Skip to main content

Allegra

9 CVEs product

Monthly

CVE-2026-11443 MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
CVSS 3.0
4.6
EPSS
0.1%
CVE-2026-11442 MEDIUM This Month

Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.

Path Traversal Information Disclosure Allegra
NVD VulDB
CVSS 3.0
6.5
EPSS
1.5%
CVE-2025-6216 CRITICAL POC THREAT Emergency

Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators.

Authentication Bypass Allegra
NVD GitHub
CVSS 3.0
9.8
EPSS
25.4%
Threat
4.2
CVE-2025-3485 HIGH This Week

Directory traversal vulnerability in Allegra's extractFileFromZip method that allows authenticated attackers to execute arbitrary code on affected systems. The vulnerability stems from insufficient path validation, enabling remote code execution in the context of the running process. With a CVSS score of 8.8 and requiring only low-privilege authentication, this represents a significant risk to Allegra deployments, though exploitation requires prior authenticated access.

RCE Path Traversal Allegra
NVD
CVSS 3.1
8.8
EPSS
1.2%
CVE-2025-3486 HIGH This Month

Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Allegra
NVD
CVSS 3.1
8.8
EPSS
1.5%
CVE-2024-5581 HIGH This Week

Allegra unzipFile Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Allegra
NVD
CVSS 3.0
7.2
EPSS
2.3%
CVE-2024-5580 HIGH This Week

Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2024-5579 HIGH This Week

Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
CVSS 3.0
7.2
EPSS
1.5%
CVE-2024-30372 MEDIUM This Month

Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Ssti Allegra
NVD
CVSS 3.1
6.3
EPSS
1.1%
EPSS 0% CVSS 4.6
MEDIUM This Month

Cross-site scripting in Allegra's downloadAttachment method enables authenticated remote attackers to inject and execute arbitrary JavaScript within a victim user's browser session. Exploitation requires an authenticated low-privilege attacker account and mandatory victim interaction - the target must visit a malicious page or open a crafted file - limiting the realistic attack surface. Reported by Zero Day Initiative (ZDI-CAN-28236 / ZDI-26-358), patched in Allegra 9.0.0. No public exploit code and no active exploitation (CISA KEV) identified at time of analysis.

Authentication Bypass XSS Allegra
NVD VulDB
EPSS 1% CVSS 6.5
MEDIUM This Month

Directory traversal in Allegra's exportReport method exposes arbitrary server-side files to authenticated remote attackers, operating in the context of the underlying service account. The flaw affects all tracked versions per the CPE wildcard (cpe:2.3:a:allegra:allegra:*), with Alltena's 9.0.0 release notes referencing the fix. No public exploit code or CISA KEV listing has been identified at time of analysis, and no EPSS data was provided, but the CVSS 6.5 rating reflects a meaningful confidentiality risk for any internet-facing Allegra deployment where user accounts may be broadly provisioned.

Path Traversal Information Disclosure Allegra
NVD VulDB
EPSS 25% 4.2 CVSS 9.8
CRITICAL POC THREAT Emergency

Allegra project tracking software contains an authentication bypass in the password recovery token generation. Unauthenticated remote attackers can calculate the token expiration date and generate valid password reset tokens, allowing them to reset any user's password including administrators.

Authentication Bypass Allegra
NVD GitHub
EPSS 1% CVSS 8.8
HIGH This Week

Directory traversal vulnerability in Allegra's extractFileFromZip method that allows authenticated attackers to execute arbitrary code on affected systems. The vulnerability stems from insufficient path validation, enabling remote code execution in the context of the running process. With a CVSS score of 8.8 and requiring only low-privilege authentication, this represents a significant risk to Allegra deployments, though exploitation requires prior authenticated access.

RCE Path Traversal Allegra
NVD
EPSS 2% CVSS 8.8
HIGH This Month

Allegra isZipEntryValide Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Allegra
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Allegra unzipFile Directory Traversal Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Path Traversal Allegra
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Allegra loadFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
EPSS 2% CVSS 7.2
HIGH This Week

Allegra renderFieldMatch Deserialization of Untrusted Data Remote Code Execution Vulnerability. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Deserialization RCE Allegra
NVD
EPSS 1% CVSS 6.3
MEDIUM This Month

Allegra getLinkText Server-Side Template Injection Remote Code Execution Vulnerability. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Ssti Allegra
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy