🚨 CVE-2026-13752
Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing Snowflake CLI to execute unintended SQL in the context of the user’s Snowflake session. Successful exploitation required crafted values to reach vulnerable parameters, including through socially engineered input, malicious repository configuration, or compromised automation feeding external values into the CLI, and impact is limited by the privileges assigned to the active session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
🎖@cveNotify
Improper neutralization of parameters in Snowflake CLI versions prior to 3.19 allowed unintended SQL execution. An attacker could exploit this by supplying crafted values to vulnerable command paths, causing Snowflake CLI to execute unintended SQL in the context of the user’s Snowflake session. Successful exploitation required crafted values to reach vulnerable parameters, including through socially engineered input, malicious repository configuration, or compromised automation feeding external values into the CLI, and impact is limited by the privileges assigned to the active session. The fix is available in Snowflake CLI version 3.19, and users must manually upgrade.
🎖@cveNotify
Snowflake
Snowflake Community
Join our community of data professionals to learn, connect, share and innovate together
🚨 CVE-2026-11720
A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox.
When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).
🎖@cveNotify
A path traversal vulnerability exists in the HTTP tool URL builder of googleapis/mcp-toolbox.
When constructing downstream API requests, the URL builder substitutes user-controlled pathParams into the configured tool path and parses the resulting string as a relative URL. While it checks that the input does not alter the scheme, host, or user info, it relies on ResolveReference for the final URL resolution. Because dot segments (../) are normalized during this resolution step, an attacker can supply path parameters containing directory traversal sequences to escape the operator-configured path scope. This allows the client to coerce the toolbox into making requests to unintended endpoints on the same target host while forwarding the toolbox's configured credentials (e.g., bypassing a restricted path like /api/v1/users/{{.id}} to reach /admin/secrets).
🎖@cveNotify
GitHub
fix(tools/http): prevent path traversal and base path scope escape by duwenxin99 · Pull Request #3218 · googleapis/mcp-toolbox
Rejects relative or URL-encoded dot segments (.., %2e%2e) to prevent directory traversal.
Enforces verification to ensure resolved paths do not escape the intended base path scope or allow unauthor...
Enforces verification to ensure resolved paths do not escape the intended base path scope or allow unauthor...
🚨 CVE-2026-13592
A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3a0159ed43125dcd024a1965f0289cb186bae9ff. To fix this issue, it is recommended to deploy a patch.
🎖@cveNotify
A vulnerability was detected in liftoff-sr CIPster up to e8e9dba09bf56962807d3504b783ccdb6287f3e4. Affected by this issue is the function BufWriter::append of the component EtherNet IP Message Handler. Performing a manipulation results in out-of-bounds write. Remote exploitation of the attack is possible. The exploit is now public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The patch is named 3a0159ed43125dcd024a1965f0289cb186bae9ff. To fix this issue, it is recommended to deploy a patch.
🎖@cveNotify
GitHub
GitHub - liftoff-sr/CIPster: Ethernet/IP (Common Industrial Protocol) stack in C++. This started as a C to C++ conversion of C…
Ethernet/IP (Common Industrial Protocol) stack in C++. This started as a C to C++ conversion of C based OpENer. - liftoff-sr/CIPster
🚨 CVE-2026-36848
Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem.
🎖@cveNotify
Gigamon GVOS v5.16.1 and below is vulnerable to Directory Traversal in the GVOS H-VUE subsystem.
🎖@cveNotify
GitHub
GitHub - calligraf0/CVE-2026-36848: Gigamon Unauth RCE (CVE-2026-36848)
Gigamon Unauth RCE (CVE-2026-36848). Contribute to calligraf0/CVE-2026-36848 development by creating an account on GitHub.
🚨 CVE-2026-56285
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
🎖@cveNotify
Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitrary URLs. Attackers can retrieve HTTP responses from any host reachable by the server, including cloud metadata services and internal network resources.
🎖@cveNotify
GitHub
Fix SSRF in /video proxy and API JSON injection · zedeus/nitter@44b2f09
Validate the target host on the /video media route with
isTwitterUrl() (mirroring /pic) and reject non-http(s) schemes,
and stop the media proxy following redirects off the validated
host. JSON-esc...
isTwitterUrl() (mirroring /pic) and reject non-http(s) schemes,
and stop the media proxy following redirects off the validated
host. JSON-esc...
🚨 CVE-2026-56780
Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.
🎖@cveNotify
Modoboa before 2.9.0 contains an insecure direct object reference vulnerability in the PUT /api/v1/accounts/{pk}/password/ endpoint that allows domain administrators to change any user's password. Attackers with domain admin privileges can bypass object-level access controls to reset superadmin passwords and achieve full account takeover.
🎖@cveNotify
GitHub
Merge pull request #4038 from modoboa/fix/change-password-endpoint-idor · modoboa/modoboa@a1878c4
Fixed IDOR vulnerability in change password API endpoint.
🚨 CVE-2026-56781
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restricted from public view.
🎖@cveNotify
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from share metadata and specify them in projection parameters to read field values that are intended to be restricted from public view.
🎖@cveNotify
GitHub
Unauthenticated hidden-field disclosure in share views via client-supplied projection · Issue #3335 · teableio/teable
Summary A view can mark fields hidden, and share views are meant to never expose hidden field values to viewers. The share-view records endpoint masks hidden fields by passing a default projection ...
🚨 CVE-2026-56782
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
🎖@cveNotify
Gorse before 0.5.10 contains an authentication bypass vulnerability in the /api/dump and /api/restore endpoints that allows unauthenticated attackers to access protected functionality when admin_api_key is empty, which is the default configuration. Remote attackers can exfiltrate the entire database including user records, items, and feedback data containing personally identifiable information, or completely overwrite the dataset without authentication.
