 'add_file', or 'add_file_content' functions.

A denial-of-service vulnerability has been identified in the Elixir Tesla library, specifically in versions 1.3.0 prior to 1.18.3. The issue arises in the Tesla.Adapter.Mint module, where the URL scheme of outgoing requests is converted into a BEAM atom without proper validation. This unchecked conversion allows an attacker to create permanent atoms by manipulating the scheme, leading to exhaustion of the atom table. Since BEAM atoms are not garbage-collected and the atom table has a fixed limit of approximately 1,048,576 entries, this exploitation can cause the Elixir virtual machine to crash, disrupting the entire application.

A CRLF injection vulnerability has been identified in the Elixir Tesla library, specifically in versions 0.8.0 prior to 1.18.3. This vulnerability allows HTTP header injection through the `Tesla.Multipart.add_content_type_param/2` function, which appends user-supplied strings to the multipart `content_type_params` list without proper validation for carriage return or line feed characters. As a result, a parameter containing ` ` can split the header line and inject arbitrary headers into the outgoing HTTP request. Applications that forward untrusted input into `add_content_type_param/2` are affected.

A vulnerability in the Elixir Tesla library, specifically in versions 1.4.0 prior to 1.18.3, has been identified. The issue arises in the FollowRedirects middleware, which improperly handles the case sensitivity of HTTP headers. This flaw allows for the leakage of authorization credentials to third-party origins during cross-origin redirects. The middleware is supposed to strip sensitive headers like Authorization and Host when following redirects to different domains. However, it uses a case-sensitive comparison against a lowercase filter list, failing to recognize headers set with their canonical casing as defined by the RFC standards. As a result, headers such as 'Authorization' are not filtered out and can be forwarded to the redirect destination, potentially exposing bearer tokens or other sensitive information. An attacker who can influence the Location response seen by the client can exploit this vulnerability, leading to unauthorized access to the leaked credentials.

A denial-of-service vulnerability has been identified in the Elixir Tesla library, specifically in versions 0.6.0 prior to 1.18.3. The issue arises in the middleware components 'Tesla.Middleware.DecompressResponse' and 'Tesla.Middleware.Compression', which, when included in a Tesla middleware pipeline, decompress HTTP response bodies eagerly and without any size limit. This flaw allows an attacker to send a small, compressed payload that, once decompressed, expands into a massive amount of memory, effectively crashing or freezing the application. The vulnerability exploits the absence of a size cap on decompressed data, particularly with gzip encoding, where a response can be inflated by approximately 1000 times per compression layer, leading to exponential data amplification and memory exhaustion.

A vulnerability exists in AIOHTTP versions prior to 3.14.0, where cookies set with the 'cookies' parameter on requests are sent after following a cross-origin redirect. This behavior can lead to the unintentional leakage of sensitive data if an attacker is able to control the redirect. The issue has been patched in version 3.14.0. For users unable to upgrade, a workaround is to use a 'Cookie' header in the 'headers' parameter, which is not vulnerable.

A denial-of-service vulnerability has been identified in React Router versions 7.0.0 through 7.14.x and in @remix-run/server-runtime versions 2.10.0 through 2.17.4. This issue arises in React Router Framework Mode applications and Remix applications, where certain crafted requests can lead to excessive server resource consumption. The problem is caused by unbounded path expansion in the __manifest endpoint, which degrades response times and can cause service unavailability for users. Notably, this vulnerability does not affect applications using React Router's Declarative Mode ('<BrowserRouter>') or Data Mode ('createBrowserRouter'/'<RouterProvider>').

A vulnerability in React Router versions 7.0.0 through 7.14.1, when used in Framework Mode, could allow unauthorized remote code execution (RCE) through external requests. This issue arises only if the application code contains a prototype pollution vulnerability, which can be exploited in a two-step attack, with the second step triggering unauthorized RCE on the remote server. Applications using Declarative Mode or Data Mode are not affected.

A vulnerability exists in authentik, an open-source identity provider, in versions prior to 2025.12.5 and 2026.2.3. The issue arises in the SAML source response processor, specifically in the 'ResponseProcessor.parse()' method', which fails to validate the 'Conditions' element on assertions. This oversight allows the replay of expired assertions and the acceptance of assertions meant for other service providers.

A moderate open redirect vulnerability has been identified in React Router versions 7.0.0 prior to 7.14.1 and 6.7.0 prior to 6.30.4. The issue arises when certain URLs passed to the redirect function are interpreted as protocol-relative URLs, allowing redirection to external domains. The impact of this vulnerability depends on the application's validation of URLs before processing the redirect. Notably, this issue does not affect applications using Declarative Mode with <BrowserRouter>.

A response header injection vulnerability has been identified in CrowCpp Crow versions through 1.3.1. This issue allows for HTTP response header injection or response splitting, as the application does not validate response header values before including them in the HTTP response. The vulnerability arises because user-supplied header values can be directly added to the response header map without proper sanitization, allowing carriage return and line feed characters to be injected and interpreted as separate header lines.

A logic flaw in the Pterodactyl Client API prior to version 1.12.3 allows users to bypass assigned limits for database allocations. This vulnerability arises from a broken database locking mechanism in the controllers, which fails to properly lock database operations. As a result, multiple simultaneous requests can exploit this flaw to create more databases than permitted, potentially disrupting the web interface.

A denial-of-service vulnerability has been identified in the Wire iOS client, prior to version 4.16.0. The issue arises when the application receives a crafted Proteus external message containing an encrypted payload shorter than 16 bytes. This flaw causes the app to crash automatically upon message receipt, without any user interaction. The malicious message remains in the conversation, causing the app to enter a crash loop upon relaunch. The application cannot be reopened until the local state is wiped, such as by reinstalling the app. Version 4.16.0 addresses this vulnerability by introducing the necessary length check, and is available through the App Store.

A vulnerability in the aiohttp library's CookieJar component, present in versions prior to 3.14.0, allows for arbitrary code execution when the CookieJar.load() method is used with untrusted input. Although this issue is unlikely to impact many applications, as most will use this function with the user's own data, it poses a risk if an application loads files controlled by an attacker without proper sanitization.

A client-side Cross-Site Scripting (XSS) vulnerability has been identified in React Router versions 7.7.0 through 7.13.1. This issue arises when using the unstable React Server Components (RSC) APIs, specifically in the handling of redirects from untrusted sources. Applications not utilizing these unstable RSC APIs are not affected. The vulnerability has been patched in version 7.13.2.

A cross-site scripting (XSS) vulnerability has been identified in Northern.tech CFEngine Enterprise versions 3.24.3 prior to 3.24.4 and 3.27.0 prior to 3.27.1. The issue arises in the Mission Portal due to an incorrect content-type HTTP header in some API endpoints. This flaw allows low-privilege users to inject malicious JavaScript that could be executed by an admin user, potentially leading to unauthorized privilege escalation.

A client-side Cross-Site Scripting (XSS) vulnerability has been identified in React Router versions 7.7.0 prior to 7.13.2. This issue arises when using the unstable React Server Components (RSC) APIs, specifically in the handling of redirects from untrusted sources. Applications not utilizing these unstable RSC APIs are not affected.

A cross-site scripting (XSS) vulnerability has been identified in usememos Memos version 0.26.0. This issue allows remote attackers to inject malicious scripts that could be executed in the context of the user's browser. The vulnerability arises from the application's Markdown rendering component, which improperly sanitizes user-generated content. Specifically, the 'SANITIZE_SCHEMA' configuration permits harmful 'style' attributes on 'span' elements and unsandboxed 'iframe' embeds. As a result, an authenticated user could craft a memo that, when viewed by others, overlays the entire application interface with attacker-controlled content, potentially leading to credential theft by spoofing login prompts.

A denial-of-service vulnerability has been identified in SolarWinds Web Help Desk. When exploited, this vulnerability can cause the Web Help Desk server to crash due to inadequate memory management. This issue affects Web Help Desk version 2026.2.

A remote code execution vulnerability exists in the Content Visibility for Divi Builder plugin for WordPress, affecting all versions through 4.02. The vulnerability arises from improper handling of the 'cvdb_content_visibility_check' parameter in the 'et_pb_text' shortcode. This flaw allows authenticated attackers with Contributor-level access or higher to execute arbitrary code on the server.

A JIT miscompilation vulnerability has been identified in the JavaScript engine of Mozilla Firefox. This issue can lead to incorrect execution of JavaScript code, potentially allowing for exploitation in certain scenarios. The vulnerability affects Firefox versions prior to 151.0.3.

A vulnerability has been identified in Mozilla Firefox related to incorrect boundary conditions in the Graphics: Text component. This issue could potentially lead to unspecified consequences. The vulnerability affects Firefox versions prior to 151.0.3.

A critical authentication bypass vulnerability has been identified in nextlevelbuilder GoClaw versions through 3.11.3. When the 'GOCLAW_GATEWAY_TOKEN' is unset, the 'resolveAuth' function in 'internal/http/auth.go' grants admin privileges to unauthenticated requests. This flaw allows remote exploitation by invoking sensitive HTTP endpoints or executing tools with elevated privileges. Additionally, webhook handlers for Feishu and Pancake bypass signature verification if their respective secrets are not configured, enabling the acceptance of forged payloads as legitimate.

