Server
Monthly
Improper authorization in Devolutions Server's secure messages deletion endpoint exposes an Insecure Direct Object Reference (IDOR) flaw allowing any authenticated user to permanently delete secure messages belonging to other users simply by supplying a target message identifier. Affected versions are 2026.2.11 and 2026.1.22; patched releases 2026.1.23 and 2026.2.12 are available per the vendor advisory. No public exploit identified at time of analysis, and the low CVSS score of 3.1 reflects constrained impact (integrity only, no data disclosure) paired with high attack complexity.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Authorization bypass in Devolutions Server 2026.2.11 and 2026.1.22 lets an authenticated low-privileged user approve their own pending access request by calling the access request status endpoint directly, bypassing the mandatory approver review. Because access requests gate elevated access to protected resources, this effectively grants unauthorized privileged access (CVSS 7.1). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue was disclosed and patched by the vendor.
Sensitive information disclosure in Devolutions Server 2026.1.x and 2026.2.x lets an authenticated low-privileged user read the private keys of SSH key and certificate PAM credentials belonging to other users. By supplying a credential identifier they should not have access to (an insecure direct object reference), the attacker retrieves secrets the PAM module is supposed to protect. No public exploit identified at time of analysis, and it is not on CISA KEV, but a vendor patch is available. Note: the supplied CVSS vector lists PR:N (unauthenticated) while the description explicitly requires an authenticated low-privileged user — treat this as an authenticated IDOR.
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any other member's vault key and a victim-scoped access token. The POST /auth-requests/admin-request handler never verifies that the email in the request body belongs to the authenticated caller (CWE-639), so an attacker can create a Trusted Device Encryption admin-approval request for a victim, bound to an attacker-controlled public key; once approved, the encrypted key material is retrievable from an unauthenticated endpoint. Publicly available exploit code exists (a VulnCheck advisory plus a public write-up), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact plus a cross-user scope change.
Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
JSON injection in Bitwarden Server's IntegrationTemplateProcessor.ReplaceTokens() allows authenticated organization members to corrupt event-integration payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints. Any organization running Bitwarden Server prior to 2026.5.0 that has configured event integrations referencing user-controlled tokens such as #ActingUserName# or #UserName# is exposed. A public proof-of-concept exists per VulnCheck and independent researcher disclosure; exploitation is constrained by authentication and specific integration-configuration prerequisites, reflected in the low CVSS 4.0 score of 2.3.
Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.
Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.
Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.
Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was self-disclosed by Devolutions via advisory DEVO-2026-0015.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated low-privilege user to delete PAM network discovery scan configurations that should be restricted to administrators. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privilege account over the network with no user interaction. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated user holding entry edit privileges to modify asset information beyond their authorized scope, bypassing the permission validation layer. The flaw resides in the permission validation component and enables privilege overreach within the platform's access control model - an authenticated low-privilege user can alter data they should have no write access to. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Authenticated network-accessible denial of service in Tanium Server affects three active release branches, patched in versions 7.6.4.2190, 7.7.3.8274, and 7.8.2.1176. The vulnerability stems from a CWE-772 resource leak - allocated resources are not released after their effective lifetime, enabling a low-privileged authenticated attacker to exhaust server resources. A notable conflict exists in the available data: the CVSS vector reports C:H/I:N/A:N (high confidentiality impact, no availability impact) while the CVE description, ENISA EUVD tags, and vendor advisory title all characterize this as a denial of service; defenders should treat both confidentiality and availability as potentially affected until Tanium clarifies. No public exploit is identified and EPSS is low at 0.03%.
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0
Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.
{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.
Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrary organizations via the POST /ciphers/import-organization endpoint by submitting an empty collections array, bypassing authorization checks. This missing authorization vulnerability (CWE-862) affects all authenticated users regardless of organization membership, enabling them to inject malicious credentials or pivot across organizations. Publicly available exploit code exists, and the vendor has released patched version 2026.4.1.
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.
Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated attackers to delete their own MFA factors via crafted API requests, reducing account protection to password-only authentication. This vulnerability enables account security degradation without proper authorization checks, potentially compromising accounts that rely on multi-factor authentication as a secondary defense.
