| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations. |
| Shopware is an open commerce platform. /api/_info/config route exposes information about active security fixes. This vulnerability is fixed in 2.0.16, 3.0.12, and 4.0.7. |
| Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. This vulnerability is fixed in 7.8.1 and 6.10.15. |
| Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, an authorization bypass in the poll plugin allowed authenticated users to vote on, remove votes from, or toggle the open/closed status of polls they did not have access to. By passing post_id as an array (e.g. post_id[]=&post_id[]=), the authorization check resolves to the accessible post while the poll lookup resolves to a different post's poll. This affects the vote, remove_vote, and toggle_status endpoints in DiscoursePoll::PollsController. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. |
| Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10. |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35. |
| A flaw has been found in Alfresco Activiti up to 7.19/8.8.0. Affected by this issue is the function deserialize/createObjectInputStream of the file activiti-core/activiti-engine/src/main/java/org/activiti/engine/impl/variable/SerializableType.java of the component Process Variable Serialization System. This manipulation causes deserialization. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. |
| In Splunk Enterprise versions below 10.2.0, 10.0.3, 9.4.9, and 9.3.10, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, 10.0.2503.11, and 9.3.2411.123, a low-privileged user that does not hold the "admin" or "power" Splunk roles could access the `/splunkd/__raw/servicesNS/-/-/configs/conf-passwords` REST API endpoint, which exposes the hashed or plaintext password values that are stored in the passwords.conf configuration file due to improper access control. This vulnerability could allow for the unauthorized disclosure of sensitive credentials. |
| In Splunk Enterprise versions below 10.2.1 and 10.0.4, and Splunk Cloud Platform versions below 10.2.2510.5, 10.1.2507.16, and 10.0.2503.12, a low-privileged user that does not hold the "admin" or "power" Splunk roles could retrieve the Observability Cloud API access token through the Discover Splunk Observability Cloud app due to improper access control.
This vulnerability does not affect Splunk Enterprise versions below 9.4.9 and 9.3.10 because the Discover Splunk Observability Cloud app does not come with Splunk Enterprise. |
| Shopware is an open commerce platform. Prior to 6.7.8.1 and 6.6.10.15, the Store API login endpoint (POST /store-api/account/login) returns different error codes depending on whether the submitted email address belongs to a registered customer (CHECKOUT__CUSTOMER_AUTH_BAD_CREDENTIALS) or is unknown (CHECKOUT__CUSTOMER_NOT_FOUND). The "not found" response also echoes the probed email address. This allows an unauthenticated attacker to enumerate valid customer accounts. The storefront login controller correctly unifies both error paths, but the Store API does not — indicating an inconsistent defense. This vulnerability is fixed in 6.7.8.1 and 6.6.10.15. |
| Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability. |
| Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8. |
| Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could result in a security feature bypass, with limited impact to integrity. Exploitation of this issue does not require user interaction. |
| Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Improper Input Validation vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability by providing specially crafted input, causing limited impact to application availability. Exploitation of this issue does not require user interaction. |
| The Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6 allows passing a URL parameter to regenerate a .json file based on demo data that it initially creates. If an administrator modifies the demo form and enables admin notifications in the Guest posting / Frontend Posting / Front Editor WordPress plugin before 5.0.6's settings, it is possible for an unauthenticated attacker to export and download all of the form data/settings, including the administrator's email address. |
| When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer
performs a redirect to a second URL, curl could leak that token to the second
hostname under some circumstances.
If the hostname that the first request is redirected to has information in the
used .netrc file, with either of the `machine` or `default` keywords, curl
would pass on the bearer token set for the first host also to the second one. |
| Improper Input Validation in Zoom Rooms for Windows before 6.6.5 in Kiosk Mode may allow an authenticated user to conduct an escalation of privilege via local access. |
| Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, a user could access another user's private activity due to insufficient authorization checks in the user actions endpoint. Versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2 contain a patch. |
| The Download Manager plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'reviewUserStatus' function in all versions up to, and including, 3.3.49. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive information for any user on the site including email addresses, display names, and registration dates. |
| OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process. |
