Skip to main content
CVE-2026-49738 LOW PATCH GHSA Monitor

Path traversal in TYPO3 CMS's GeneralUtility::isAllowedAbsPath() allows authenticated administrator-level users to define File Abstraction Layer (FAL) storage roots that resolve to directories outside the project root. Affected versions span all active TYPO3 branches: before 10.4.57, 11.0.0-11.5.51, 12.0.0-12.4.46, 13.0.0-13.4.31, and 14.0.0-14.3.3. No public exploit code has been identified at time of analysis, and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.1 reflects the severe privilege and prerequisite constraints that substantially limit real-world impact.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11621 LOW Monitor

Unrestricted file upload in Dcat-Admin up to 2.2.3-beta allows remote attackers with high privileges - or potentially with authentication bypass - to upload arbitrary files via the editorMDUpload function at the /admin/dcat-api/editor-md/upload endpoint on the User Setting Page. The vulnerability stems from improper access control (CWE-284) on the editormd-image-file parameter, enabling upload of potentially malicious file types. Publicly available exploit code exists (CVSS E:P confirmed), though no active exploitation is listed in CISA KEV. The low CVSS 4.0 base score of 2.0 reflects constrained impact scope, but the 'Authentication Bypass' tag warrants additional scrutiny of the effective privilege requirement.

Authentication Bypass File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0410 LOW PATCH Monitor

Integrity controls on multiple NETGEAR router firmware lines can be subverted by authenticated administrators on the local network through improper input validation (CWE-20), enabling privilege escalation beyond the intended administrative authorization boundary and permitting unauthorized modifications to router software and functionality. Twenty distinct NETGEAR SKUs across the R7000, RAX, RAXE, and XR1000 series are confirmed affected per ENISA EUVD-2026-35452, each with specific patched firmware thresholds now released by the vendor. No public exploit exists at time of analysis (CVSS E:U), and multiple CVSS constraints - adjacent-only attack vector, high complexity, and high privilege requirement - substantially limit the realistic threat population.

Authentication Bypass R7000 Rax20 Rax35V2 Rax41 +16
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
Prev Page 16 of 16

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy