{
"Source": "CVE FEED",
"Title": "CVE-2026-33159 - Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users",
"Content": "CVE ID :CVE-2026-33159
Published : March 24, 2026, 5:28 p.m. | 47 minutes ago
Description :Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33159 - Craft CMS: Unauthenticated users could execute project configuration sync operations that should be restricted trusted users",
"Content": "CVE ID :CVE-2026-33159
Published : March 24, 2026, 5:28 p.m. | 47 minutes ago
Description :Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication. This issue has been patched in versions 4.17.8 and 5.9.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33158 - Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)",
"Content": "CVE ID :CVE-2026-33158
Published : March 24, 2026, 5:26 p.m. | 50 minutes ago
Description :Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33158 - Craft CMS: Low-privilege users could read private asset contents when editing an asset (IDOR)",
"Content": "CVE ID :CVE-2026-33158
Published : March 24, 2026, 5:26 p.m. | 50 minutes ago
Description :Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.8 and from version 5.0.0-RC1 to before version 5.9.14, a low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files. This issue has been patched in versions 4.17.8 and 5.9.14.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33157 - Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior",
"Content": "CVE ID :CVE-2026-33157
Published : March 24, 2026, 5:22 p.m. | 54 minutes ago
Description :Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33157 - Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior",
"Content": "CVE ID :CVE-2026-33157
Published : March 24, 2026, 5:22 p.m. | 54 minutes ago
Description :Craft CMS is a content management system (CMS). From version 5.6.0 to before version 5.9.13, a Remote Code Execution (RCE) vulnerability exists in Craft CMS, it can be exploited by any authenticated user with control panel access. This is a bypass of a previous fix. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys ("as" and "on" prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any sanitization, enabling the same behavior injection attack chain. This issue has been patched in version 5.9.13.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33340 - LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint",
"Content": "CVE ID :CVE-2026-33340
Published : March 24, 2026, 5:16 p.m. | 59 minutes ago
Description :LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33340 - LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint",
"Content": "CVE ID :CVE-2026-33340
Published : March 24, 2026, 5:16 p.m. | 59 minutes ago
Description :LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2025-11571 - Command Execution vulnerability in Simplicity Installer",
"Content": "CVE ID :CVE-2025-11571
Published : March 24, 2026, 5:16 p.m. | 1 hour ago
Description :Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments.
To successfully execute this attack, the attacker needs to be on the same network.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2025-11571 - Command Execution vulnerability in Simplicity Installer",
"Content": "CVE ID :CVE-2025-11571
Published : March 24, 2026, 5:16 p.m. | 1 hour ago
Description :Vulnerable endpoints accept user-controlled input through a URL in JSON format which enables command execution. The commands allowed to execute can open executables. However, the commands cannot pass parameters or arguments.
To successfully execute this attack, the attacker needs to be on the same network.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33334 - Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration",
"Content": "CVE ID :CVE-2026-33334
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33334 - Vikunja Desktop: Any frontend XSS escalates to Remote Code Execution due to nodeIntegration",
"Content": "CVE ID :CVE-2026-33334
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the renderer process without `contextIsolation` or `sandbox`. This means any cross-site scripting (XSS) vulnerability in the Vikunja web frontend -- present or future -- automatically escalates to full remote code execution on the victim's machine, as injected scripts gain access to Node.js APIs. Version 2.2.0 fixes the issue.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33335 - Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal",
"Content": "CVE ID :CVE-2026-33335
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33335 - Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal",
"Content": "CVE ID :CVE-2026-33335
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from `window.open()` calls directly to `shell.openExternal()` without any validation or protocol allowlisting. An attacker who can place a link with `target="_blank"` (or that otherwise triggers `window.open`) in user-generated content can cause the victim's operating system to open arbitrary URI schemes, invoking local applications, opening local files, or triggering custom protocol handlers. Version 2.2.0 patches the issue.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33336 - Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation",
"Content": "CVE ID :CVE-2026-33336
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.
