Search Results (2285 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2025-1686 1 Pebbletemplates 1 Pebble Templates 2026-06-05 6.8 Medium
Versions of the package io.pebbletemplates:pebble from 0 and before 4.1.0 are vulnerable to External Control of File Name or Path via the include tag. A high privileged attacker can access sensitive local files by crafting malicious notification templates that leverage this tag to include files like /etc/passwd or /proc/1/environ. Workaround This vulnerability can be mitigated by disabling the include macro in Pebble Templates: java new PebbleEngine.Builder() .registerExtensionCustomizer(new DisallowExtensionCustomizerBuilder() .disallowedTokenParserTags(List.of("include")) .build()) .build();
CVE-2025-8886 1 Usta 1 Aybs 2026-06-05 6.7 Medium
Incorrect Permission Assignment for Critical Resource, Exposure of Sensitive Information to an Unauthorized Actor, Missing Authorization, Incorrect Authorization vulnerability in Usta Information Systems Inc. Aybs Interaktif allows Privilege Abuse, Authentication Bypass. This issue affects Aybs Interaktif: from 2024 through 28082025.
CVE-2026-20175 1 Cisco 1 Cisco Finesse 2026-06-05 6.1 Medium
A vulnerability in Cisco Finesse could allow an unauthenticated, remote attacker to load arbitrary files from remote locations into an active user session on an affected device, possibly leading to browser-based attacks. This vulnerability is due to insufficient validation of user-supplied input for HTTP requests that are sent to an affected device. An attacker who has knowledge of the address of the affected device could exploit this vulnerability by persuading a user to click a crafted link that contains the affected device address. A successful exploit could allow the attacker to conduct browser-based attacks and execute arbitrary script code in the context of the affected interface or access sensitive information on the affected device.
CVE-2026-50209 1 Acer 3 Connect M6e 5g, Connect M6e 5g Firmware, Connect M6e 5g Portable Wifi Router 2026-06-05 7.8 High
Broadcast events allow malicious software to rewrite the device's default Mobile Device Management (MDM) endpoint address, shifting administrative ownership to an external attacker.
CVE-2026-10702 1 Mozilla 1 Firefox 2026-06-04 4.3 Medium
JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.
CVE-2026-40605 1 Tautulli 1 Tautulli 2026-06-04 N/A
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.1, a path traversal vulnerability in the cache deletion endpoint allows authenticated API access to delete directories outside the configured cache path. This can cause arbitrary data loss and service disruption. Version 2.17.1 fixes the issue.
CVE-2021-4481 1 Draeger 1 Protector Software 2026-06-03 8.2 High
Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with elevated privileges. Attackers can replace binaries or loaded modules on the host system to execute code with NT SYSTEM privileges.
CVE-2026-34352 1 Tigervnc 1 Tigervnc 2026-06-03 8.5 High
In TigerVNC before 1.16.2, Image.cxx in x0vncserver allows other users to observe or manipulate the screen contents, or cause an application crash, because of incorrect permissions.
CVE-2021-4480 1 Draeger 1 Protector Software 2026-06-03 8.2 High
Dräger Protector Software prior to version 6.4.2 contains a local privilege escalation vulnerability due to insecure file system permissions that allows local attackers to execute arbitrary code with elevated privileges. Attackers can replace binaries or loaded modules on the host system to execute code with NT SYSTEM privileges.
CVE-2026-45353 2 Electerm, Electerm Project 2 Electerm, Electerm 2026-06-03 7.8 High
electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. From 3.0.6 to 3.8.8, This vulnerability is fixed in 3.9.0.
CVE-2026-41412 1 Alfio-event 1 Alf.io 2026-06-03 4.9 Medium
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, the alf.io extension sandbox injects a fully-functional HTTP client (`simpleHttpClient`) into every extension script's scope. The `postFileAndSaveResponse()` method accepts an arbitrary filesystem path as its `file` parameter and reads the file contents using `new FileInputStream(file)` with no path validation, directory restriction, or allowlist. A malicious extension script can read any file accessible to the JVM process user and exfiltrate it to an attacker-controlled server via HTTP POST. Version 2.0-M5-2606 patches the issue.
CVE-2024-5618 1 Apinizer 1 Apinizer 2026-06-03 9.9 Critical
Incorrect Permission Assignment for Critical Resource vulnerability in PruvaSoft Informatics Apinizer Management Console allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Apinizer Management Console: before 2024.05.1.
CVE-2024-3375 1 Havelsan 1 Dialogue 2026-06-03 9.4 Critical
Incorrect Permission Assignment for Critical Resource vulnerability in Havelsan Inc. Dialogue allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Dialogue: from v1.83 before v1.83.1 or v1.84.
CVE-2026-10694 1 Sourcecodester 1 Online Food Ordering System 2026-06-03 7.3 High
A vulnerability was detected in SourceCodester Online Food Ordering System 2.0. Affected by this issue is the function include of the file /index.php. The manipulation of the argument page results in file inclusion. The attack can be launched remotely. The exploit is now public and may be used.
CVE-2026-10621 1 Collibra 2 Collibra Platform (on-prem), Collibra Platform (saas) 2026-06-03 7.5 High
Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directory.
CVE-2026-30905 1 Zoom 2 Workplace Vdi Plugin, Workplace Virtual Desktop Infrastructure 2026-06-03 7.8 High
External Control of File Name or Path in the Zoom Workplace VDI Plugin Windows Universal Installer before version 6.6.11 may allow an authenticated user to conduct an escalation of privilege via local access.
CVE-2026-27788 1 Fsastech 1 Serverview Agents For Windows 2026-06-02 N/A
Incorrect permission assignment for critical resource issue exists in ServerView Agents for Windows V11.60.04 and earlier. If this vulnerability is exploited, a local authenticated attacker who can log in to the server where the affected product is installed may obtain SYSTEM privilege.
CVE-2026-28264 1 Dell 2 Powerprotect Agent, Powerprotect Data Manager 2026-06-02 3.3 Low
Dell PowerProtect Agent Service, version(s) prior to 20.1, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information exposure.
CVE-2026-10558 1 Sourcecodester 1 Pizzafy Ecommerce System 2026-06-02 6.3 Medium
A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack is possible to be carried out remotely. The exploit is now public and may be used.
CVE-2026-10559 1 Sourcecodester 1 Pizzafy Ecommerce System 2026-06-02 6.3 Medium
A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is an unknown function of the file /index.php. Executing a manipulation of the argument page can lead to file inclusion. The attack may be performed from remote. The exploit has been published and may be used.