Monthly
The payment withdrawal approval endpoint in xianyu-auto-reply executes state-changing financial approval actions in response to HTTP GET requests, violating the HTTP safe-method contract and enabling unintended approvals through automated link-prefetching clients. Any low-privileged authenticated user possessing a valid review token can approve withdrawal requests by issuing a GET to /api/v1/payment/withdraw/review?action=approve, and more critically, email clients or mail-security gateways that automatically prefetch URLs can trigger approvals silently when an administrator receives a notification email. A proof-of-concept has been publicly disclosed per CVSS 4.0 E:P; no CISA KEV listing or confirmed active exploitation was identified at time of analysis.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Dell Avamar, versions prior to 19.10 SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insecure method vulnerability in which allowed HTTP methods are disclosed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The payment withdrawal approval endpoint in xianyu-auto-reply executes state-changing financial approval actions in response to HTTP GET requests, violating the HTTP safe-method contract and enabling unintended approvals through automated link-prefetching clients. Any low-privileged authenticated user possessing a valid review token can approve withdrawal requests by issuing a GET to /api/v1/payment/withdraw/review?action=approve, and more critically, email clients or mail-security gateways that automatically prefetch URLs can trigger approvals silently when an administrator receives a notification email. A proof-of-concept has been publicly disclosed per CVSS 4.0 E:P; no CISA KEV listing or confirmed active exploitation was identified at time of analysis.
Cross-Site Request Forgery in DFIR-IRIS before version 2.4.28 enables a remote attacker to perform unauthorized state-changing actions on behalf of an authenticated victim user, with low integrity impact and no confidentiality or availability consequence. Disclosed by SBA Research as part of a coordinated multi-CVE advisory (alongside mass assignment CVE-2026-42540, excessive data exposure CVE-2026-42539, and false alert attribution CVE-2026-42547), this flaw is rooted in CWE-650 - the application trusts HTTP method semantics rather than enforcing proper anti-CSRF token validation. No public exploit code or active exploitation has been identified at time of analysis.
IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass security restrictions caused by a failure to honor. Rated low severity (CVSS 3.7), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
Dell Avamar, versions prior to 19.10 SP1 with patch 338904, contains a Trusting HTTP Permission Methods on the Server-Side vulnerability in Security. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Aspera Faspex 5.0.0 through 5.0.9 could allow a user to bypass intended access restrictions and conduct resource modification. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
IBM Security Verify Access 10.0.0 through 10.0.7 and IBM Application Gateway 20.01 through 24.03 could allow a remote attacker to obtain highly sensitive private information or cause a denial of. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Insecure method vulnerability in which allowed HTTP methods are disclosed. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.