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated users to bypass administrator-enforced MFA restrictions and remove their own multi-factor authentication via a crafted request. This authentication bypass undermines security policies designed to enforce MFA compliance, enabling threat actors with valid credentials to disable a critical security control and potentially maintain persistent access without secondary authentication verification. No public exploit code or active exploitation has been confirmed at time of analysis.
Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.
Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentication through improper validation of OAuth login requests, enabling account takeover without second-factor verification. CISA KEV status and exploit availability not confirmed at time of analysis.
Improper session code validation in Devolutions Server 2026.1.11 and earlier allows authenticated users to escalate privileges and impersonate other users, including administrators, by reusing session codes from external OAuth authentication flows. This authentication bypass affects all versions up to and including 2026.1.11 and requires an attacker to have valid credentials to exploit the vulnerability. No public exploit code or active exploitation has been confirmed at the time of analysis.
A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration field that allows local attackers to overwrite structured exception handling pointers.
Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections that allows network attackers to conduct man-in-the-middle (MITM) attacks by exploiting disabled TLS certificate verification. This vulnerability affects Devolutions Server versions prior to 2026.1, enabling attackers positioned on the network path to intercept and manipulate WinRM communications without detection. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and carries significant information disclosure and server compromise risks, particularly in environments where PAM propagation relies on WinRM for credential delivery and privileged session management.
Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server. [CVSS 6.5 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]
Tanium addressed an improper access controls vulnerability in Tanium Server. [CVSS 4.3 MEDIUM]
An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 (fixed in 5.2.6.10025) allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 (fixed in 5.2.6.10025) allows a low-privileged database user to execute arbitrary SQL commands as the database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Permissions were not properly verified in the API on projects using version control in Git. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Nextcloud is an open-source, self-hosted productivity platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Nextcloud is an open-source, self-hosted productivity platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Bitwarden server through 1.32.0 has a potentially unwanted KDF. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Improper authorization in Devolutions Server's secure messages deletion endpoint exposes an Insecure Direct Object Reference (IDOR) flaw allowing any authenticated user to permanently delete secure messages belonging to other users simply by supplying a target message identifier. Affected versions are 2026.2.11 and 2026.1.22; patched releases 2026.1.23 and 2026.2.12 are available per the vendor advisory. No public exploit identified at time of analysis, and the low CVSS score of 3.1 reflects constrained impact (integrity only, no data disclosure) paired with high attack complexity.
Devolutions Server 2026.1.22.0 and 2026.2.11.0 exposes Azure Key Vault client secrets in cleartext within Recovery Kit response files, defeating an explicit 'exclude sensitive data' option that administrators rely on. Any party who obtains a copy of the generated response file can trivially read the credential without any decryption or tooling. No public exploit code exists and the vulnerability is not in CISA KEV; however, because successful exploitation yields a reusable cloud credential, the downstream blast radius in Azure environments substantially exceeds what the 3.3 CVSS base score suggests. A vendor-released patch is available.
Authorization bypass in Devolutions Server 2026.2.11 and 2026.1.22 lets an authenticated low-privileged user approve their own pending access request by calling the access request status endpoint directly, bypassing the mandatory approver review. Because access requests gate elevated access to protected resources, this effectively grants unauthorized privileged access (CVSS 7.1). There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the issue was disclosed and patched by the vendor.
Sensitive information disclosure in Devolutions Server 2026.1.x and 2026.2.x lets an authenticated low-privileged user read the private keys of SSH key and certificate PAM credentials belonging to other users. By supplying a credential identifier they should not have access to (an insecure direct object reference), the attacker retrieves secrets the PAM module is supposed to protect. No public exploit identified at time of analysis, and it is not on CISA KEV, but a vendor patch is available. Note: the supplied CVSS vector lists PR:N (unauthenticated) while the description explicitly requires an authenticated low-privileged user — treat this as an authenticated IDOR.
