R 3.4.4 on Windows x64 contains a buffer overflow vulnerability in the GUI Preferences language menu field that allows local attackers to bypass DEP and ASLR protections. [CVSS 6.2 MEDIUM]
WinMPG iPod Convert 3.0 contains a buffer overflow vulnerability in the Register dialog that allows local attackers to crash the application by supplying an oversized payload. [CVSS 6.2 MEDIUM]
RAR Password Recovery 1.80 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload in the registration dialog. [CVSS 6.2 MEDIUM]
Outlook Password Recovery 2.10 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. [CVSS 6.2 MEDIUM]
SQL Server Password Changer 1.90 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized payload. Attackers can inject 6000 bytes of data into the User Name and Registration Code field to trigger a denial of service condition. [CVSS 6.2 MEDIUM]
Folder Lock 7.7.9 contains a buffer overflow vulnerability in the serial number registration field that allows local attackers to crash the application by submitting an oversized payload. [CVSS 6.2 MEDIUM]
SpotIE Internet Explorer Password Recovery 2.9.5 contains a denial of service vulnerability in the registration key input field that allows local attackers to crash the application by supplying an excessively long string. [CVSS 6.2 MEDIUM]
Easy MP3 Downloader 4.7.8.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long unlock code. [CVSS 6.2 MEDIUM]
InputMapper 1.6.10 contains a buffer overflow vulnerability in the username field that allows local attackers to crash the application by entering an excessively long string. [CVSS 5.5 MEDIUM]
curl's HTTP proxy connection reuse mechanism fails to validate credential changes, allowing an attacker to intercept or manipulate traffic by leveraging an existing proxy connection established with different authentication. This affects users whose applications reuse proxy connections across requests with varying credentials, enabling credential confusion attacks. Public exploit code exists for this vulnerability, though a patch is available.
SQL injection in itsourcecode University Management System 1.0 via the Name parameter in /att_add.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.
OAuth2 bearer token leakage in curl and .NET occurs when HTTP redirects are followed to a second hostname that matches entries in the .netrc configuration file, allowing attackers to obtain valid authentication tokens for unintended hosts. Public exploit code exists for this vulnerability affecting curl and .NET applications that rely on OAuth2 authentication with automatic redirect handling. This medium-severity vulnerability (CVSS 5.3) requires network access but no user interaction, and patches are available from vendors.
Denial of service in yauzl 3.2.0 (Node.js zip parsing library) allows remote attackers to crash applications by submitting malformed zip files with specially crafted NTFS timestamp fields that trigger an out-of-bounds buffer read. The vulnerability affects any Node.js application that processes untrusted zip uploads and extracts file modification dates. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contain an input validation flaw that allows authenticated local users to delete arbitrary registry keys with elevated privileges. This vulnerability affects systems where users have local access and could enable attackers to modify system configuration or disable security controls. No patch is currently available.
Lenovo Vantage and Baiying DeviceSettingsSystemAddin contains an input validation flaw that allows authenticated local users to modify arbitrary registry keys with system-level privileges. This vulnerability could enable privilege escalation or system configuration tampering by an attacker with local access. No patch is currently available.
Adobe Commerce and Magento versions 2.4.9-alpha3 through 2.4.4-p16 contain a path traversal vulnerability that allows high-privileged attackers to bypass security controls and access files outside intended directories. The vulnerability requires administrative credentials but no user interaction for exploitation, potentially exposing sensitive data. No patch is currently available for affected versions.
Network interface denial of service in Cisco IOS XR on NCS 5500/5700 routers allows unauthenticated remote attackers to disable packet processing by sending crafted traffic that triggers EPNI Aligner interrupt corruption during heavy transit conditions. Successful exploitation causes the network processing unit and ASIC to stop functioning, rendering affected interfaces unable to forward traffic. No patch is currently available for this medium-severity vulnerability.
Medium severity vulnerability in Home Assistant MCP. #
Medium severity vulnerability in StudioCMS. The POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/d...
Gutena Forms WordPre versions up to 1.6.1 is affected by authorization bypass through user-controlled key (CVSS 6.8).
LenovoProductivitySystemAddin in Lenovo Vantage and Baiying contains an input validation flaw that enables local authenticated users to terminate arbitrary processes with elevated privileges. This medium-severity vulnerability (CVSS 6.8) requires local access and valid credentials but poses a significant availability risk. No patch is currently available.
JetBrains Hub versions prior to 2026.1 contain an authentication bypass vulnerability where attackers with valid credentials can gain unauthorized access to accounts through sign-in mismatches when SSO is disabled and two-factor authentication is not configured. An authenticated attacker can exploit this to achieve both confidentiality and integrity violations. No patch is currently available for this vulnerability.
An SQL injection vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.