## Root cause
Two misconfigurations combine to create this vulnerability:
1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
- `` links (without `target="_blank"`)
- `window.location` assignments
- HTTP redirects
- `` tags
## Attack scenario
1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `Click here for the updated design spec`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.
## Impact
Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.
## Proof of concept
1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `Meeting notes`
3. Host poc.html with: ``
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.
## Credits
This vulnerability was found using [GitHub Security Lab Taskflows]().
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33336 - Vikunja Desktop vulnerable to Remote Code Execution via same-window navigation",
"Content": "CVE ID :CVE-2026-33336
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.
## Root cause
Two misconfigurations combine to create this vulnerability:
1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
- `` links (without `target="_blank"`)
- `window.location` assignments
- HTTP redirects
- `` tags
## Attack scenario
1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `Click here for the updated design spec`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.
## Impact
Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.
## Proof of concept
1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `Meeting notes`
3. Host poc.html with: ``
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.
## Credits
This vulnerability was found using [GitHub Security Lab Taskflows]().
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-29839 - DedeCMS CSRF",
"Content": "CVE ID :CVE-2026-29839
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-29839 - DedeCMS CSRF",
"Content": "CVE ID :CVE-2026-29839
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :DedeCMS v5.7.118 was discovered to contain a Cross-Site Request Forgery (CSRF) vulnerability in /sys_task_add.php.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-29840 - JiZhiCMS Stored Cross-Site Scripting (XSS)",
"Content": "CVE ID :CVE-2026-29840
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-29840 - JiZhiCMS Stored Cross-Site Scripting (XSS)",
"Content": "CVE ID :CVE-2026-29840
Published : March 24, 2026, 4:16 p.m. | 2 hours ago
Description :JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-21783 - HCL Traveler is affected by sensitive information disclosure",
"Content": "CVE ID :CVE-2026-21783
Published : March 24, 2026, 7:48 p.m. | 28 minutes ago
Description :HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-21783 - HCL Traveler is affected by sensitive information disclosure",
"Content": "CVE ID :CVE-2026-21783
Published : March 24, 2026, 7:48 p.m. | 28 minutes ago
Description :HCL Traveler is affected by sensitive information disclosure. The application generates some error messages that provide detailed information about errors and failures, such as internal paths, file names, sensitive tokens, credentials, error codes, or stack traces. Attackers could exploit this information to gain insights into the system's architecture and potentially launch targeted attacks.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33412 - Vim affected by Command injection via newline in glob()",
"Content": "CVE ID :CVE-2026-33412
Published : March 24, 2026, 7:43 p.m. | 34 minutes ago
Description :Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33412 - Vim affected by Command injection via newline in glob()",
"Content": "CVE ID :CVE-2026-33412
Published : March 24, 2026, 7:43 p.m. | 34 minutes ago
Description :Vim is an open source, command line text editor. Prior to version 9.2.0202, a command injection vulnerability exists in Vim's glob() function on Unix-like systems. By including a newline character (\n) in a pattern passed to glob(), an attacker may be able to execute arbitrary shell commands. This vulnerability depends on the user's 'shell' setting. This issue has been patched in version 9.2.0202.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33353 - Soft Serve: Authenticated repo import can clone server-local private repositories",
"Content": "CVE ID :CVE-2026-33353
Published : March 24, 2026, 7:39 p.m. | 37 minutes ago
Description :Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33353 - Soft Serve: Authenticated repo import can clone server-local private repositories",
"Content": "CVE ID :CVE-2026-33353
Published : March 24, 2026, 7:39 p.m. | 37 minutes ago
Description :Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. This issue has been patched in version 0.11.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33349 - fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation",
"Content": "CVE ID :CVE-2026-33349
