Monthly
MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
TYPO3 is an open source, PHP based web content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An attacker can upload an arbitrary file instead of a plant image. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
MIME type restriction bypass in TYPO3 CMS 14.2.0-14.3.5 allows unauthenticated attackers to upload files of arbitrary MIME types through forms configured with FileUpload or ImageUpload elements, circumventing the allowedMimeTypes restriction entirely. The flaw originates from a lifecycle ordering defect in the server-side form framework: MimeTypeValidator is registered before concrete form definition properties are applied, so it is absent from the validation pipeline at runtime. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the network-accessible, zero-prerequisite-auth nature of the bypass elevates practical risk wherever affected forms are publicly exposed.
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to bypass group DM policy enforcement or trigger incorrect session handling.
Contao is an Open Source CMS. Rated medium severity (CVSS 6.6), this vulnerability is remotely exploitable. No vendor patch available.
TYPO3 is an open source, PHP based web content management system. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
An attacker can upload an arbitrary file instead of a plant image. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Rated low severity (CVSS 2.6), this vulnerability is remotely exploitable.
IBM Cognos Controller 11.0.0 and 11.0.1 could allow an authenticated user to upload insecure files, due to insufficient file type distinction. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
When importing resources using Web Workers, error messages would distinguish the difference between `application/javascript` responses and non-script responses. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
If an attacker can trick an authenticated user into loading a maliciously crafted .zip file onto Advantech WebAccess version 8.4.5, a web shell could be used to give the attacker full control of the. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
Pairing in Bluetooth® Core v5.2 and earlier may permit an unauthenticated attacker to acquire credentials with two pairing devices via adjacent access when the unauthenticated user initiates. Rated medium severity (CVSS 6.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.