Improper BIOS initialization in certain ThinkPad models enables local privileged users to modify system data and execute arbitrary code with high integrity impact. The vulnerability requires elevated privileges and local access, posing a risk to organizations where administrative users may be compromised or untrusted. No patch is currently available.
Dell Alienware Command Center versions before 6.12.24.0 suffer from improper privilege management that allows local attackers with low privileges to escalate their access on affected systems. An attacker with physical or local system access combined with user interaction could gain elevated privileges, potentially compromising system integrity and confidentiality. No patch is currently available for this vulnerability.
An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to compromise the security of the system.
web-based project management software. versions up to 17.2.0 is affected by cross-site scripting (xss) (CVSS 6.5).
### Summary OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2. ### Details The issue is in the live event streaming path. EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber: - service/internal/api/api.go:776 After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action: - service/internal/api/api.go:846 OnExecutionStarted - service/internal/api/api.go:869 OnExecutionFinished - service/internal/api/api.go:1047 OnOutputChunk The event payload includes action output through: - service/internal/api/api.go:295 internalLogEntryToPb - service/internal/api/api.go:302 Output By contrast, the normal log APIs do apply per-action authorization checks: - service/internal/api/api.go:518 GetLogs - service/internal/api/api.go:585 GetActionLogs - service/internal/api/api.go:544 isLogEntryAllowed Root cause: - the subscription path enforces only coarse dashboard access - execution callbacks broadcast to every connected client - no per-recipient ACL check is applied before sending action metadata or output I validated the issue using: - an admin user with full ACLs - an alice user with no ACLs - a protected action that outputs TOPSECRET=alpha-bravo-charlie Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output. ### PoC Tested version: ``` - 3000.10.2 ``` 1. Fetch and check out 3000.10.2 in a clean worktree: ```bash git -C OliveTin fetch origin tag 3000.10.2 git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2 ``` 2. Copy the PoC test into the clean tree: ```bash cp OliveTin/service/internal/api/event_stream_leak_test.go \ OliveTin-3000.10.2/service/internal/api/ ``` 3. Run the targeted PoC test: ```bash cd OliveTin-3000.10.2/service go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v ``` 4. Optional: save validation output: ```bash go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \ 2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log ``` Observed validation output: ```bash === RUN TestEventStreamLeaksUnauthorizedExecutionOutput time="2026-03-01T04:44:59-05:00" level=info msg="Action requested" actionTitle=secret-action tags="[]" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - Before" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action parse args - After" actionTitle=secret-action cmd="echo 'TOPSECRET=alpha-bravo-charlie'" time="2026-03-01T04:44:59-05:00" level=info msg="Action started" actionTitle=secret-action timeout=1 time="2026-03-01T04:44:59-05:00" level=info msg="Action finished" actionTitle=secret-action exit=0 outputLength=30 timedOut=false --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s) PASS ok github.com/OliveTin/OliveTin/internal/api 0.025s ``` What this proves: - admin can execute the protected action - alice has no ACLs - alice still receives the streamed completion event for the protected action - protected action output is exposed through the event stream ### Impact This is an authenticated broken access control / information disclosure vulnerability. A low-privileged authenticated user can subscribe to EventStream and receive: - action execution metadata - execution tracking IDs - initiating username - live output chunks - final command output Who is impacted: - multi-user OliveTin deployments - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events This bypasses intended per-action log/view restrictions for protected actions.
libcurl incorrectly reuses authenticated connections when processing Negotiate authentication requests, allowing an attacker with valid credentials to access resources authenticated under different user accounts. An authenticated attacker can exploit this connection pooling logic error to bypass authentication checks by reusing an existing connection that was authenticated with different credentials. This affects libcurl implementations using Negotiate authentication where multiple users access the same server.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 16.11 versions up to 18.7.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).
Shescape versions prior to 2.1.10 fail to properly escape square-bracket glob patterns in Bash, BusyBox sh, and Dash, allowing attackers to manipulate shell arguments into multiple filesystem expansions instead of literal strings. Applications using the library's escape() function are vulnerable to argument injection attacks where an attacker-controlled value like "secret[12]" could expand to match multiple files, bypassing intended pathname restrictions. No patch is currently available for affected deployments.
A security vulnerability in Copyparty (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
Unauthenticated attackers can arbitrarily unsubscribe email addresses from Mailchimp audiences through the MC4WP: Mailchimp for WordPress plugin (versions up to 4.11.1) by manipulating the unvalidated _mc4wp_action POST parameter, requiring only publicly exposed form IDs. This missing authorization vulnerability allows bulk email removal operations without authentication, impacting any WordPress site using the affected plugin with a connected Mailchimp account. No patch is currently available to address this issue.
Incorrect security UI in Downloads in Google Chrome on Android versions up to 146.0.7680.71 contains a security vulnerability.
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 9.3 versions up to 18.7.6 is affected by allocation of resources without limits or throttling (CVSS 6.5).
OpenProject versions prior to 17.2.0 allow authenticated users with BCF import permissions to read arbitrary files from the server through path traversal in crafted .bcf archive uploads. An attacker can manipulate the Snapshot field in markup.bcf to reference absolute or traversal paths (such as /etc/passwd), enabling unauthorized file disclosure within the application's read permissions. This vulnerability requires valid project member credentials and no patch is currently available.
Incorrect security UI in WebAppInstalls in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Splunk Enterprise and Cloud Platform versions below specified thresholds fail to properly restrict access to the passwords configuration API endpoint, allowing low-privileged users without admin or power roles to retrieve hashed or plaintext credential values from passwords.conf. This information disclosure vulnerability could enable attackers to obtain sensitive authentication credentials for further system compromise. No patch is currently available.
web-based management interface of AOS-CX Switches is affected by url redirection to untrusted site (open redirect) (CVSS 6.5).
Open Forms versions prior to 3.3.13 and 3.4.5 allow authenticated attackers to access arbitrary form submissions through submission reference enumeration or manipulation in the cosigning workflow. An attacker with valid credentials can guess or modify cosigner codes to retrieve submissions they should not have access to, resulting in unauthorized information disclosure.
Unauthorized budget assignment deletion in OpenProject prior to 17.2.0 allows any authenticated user to remove work package budget associations due to insufficient authorization checks being performed after the deletion operation. This improper access control enables users without proper permissions to manipulate budget data, potentially disrupting project financial tracking and resource allocation. A patch is available in version 17.2.0 and later.
Insufficient policy enforcement in ChromeDriver in Google Chrome versions up to 146.0.7680.71 contains a security vulnerability.
Stored cross-site scripting in the Astra WordPress theme through versions 4.12.3 allows authenticated contributors and higher-privileged users to inject malicious scripts into post meta fields that execute when pages are viewed. The vulnerability stems from improper sanitization of background-related meta fields and missing output escaping in CSS property handling. Attackers with contributor-level access can compromise page content and redirect or manipulate user sessions.
Stored XSS in the weForms WordPress plugin allows authenticated users with Subscriber-level access to inject malicious scripts through REST API form submissions, bypassing the sanitization applied to frontend submissions. The vulnerability exists in versions up to 1.6.27 due to inconsistent input validation between the AJAX handler and REST API endpoint, enabling attackers to execute arbitrary JavaScript in the context of other users' browsers. No patch is currently available.
Stored XSS in the WP ULike WordPress plugin up to version 5.0.1 allows authenticated users with Contributor access or higher to inject malicious scripts into pages through the shortcode template attribute, which executes when visitors view affected content. The vulnerability stems from improper use of html_entity_decode() that circumvents WordPress sanitization filters, requiring at least one like on a post to trigger payload execution. No patch is currently available.
Authenticated contributors to WordPress sites running Happy Addons for Elementor up to version 3.21.0 can modify display conditions of published templates due to improper authorization checks in the `ha_condition_update` AJAX action and missing capability validation in `ha_get_current_condition`. The vulnerability allows attackers to alter template visibility rules and potentially inject unescaped content into HTML attributes, affecting site content delivery and potentially enabling stored XSS attacks.
Stored XSS in Gravity Forms WordPress plugin through version 2.9.28.1 allows authenticated subscribers and above to inject malicious JavaScript via the form creation endpoint, which executes when administrators interact with the Form Switcher dropdown. The vulnerability stems from inadequate input sanitization and missing output escaping in the form title field. No patch is currently available.
Stored XSS in Dear Flipbook WordPress plugin through version 2.4.20 allows authenticated users with Author privileges or higher to inject malicious scripts via PDF page labels due to inadequate input sanitization. These injected scripts execute in the browsers of any user viewing the affected pages. No patch is currently available for this vulnerability.
FastGPT's Python Sandbox in versions 4.14.7 and earlier allows authenticated users to bypass file write restrictions by remapping standard output to arbitrary file descriptors via fcntl, enabling unauthorized file creation and modification within the container. The vulnerability exploits a gap between static detection and seccomp filtering, where remapped stdout still satisfies the write syscall rules. An attacker with sandbox access could create or overwrite arbitrary files despite the intended file system restrictions.
Improper access control in Splunk Enterprise and Cloud Platform versions below specified thresholds allows low-privileged users without admin or power roles to extract sensitive information from job search logs through the MongoClient logging channel. Affected versions include Enterprise 10.2.1, 10.0.4, 9.4.9, and 9.3.10, as well as corresponding Cloud Platform releases. No patch is currently available for this medium-severity vulnerability.