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any other member's vault key and a victim-scoped access token. The POST /auth-requests/admin-request handler never verifies that the email in the request body belongs to the authenticated caller (CWE-639), so an attacker can create a Trusted Device Encryption admin-approval request for a victim, bound to an attacker-controlled public key; once approved, the encrypted key material is retrievable from an unauthenticated endpoint. Publicly available exploit code exists (a VulnCheck advisory plus a public write-up), and the CVSS 4.0 base score of 9.3 reflects high confidentiality and integrity impact plus a cross-user scope change.
Denial of service in Tanium Server allows remote unauthenticated attackers to exhaust availability of the platform, per vendor advisory TAN-2026-016. The flaw is network-reachable with low complexity and no privileges or user interaction (CVSS 7.5, availability-only impact), and the CWE-789 classification indicates an uncontrolled/excessive memory allocation can be triggered remotely. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Multi-factor authentication bypass in Devolutions Server (DVLS) versions 2026.2.4 through 2026.2.8 lets an attacker who already holds valid user credentials authenticate without completing MFA, defeating an enforced 'MFA Required' policy. The flaw triggers when DVLS encounters an invalid default MFA value, causing the mandatory second factor to be skipped. It is vendor-reported with a patch available; no public exploit identified at time of analysis and EPSS exploitation probability is low (0.18%, 8th percentile).
JSON injection in Bitwarden Server's IntegrationTemplateProcessor.ReplaceTokens() allows authenticated organization members to corrupt event-integration payloads delivered to webhook, SIEM, Slack, Teams, or Datadog endpoints. Any organization running Bitwarden Server prior to 2026.5.0 that has configured event integrations referencing user-controlled tokens such as #ActingUserName# or #UserName# is exposed. A public proof-of-concept exists per VulnCheck and independent researcher disclosure; exploitation is constrained by authentication and specific integration-configuration prerequisites, reflected in the low CVSS 4.0 score of 2.3.
Broken access control in Bitwarden Server before 2026.5.0 exposes organization billing data to any authenticated user via an IDOR vulnerability in the PreviewInvoiceController endpoints. The missing ManageOrganizationBillingRequirement authorization check permits a valid session holder to supply an arbitrary organizationId and retrieve Stripe-derived billing details - including tax totals, subscription status, and customer data - for organizations they do not belong to. A public proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at the time of analysis.
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a Custom role with the ManageUsers permission delete Admin accounts from the organization, undermining administrative control. The flaw stems from the bulk user-remove (DELETE) endpoint omitting the role-hierarchy guard that the single-user removal path enforces, so a lower-privileged user can strip Admins by submitting their organization-user IDs in a batch request. Publicly available exploit code exists (VulnCheck/researcher write-up), it is not listed in CISA KEV, and no EPSS score was provided in the input.
Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as a NTLMv2 challenge-response, via a crafted DomainName parameter.
OS command injection in MariaDB Server (CWE-78) lets an attacker achieve remote code execution on Galera cluster nodes by embedding shell metacharacters in a joiner node's name, which the server passes unsanitized to the script defined in wsrep_notify_cmd. Affected branches are 10.6.1–10.6.26, 10.11.1–10.11.17, 11.4.1–11.4.11, 11.8.1–11.8.7, and 12.3.1, but only when wsrep_notify_cmd is configured. It carries a vendor CVSS of 9.8; however EPSS is very low (0.05%, 15th percentile) and SSVC marks exploitation as 'none', so there is no public exploit identified at time of analysis and it is not on CISA KEV.
Command injection (CWE-78) in Devolutions Server's built-in PAM provider password rotation templates allows an attacker with vault write access to execute arbitrary OS commands on systems managed by the affected PAM provider. Affected versions include 2026.2.4.0 and all releases at or below 2026.1.20.0, reported directly by the vendor Devolutions. No public exploit code has been identified and this vulnerability is not listed in CISA KEV at time of analysis, but the high-value nature of a PAM platform managing privileged credentials on downstream systems means the practical blast radius substantially exceeds what the CVSS C:L/I:L scores suggest.
Missing authorization on the deleted user groups API in Devolutions Server enables authenticated low-privileged users to enumerate metadata of deleted user groups via crafted API requests, bypassing intended access controls. Affected deployments include versions 2026.2.4.0 and 2026.1.20.0 and earlier, as confirmed by the vendor advisory DEVO-2026-0015. No public exploit exists and CISA SSVC confirms no active exploitation, placing this at low operational priority despite its network-accessible attack vector.
Cleartext credential exposure in Devolutions Server allows an authenticated low-privileged user to retrieve plaintext credentials stored for configured ticketing integrations via a crafted API request. Affected versions include Devolutions Server 2026.2.4.0 and all 2026.1.x releases up to and including 2026.1.20.0. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was self-disclosed by Devolutions via advisory DEVO-2026-0015.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated low-privilege user to delete PAM network discovery scan configurations that should be restricted to administrators. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms exploitation requires only a valid low-privilege account over the network with no user interaction. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog at time of analysis.
Improper access control in Devolutions Server 2026.1.19 and earlier allows an authenticated user holding entry edit privileges to modify asset information beyond their authorized scope, bypassing the permission validation layer. The flaw resides in the permission validation component and enables privilege overreach within the platform's access control model - an authenticated low-privilege user can alter data they should have no write access to. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Authenticated network-accessible denial of service in Tanium Server affects three active release branches, patched in versions 7.6.4.2190, 7.7.3.8274, and 7.8.2.1176. The vulnerability stems from a CWE-772 resource leak - allocated resources are not released after their effective lifetime, enabling a low-privileged authenticated attacker to exhaust server resources. A notable conflict exists in the available data: the CVSS vector reports C:H/I:N/A:N (high confidentiality impact, no availability impact) while the CVE description, ENISA EUVD tags, and vendor advisory title all characterize this as a denial of service; defenders should treat both confidentiality and availability as potentially affected until Tanium clarifies. No public exploit is identified and EPSS is low at 0.03%.
Improper authorization in the Active Directory browsing feature in Devolutions Server allows a low-privileged authenticated user to obtain authentication material associated with a stored PAM provider service account via authentication relay to an attacker-controlled server. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper access control in the entry activity log feature in Devolutions Server allows an authenticated user with access to an entry but without the required permission to retrieve that entry's activity logs via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper enforcement of the sealed-entry workflow in the entry sensitive-data retrieval feature in Devolutions Server allows an authenticated user with access to a sealed entry to retrieve its sensitive data without triggering the unseal audit notification via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper access control in the entry documentation and attachment features in Devolutions Server allows an authenticated user with vault read access to retrieve the documentation and attachments of sealed entries via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the user profile update feature in Devolutions Server allows an authenticated Active Directory user to modify their own profile attributes via a crafted API request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Unverified password change in Devolutions Server allows an attacker to change a user's password without providing the previous one via a crafted password change request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Improper input validation in the external authentication provider flow in Devolutions Server allows an unauthenticated remote attacker to redirect victims to an attacker-controlled domain via a crafted login link. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Insufficient logging in the entry export feature in Devolutions Server allows an authenticated user with export permissions to export a sealed entry without triggering the unseal notification to administrators via a crafted export request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0 * Devolutions Server 2025.3.20.0 and earlier
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request.
Improper handling of factor key state in the multi-factor authentication management feature in Devolutions Server allows an attacker with knowledge of a user's password to bypass the user's multi-factor authentication after the user reconfigures their factors. This issue affects : * Devolutions Server 2026.1.6.0 through 2026.1.16.0
Missing authorization in the PAM module of Devolutions Server allows authenticated users with a PAM license to retrieve OTP secret keys and recovery codes without additional permissions, leading to account compromise through crafted API requests. Affected versions include Devolutions Server 2025.3.16.0 and earlier, plus 2026.1.6.0 through 2026.1.11.0. No public exploit code or active exploitation has been identified; however, the low CVSS score and minimal EPSS percentile suggest limited real-world attack incentive despite the confidentiality impact.
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management privileges to retrieve or rotate organization SCIM API keys without master password re-authentication. An attacker with valid session credentials and SCIM management rights can obtain sensitive API keys that enable user provisioning control, potentially leading to unauthorized account creation, modification, or deletion within the organization. Public exploit code exists, and vendor patch v2026.4.1 addresses the issue via GitHub PR #7403.
{providerId}/clients/existing endpoint, allowing authenticated provider users to add any organization to their provider without the target's consent. Publicly available exploit code exists (detailed writeup by Sanjok Karki), and vendor-released patch v2026.4.0 fully addresses the issue via GitHub PR #7372. Self-hosted installations are unaffected due to endpoint access restrictions. CVSS 8.9 reflects high confidentiality, integrity, and availability impact with high attack complexity and high privilege requirements.
Bitwarden Server prior to v2026.4.1 allows any authenticated user to write ciphers (encrypted credentials) into arbitrary organizations via the POST /ciphers/import-organization endpoint by submitting an empty collections array, bypassing authorization checks. This missing authorization vulnerability (CWE-862) affects all authenticated users regardless of organization membership, enabling them to inject malicious credentials or pivot across organizations. Publicly available exploit code exists, and the vendor has released patched version 2026.4.1.
Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.2.0, the /api/auth/login endpoint contains a logic flaw that allows unauthenticated remote attackers to enumerate valid usernames by measuring the application's response time. This issue has been patched in version 2.2.0.
Server-side request forgery (SSRF) in Devolutions Server gateway health check feature allows low-privileged authenticated users to bypass input validation and trigger arbitrary requests, potentially disclosing sensitive information from internal systems or network resources. Affected versions are 2026.1.1-2026.1.11 and 2025.3.1-2025.3.17. No public exploit code or active exploitation has been confirmed at time of analysis.
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated attackers to delete their own MFA factors via crafted API requests, reducing account protection to password-only authentication. This vulnerability enables account security degradation without proper authorization checks, potentially compromising accounts that rely on multi-factor authentication as a secondary defense.
Improper access control in Devolutions Server 2026.1.6 through 2026.1.11 allows authenticated users to bypass administrator-enforced MFA restrictions and remove their own multi-factor authentication via a crafted request. This authentication bypass undermines security policies designed to enforce MFA compliance, enabling threat actors with valid credentials to disable a critical security control and potentially maintain persistent access without secondary authentication verification. No public exploit code or active exploitation has been confirmed at time of analysis.
Devolutions Server versions 2026.1.6 through 2026.1.11 expose sensitive one-time password (OTP) keys in the MFA feature, allowing authenticated users with user management privileges to retrieve other users' OTP secrets via API requests. This information disclosure vulnerability enables account takeover by attackers who obtain valid credentials with user management roles, as OTP keys are sufficient to generate valid authentication codes and bypass multi-factor authentication protections.
Devolutions Server 2026.1.11 and earlier allows authenticated remote attackers to bypass two-factor authentication by reusing a partially authenticated session token, enabling unauthorized account access without completing the second authentication factor. The vulnerability affects all versions up to and including 2026.1.11, with no CVSS score or public exploit confirmation available at analysis time.
Devolutions Server versions 2026.1.11 and earlier allow authenticated remote attackers to bypass multi-factor authentication through improper validation of OAuth login requests, enabling account takeover without second-factor verification. CISA KEV status and exploit availability not confirmed at time of analysis.
Improper session code validation in Devolutions Server 2026.1.11 and earlier allows authenticated users to escalate privileges and impersonate other users, including administrators, by reusing session codes from external OAuth authentication flows. This authentication bypass affects all versions up to and including 2026.1.11 and requires an attacker to have valid credentials to exploit the vulnerability. No public exploit code or active exploitation has been confirmed at the time of analysis.
A user-controlled key authorization bypass vulnerability in HYPR Server versions 9.5.2 through 10.7.1 enables authenticated attackers to escalate privileges through improper authorization checks. An attacker with low-level privileges can manipulate cryptographic keys or authorization tokens to gain high-level access, compromising confidentiality, integrity, and availability of the authentication system. This vulnerability requires local or physical access to the system and valid user credentials, limiting its immediate threat scope but representing a critical risk in multi-tenant or shared infrastructure deployments.
An incorrect privilege assignment vulnerability in HYPR Server allows authenticated users to escalate their privileges through an unspecified mechanism. HYPR Server versions 10.5.1 through 10.6.x are affected, with the vulnerability resolved in version 10.7 and later. An attacker with valid user credentials can exploit this flaw to gain elevated permissions, potentially compromising the entire authentication infrastructure managed by the HYPR Server instance.
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration field that allows local attackers to overwrite structured exception handling pointers.
Devolutions Server contains an improper certificate validation vulnerability in its PAM propagation WinRM connections that allows network attackers to conduct man-in-the-middle (MITM) attacks by exploiting disabled TLS certificate verification. This vulnerability affects Devolutions Server versions prior to 2026.1, enabling attackers positioned on the network path to intercept and manipulate WinRM communications without detection. The vulnerability is classified under CWE-295 (Improper Certificate Validation) and carries significant information disclosure and server compromise risks, particularly in environments where PAM propagation relies on WinRM for credential delivery and privileged session management.
Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server. [CVSS 6.5 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Server. [CVSS 6.7 MEDIUM]
Tanium addressed a local privilege escalation vulnerability in Tanium Module Server. [CVSS 6.7 MEDIUM]
Tanium addressed an improper access controls vulnerability in Tanium Server. [CVSS 4.3 MEDIUM]
An uncontrolled search path element vulnerability has been found on 4D and 4D server Windows executables applications, affecting version 19 R8 100218. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to send crafted TCP packets containing requests to perform arbitrary actions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to retrieve password hashes for all users via eavesdropping. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Gotify server is a simple server for sending and receiving messages in real-time per WebSocket. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Cross-Site Scripting (XSS) vulnerability could allow attackers to inject malicious scripts into web pages viewed by other users.
A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 (fixed in 5.2.6.10025) allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A SQL injection issue in a database stored function in TrueConf Server 5.2.0.10225 (fixed in 5.2.6.10025) allows a low-privileged database user to execute arbitrary SQL commands as the database. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical severity (CVSS 9.9), this vulnerability is remotely exploitable, low attack complexity. This Improper Privilege Management vulnerability could allow attackers to escalate privileges to gain unauthorized elevated access.
Permissions were not properly verified in the API on projects using version control in Git. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity.
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Nextcloud is an open-source, self-hosted productivity platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
Nextcloud is an open-source, self-hosted productivity platform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
When configuring Octopus Server if it is configured with an external SQL database, on initial configuration the database password is written to the OctopusServer.txt log file in plaintext. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Affected versions of Octopus Server are prone to an authenticated SQL injection vulnerability in the Events REST API because user supplied data in the API request isn’t parameterised correctly. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Cleartext storage of sensitive information in multiple versions of Octopus Server where in certain situations when running import or export processes, the password used to encrypt and decrypt. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An issue was discovered in Octopus Deploy 3.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Bitwarden Server 1.35.1 allows SSRF because it does not consider certain IPv6 addresses (ones beginning with fc, fd, fe, or ff, and the :: address) and certain IPv4 addresses (0.0.0.0/8, 127.0.0.0/8,. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
The Bitwarden server through 1.32.0 has a potentially unwanted KDF. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A persistent cross-site scripting (XSS) vulnerability in Octopus Server 3.4.0 through 2019.10.5 allows remote authenticated attackers to inject arbitrary web script or HTML. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
The Customer's Tomedo Server in Version 1.7.3 communicates to the Vendor Tomedo Server via HTTP (in cleartext) that can be sniffed by unauthorized actors. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
In Octopus Tentacle versions 3.0.8 to 5.0.0, when a web request proxy is configured, an authenticated user (in certain limited OctopusPrintVariables circumstances) could trigger a deployment that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Octopus Deploy versions 2018.8.4 to 2019.7.6, when a web request proxy is configured, an authenticated user (in certain limited special-characters circumstances) could trigger a deployment that. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
In Traccar Server version 4.2, protocol/SpotProtocolDecoder.java might allow XXE attacks. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injection') vulnerability in ComputedAttributesHandler.java that can result in Remote. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.