Externally Controlled Reference to a Resource in Another Sphere and Authorization Bypass Through User-Controlled Key vulnerability in Apache Camel K. Authorized users in a Kubernetes namespace can create a Build resource, controlling the Pod generation in a namespace of their choice, including the operator namespace. This issue affects Apache Camel K: from 2.0.0 before 2.8.1, from 2.9.0 before 2.9.2, from 2.10.0 before 2.10.1. Users are recommended to upgrade to version 2.10.1 (or 2.8.1 or 2.9.2), which fixes the issue.
Remote unauthenticated attackers can exploit a server-side request forgery (SSRF) vulnerability in Microsoft Partner Center to access internal resources and perform spoofing attacks. The vulnerability allows high-level information disclosure with limited integrity impact, requiring no user interaction or special privileges. Microsoft has released a security patch, and while CVSS rates this 8.2 (High), no active exploitation or public proof-of-concept has been identified at time of analysis.
Local file inclusion in VertiGIS FM's upload/download mechanism allows authenticated attackers to read arbitrary server files by manipulating file paths during upload, with potential for remote code execution if web.config is obtained and for NTLM-relay attacks via UNC path resolution. VertiGIS FM versions 10.5.00119 and earlier are affected, and the vulnerability requires valid application credentials to exploit.
OpenClaw versions before 2026.2.21 allow authenticated users with browser-tool access to bypass URL scheme validation and navigate to file:// URLs, enabling local file exfiltration through browser snapshot and extraction features. An attacker with valid credentials could read sensitive files accessible to the OpenClaw process and extract them from the system. No patch is currently available.
Improper symbolic link handling in Acronis Cyber Protect 17 for Windows (before build 41186) enables local attackers with limited privileges to escalate to system-level access through a race condition. An authenticated user can exploit this vulnerability to gain full control over the affected system, including reading sensitive data and modifying system configurations. No patch is currently available for this high-severity flaw.
Acronis Cyber Protect 17 for Windows before build 41186 allows local attackers with standard user privileges to escalate to system-level access through improper handling of symbolic links. An authenticated attacker can exploit this vulnerability to gain full control over the affected system, including the ability to read, modify, or delete sensitive data and execute arbitrary code. No patch is currently available for this vulnerability.
Android versions up to 16.0 contain a vulnerability that allows local escalation of privilege with no additional execution privileges needed (CVSS 7.8).
Jeesite versions up to 5.15.1 contain an XML external entity (XXE) reference vulnerability (CVSS 5.0).
OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.
O2OA versions up to 9.0.0 contain an XML external entity (XXE) injection vulnerability in the /x_program_center/jaxrs/mpweixin/check HTTP POST handler that allows authenticated remote attackers to read sensitive files or conduct denial-of-service attacks. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. The attack requires valid credentials but can be executed over the network without user interaction.