Published : March 24, 2026, 7:35 p.m. | 41 minutes ago
Description :fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33349 - fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation",
"Content": "CVE ID :CVE-2026-33349
Published : March 24, 2026, 7:35 p.m. | 41 minutes ago
Description :fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33345 - solidtime vulnerable to IDOR in private projects",
"Content": "CVE ID :CVE-2026-33345
Published : March 24, 2026, 7:30 p.m. | 46 minutes ago
Description :solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33345 - solidtime vulnerable to IDOR in private projects",
"Content": "CVE ID :CVE-2026-33345
Published : March 24, 2026, 7:30 p.m. | 46 minutes ago
Description :solidtime is an open-source time-tracking app. Prior to version 0.11.6, the project detail endpoint GET /api/v1/organizations/{org}/projects/{project} allows any authenticated Employee to access any project in the organization by UUID, including private projects they are not a member of. The index() endpoint correctly applies the visibleByEmployee() scope, but show() does not. This issue has been patched in version 0.11.6.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33347 - league/commonmark has an embed extension allowed_domains bypass",
"Content": "CVE ID :CVE-2026-33347
Published : March 24, 2026, 7:26 p.m. | 50 minutes ago
Description :league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33347 - league/commonmark has an embed extension allowed_domains bypass",
"Content": "CVE ID :CVE-2026-33347
Published : March 24, 2026, 7:26 p.m. | 50 minutes ago
Description :league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like youtube.com.evil passes the allowlist check when youtube.com is an allowed domain. This issue has been patched in version 2.8.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33344 - Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG",
"Content": "CVE ID :CVE-2026-33344
Published : March 24, 2026, 7:23 p.m. | 53 minutes ago
Description :Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33344 - Dagu has an incomplete fix for CVE-2026-27598: path traversal via %2F-encoded slashes in locateDAG",
"Content": "CVE ID :CVE-2026-33344
Published : March 24, 2026, 7:23 p.m. | 53 minutes ago
Description :Dagu is a workflow engine with a built-in Web user interface. From version 2.0.0 to before version 2.3.1, the fix for CVE-2026-27598 added ValidateDAGName to CreateNewDAG and rewrote generateFilePath to use filepath.Base. This patched the CREATE path. The remaining API endpoints - GET, DELETE, RENAME, EXECUTE - all pass the {fileName} URL path parameter to locateDAG without calling ValidateDAGName. %2F-encoded forward slashes in the {fileName} segment traverse outside the DAGs directory. This issue has been patched in version 2.3.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33332 - NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion",
"Content": "CVE ID :CVE-2026-33332
Published : March 24, 2026, 7:20 p.m. | 56 minutes ago
Description :NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33332 - NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion",
"Content": "CVE ID :CVE-2026-33332
Published : March 24, 2026, 7:20 p.m. | 56 minutes ago
Description :NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33331 - oRPC: Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify",
"Content": "CVE ID :CVE-2026-33331
Published : March 24, 2026, 7:18 p.m. | 59 minutes ago
Description :oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33331 - oRPC: Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify",
"Content": "CVE ID :CVE-2026-33331
Published : March 24, 2026, 7:18 p.m. | 59 minutes ago
Description :oRPC is an tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33627 - Parse Server: Auth data exposed via /users/me endpoint",
"Content": "CVE ID :CVE-2026-33627
Published : March 24, 2026, 7:16 p.m. | 1 hour ago
Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33627 - Parse Server: Auth data exposed via /users/me endpoint",
"Content": "CVE ID :CVE-2026-33627
Published : March 24, 2026, 7:16 p.m. | 1 hour ago
Description :Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
{
"Source": "CVE FEED",
"Title": "CVE-2026-33768 - Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`",
"Content": "CVE ID :CVE-2026-33768
Published : March 24, 2026, 7:16 p.m. | 1 hour ago
Description :Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹
"Source": "CVE FEED",
"Title": "CVE-2026-33768 - Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`",
"Content": "CVE ID :CVE-2026-33768
Published : March 24, 2026, 7:16 p.m. | 1 hour ago
Description :Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...",
"Detection Date": "24 Mar 2026",
"Type": "Vulnerability"
}
🔹 t.me/cvedetector 🔹