A vulnerability exists in nextlevelbuilder GoClaw versions through 3.11.3, specifically in the Team Task Completion Handler. The issue arises in the function 'TeamTasksTool.executeComplete' within 'internal/tools/team_tasks_lifecycle.go'. This vulnerability allows a team member to complete another member's in-progress task, bypassing authorization checks. The manipulation can be executed remotely, and the exploit is publicly available.

A SQL injection vulnerability has been identified in DedeCMS version 5.7.88. The issue arises in the RemoveXSS function within the file plus/carbuyaction.php. The vulnerability can be exploited remotely by manipulating the postname or des arguments. This flaw allows for unauthorized SQL code execution, potentially leading to database manipulation or data exposure.

A SQL injection vulnerability has been identified in DedeCMS version 5.7.88. The issue arises in the function dede_htmlspecialchars within the file plus/flink.php. The vulnerability can be exploited remotely, and public exploits are available.

A vulnerability exists in the Graph Explorer proxy server in versions 1.1.0 prior to 3.0.1. When certificate files are missing, the server defaults to HTTP instead of HTTPS, potentially allowing remote attackers to intercept sensitive information from requests meant to be secure.

A privilege escalation vulnerability has been identified in PlayStation 4 firmware versions 13.00 through 13.02. This vulnerability allows an attacker to escape the BD-J (Blu-ray Disc Java) sandbox by using a malformed JAR file. The issue arises because the BD-J security policy improperly canonicalizes file paths, enabling untrusted code to be executed with elevated permissions.

A denial-of-service vulnerability has been identified in the Dräger Atlan A350 software, specifically in versions 1.00 through 1.01. The issue arises from improper input handling that allows attackers to disrupt device operation by sending specially crafted, non-Medibus-compliant data through the Medibus interface. This malformed data can overload the internal processor, causing a gradual disruption in device functionality over several hours. The impact includes loss of data transmission, delayed updates of real-time monitoring curves, and discrepancies between displayed airway pressure values and the corresponding screen curves.

A buffer overflow vulnerability has been identified in Dräger CC-Vision Basic versions prior to 7.5.3 and Dräger CC-Vision E-Cal versions prior to 7.2.5.0. The vulnerability arises from an out-of-bounds write issue when the applications load .gdt files. A crafted .gdt file can exploit this flaw during file parsing, potentially allowing an attacker to crash the application or execute malicious code on the underlying system.

A denial-of-service vulnerability has been identified in Dräger Infinity M300 patient-worn monitors running software versions VG2.x and earlier. This vulnerability allows attackers with access to the hospital or Infinity Network to repeatedly cause the devices to reboot. After several reboots, the device enters a fail state that requires a manual restart. Exploitation of this vulnerability disrupts wireless network connectivity, temporarily halts patient monitoring, and interrupts alarm functionality, all of which must be manually restored.

A denial-of-service vulnerability has been identified in the Dräger Perseus A500 software, specifically in versions 2.00 through 2.02. This vulnerability arises from improper input handling that allows external attackers to disrupt service by sending specially crafted data that does not comply with Medibus standards, through the Medibus interface. The malformed data can overload the device's internal processor, causing it to warm restart. This interruption drops the ventilation pressure to ambient levels, disrupting patient ventilation for several seconds before normal therapy resumes.

A vulnerability exists in Dräger SC Monitoring devices, including the SC 6002XL, SC 6802XL, SC 7000, SC 8000, and SC 9000 XL models, all software versions. These devices contain hard-coded plaintext credentials in the source code, along with a denial-of-service vulnerability. This issue allows local and remote attackers to compromise the integrity of the devices. A local attacker with direct access can use the hard-coded credentials to access service and clinical accounts, enabling them to alter device configurations. Meanwhile, a remote attacker can send malformed network packets that cause the device to repeatedly reboot, leading to a loss of network connectivity and disruption of patient monitoring.

A denial-of-service vulnerability has been identified in Dräger Infinity M300 patient-worn monitors running software versions VG2.3.1 and earlier. This vulnerability allows network-adjacent attackers to repeatedly cause device reboots by sending malicious requests over the Infinity Network. Exploitation of this issue forces the device into a fail state that requires a manual restart, leading to a loss of wireless connectivity and disruption of patient monitoring functionality.

A stack-based buffer overflow vulnerability has been identified in CZ.NIC BIRD Internet Routing Daemon versions through 2.19.0. The issue arises in the BGP AS_PATH mask matching implementation, where the as_path_match() function uses a fixed-size stack array that can be exceeded by improperly validated AS_PATH segments. This vulnerability is triggered when RFC 8654 BGP Extended Messages are enabled, allowing an established BGP peer to send a long AS_PATH with more than 2048 expanded ASNs. The overflow causes the daemon to crash.