🚨 CVE-2026-23988
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
🎖@cveNotify
Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA.
🎖@cveNotify
GitHub
[net] fix local privilege escalation via TOCTOU race condition in Fid… · pbatard/rufus@460cc57
…o script handling (CVE-2026-23988)
* Because PowerShell forces us to close the script we downloaded prior to execution, it is possible for a
malicious background process (running unprivileged, ...
* Because PowerShell forces us to close the script we downloaded prior to execution, it is possible for a
malicious background process (running unprivileged, ...
🚨 CVE-2026-24484
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, Magick fails to check for multi-layer nested mvg conversions to svg, leading to DoS. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
GitHub
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-w… · ImageMagick/ImageMagick@0349df6
…g3g-gvx5-2pmv
🚨 CVE-2026-24485
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, when a PCD file does not contain a valid Sync marker, the DecodeImage() function becomes trapped in an infinite loop while searching for the Sync marker, causing the program to become unresponsive and continuously consume CPU resources, ultimately leading to system resource exhaustion and denial of service. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
GitHub
https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-p… · ImageMagick/ImageMagick@332c156
…qgj-2p96-rx85
🚨 CVE-2026-25576
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-15 and 6.9.13-40, a heap buffer over-read vulnerability exists in multiple raw image format handles. The vulnerability occurs when processing images with -extract dimensions larger than -size dimensions, causing out-of-bounds memory reads from a heap-allocated buffer. Versions 7.1.2-15 and 6.9.13-40 contain a patch.
🎖@cveNotify
GitHub
Fixed out of bounds read in multiple coders that read raw pixel data … · ImageMagick/ImageMagick@077b426
…(GHSA-jv4p-gjwq-9r2j)
🚨 CVE-2026-25637
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.
🎖@cveNotify
ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version 7.1.2-15, a memory leak in the ASHLAR image writer allows an attacker to exhaust process memory by providing a crafted image that results in small objects that are allocated but never freed. Version 7.1.2-15 contains a patch.
🎖@cveNotify
GitHub
Fixed possible memory leak (GHSA-gm37-qx7w-p258) · ImageMagick/ImageMagick@30ce0e8
ImageMagick is a free, open-source software suite for creating, editing, converting, and displaying images. It supports 200+ formats and offers powerful command-line tools and APIs for automation, scripting, and integration across platforms. - Fixed possible…
🚨 CVE-2026-23627
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@cbf4ea4
* core fix
* test
* Fix additional SQL injection in query_codes parameter
* test removed before merging
* test
* Fix additional SQL injection in query_codes parameter
* test removed before merging
🚨 CVE-2026-24487
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of being restricted to only the authenticated patient's data. This could potentially lead to unauthorized disclosure of Protected Health Information (PHI), including patient-provider relationships and care team structures across the entire system. The issue occurs because the `FhirCareTeamService` does not implement the `IPatientCompartmentResourceService` interface and does not pass the patient binding parameter to the underlying service, bypassing the patient compartment filtering mechanism. Version 8.0.0 contains a patch for this issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@5ce10a3
* WIP fix, working on unit tests to verify
WIP for unit tests. Afterwards will write integration tests to verify
everything is working properly.
* Have a working unit test now.
Next steps is to...
WIP for unit tests. Afterwards will write integration tests to verify
everything is working properly.
* Have a working unit test now.
Next steps is to...
🚨 CVE-2026-24890
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could potentially lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs when portal users are allowed to modify provider signatures without proper authorization checks. Version 8.0.0 fixes the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the patient portal signature endpoint allows authenticated portal users to upload and overwrite provider signatures by setting `type=admin-signature` and specifying any provider user ID. This could potentially lead to signature forgery on medical documents, legal compliance violations, and fraud. The issue occurs when portal users are allowed to modify provider signatures without proper authorization checks. Version 8.0.0 fixes the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@a29c0f7
Portal users could forge provider signatures by:
1. Setting type=admin-signature to bypass patient PID checks
2. Specifying arbitrary user IDs in POST data
Fix:
- Block portal users from using adm...
1. Setting type=admin-signature to bypass patient PID checks
2. Specifying arbitrary user IDs in POST data
Fix:
- Block portal users from using adm...
🚨 CVE-2026-24908
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@943e23c
Add validation to SearchConfigClauseBuilder::buildSortOrderClauseFromConfig()
to ensure sort field names only contain valid SQL identifier characters.
This prevents SQL injection via the _sort para...
to ensure sort field names only contain valid SQL identifier characters.
This prevents SQL injection via the _sort para...
🚨 CVE-2026-25164
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the token’s OpenEMR ACLs—effectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@c5e1c44
Document and insurance REST API routes were missing
RestConfig::request_authorization_check() calls, allowing any valid API
bearer token to access or modify data regardless of ACL permissions.
RestConfig::request_authorization_check() calls, allowing any valid API
bearer token to access or modify data regardless of ACL permissions.
🚨 CVE-2026-25220
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@9f2c44f
Force $show_all to "no" for non-admin users so the GET parameter
cannot bypass the access control on viewing all users' messages.
cannot bypass the access control on viewing all users' messages.
🚨 CVE-2026-25743
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
🎖@cveNotify
GitHub
Merge commit from fork · openemr/openemr@da18f83
The most popular open source electronic health records and medical practice management solution. - Merge commit from fork · openemr/openemr@da18f83
🚨 CVE-2026-25746
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
🎖@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
🎖@cveNotify
GitHub
GitHub - ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4: SQL Injection Vulnerability in OpenEMR 7.0.4
SQL Injection Vulnerability in OpenEMR 7.0.4 . Contribute to ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4 development by creating an account on GitHub.
🚨 CVE-2025-69416
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
🎖@cveNotify
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
🎖@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main · lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
🚨 CVE-2025-69417
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
🎖@cveNotify
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
🎖@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main · lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
🚨 CVE-2026-23873
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
🎖@cveNotify
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
🎖@cveNotify
GitHub
Stored CSV Injection (Formula Injection) in Contest Rank Export Leading to RCE Risk
Summary: A CSV Injection (Formula Injection) vulnerability exists in the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize use...
🚨 CVE-2026-23592
Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
🎖@cveNotify
Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
🎖@cveNotify
🚨 CVE-2026-23593
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory.
🎖@cveNotify
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory.
🎖@cveNotify
🚨 CVE-2026-0709
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
🎖@cveNotify
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
🎖@cveNotify
🚨 CVE-2026-22623
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
🎖@cveNotify
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
🎖@cveNotify
🚨 CVE-2026-22624
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
🎖@cveNotify
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
🎖@cveNotify