🎖@cveNotify
GitHub
fix(master): protect dump and restore endpoints (#1293) · gorse-io/gorse@19fdcbb
AI powered open source recommender system engine supports classical/LLM rankers and multimodal content via embedding - fix(master): protect dump and restore endpoints (#1293) · gorse-io/gorse@19fdcbb
🚨 CVE-2026-56783
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
🎖@cveNotify
Parseable before 2.9.2 contains an information disclosure vulnerability in the notification-target API endpoints that returns webhook tokens and basic-auth credentials in cleartext due to commented-out secret-masking functionality. Any authenticated user with the GetAlert action, including low-privilege reader roles, can recover credentials and internal endpoint URLs for all configured notification targets by querying GET /api/v1/targets or related endpoints.
🎖@cveNotify
GitHub
Restore and harden credential masking for /targets (#1698) · parseablehq/parseable@f307c49
This patch re-enables masking with a few backend changes
- Add mask_url() using url based parsing
- Apply consistent masking across Slack, Webhook, and AlertManager types.
- Add strict unit tests e...
- Add mask_url() using url based parsing
- Apply consistent masking across Slack, Webhook, and AlertManager types.
- Add strict unit tests e...
🚨 CVE-2026-57942
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
🎖@cveNotify
LibreTranslate through 1.9.7, fixed in commit 397fd22, contains an IP spoofing vulnerability in the get_remote_address() function that allows unauthenticated attackers to spoof client IP addresses by injecting arbitrary values into the X-Forwarded-For header without trusted proxy validation. Attackers can bypass per-IP rate limiting and flood bans by supplying forged addresses in the X-Forwarded-For header to enable unlimited API abuse.
🎖@cveNotify
GitHub
Merge pull request #987 from pierotofy/trustfor · LibreTranslate/LibreTranslate@397fd22
Add --trust-forwarded-for
🚨 CVE-2026-57943
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.
🎖@cveNotify
LibrePhotos before 1.0.0 contains a broken object level authorization vulnerability in the SetPhotosShared endpoint that allows authenticated users to grant themselves access to other users' private photos by bypassing ownership validation. Attackers can manipulate shared_to relations without proper owner checks to read arbitrary private photos belonging to other users.
🎖@cveNotify
GitHub
backend: fix cross-user authorization issues and server-stats parse f… · LibrePhotos/librephotos@325bd1f
…ailure
Closes #1860, #1861, #1864.
Authorization:
- SetPhotosShared: scope the photo lookup to owner=request.user on both the
share and unshare branches, matching the sibling SetPhotos* endpoi...
Closes #1860, #1861, #1864.
Authorization:
- SetPhotosShared: scope the photo lookup to owner=request.user on both the
share and unshare branches, matching the sibling SetPhotos* endpoi...
🚨 CVE-2026-57945
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
🎖@cveNotify
PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PUT users API endpoint to overwrite another user's profile details without authorization.
🎖@cveNotify
GitHub
API: Reinforce user profile authorization checks · Issue #5619 · photoprism/photoprism
As a PhotoPrism admin, I want the authorization checks for the user profile endpoint to be reinforced so that non-admin account holders who are logged in cannot modify other users' informationa...
🚨 CVE-2026-57946
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
🎖@cveNotify
Invidious before version 2.20260626.0 contains a broken access control vulnerability that allows unauthenticated attackers to retrieve private playlist contents by accessing the RSS feed playlist endpoint without authentication. Attackers can supply a playlist ID to the feed endpoint to obtain the full playlist contents, owner email address, and associated video entries without any authentication.
🎖@cveNotify
GitHub
fix: fix private invidious playlists on rss feeds from being fetched … · iv-org/invidious@c435dc1
…without authentication (#5776)
🚨 CVE-2026-57947
Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
🎖@cveNotify
Pinpoint through 3.1.0 contains a server-side request forgery vulnerability in the webhook registration endpoint that allows authenticated users to register internal URLs due to missing SSRF protection. Attackers can trigger alarm threshold breaches to force the server to issue POST requests to internal hosts and metadata endpoints, enabling unauthorized access to internal network resources.
🎖@cveNotify
GitHub
Webhook URL missing SSRF protection allows authenticated users to reach internal network resources · Issue #13857 · pinpoint-apm/pinpoint
Summary The Pinpoint web UI allows authenticated users to register alarm webhook URLs through the /api/webhook endpoint. The URL validation function checks only that the supplied string is a syntac...
🚨 CVE-2026-57948
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
🎖@cveNotify
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
🎖@cveNotify
GitHub
JWT session cookie missing HttpOnly and Secure attributes exposes session tokens to script access and plaintext transmission ·…
Summary When basicLogin mode is enabled, Pinpoint issues the JWT session token as a cookie named pinpointJwt. The cookie is created without the HttpOnly or Secure attributes. The absence of HttpOnl...
🚨 CVE-2026-57949
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
🎖@cveNotify
ruoyi-vue-pro through 2026.05, fixed in commit c779a47, contains a missing authorization vulnerability in the CRM module's GET /admin-api/crm/follow-up-record/get endpoint that allows authenticated users to read any follow-up record by iterating sequential numeric IDs. Attackers can exploit this by sending requests with arbitrary ID parameters to access other users' follow-up notes, file attachments, scheduling information, and business entity references without proper authorization checks.
🎖@cveNotify
GitHub
fix(crm): 修复跟进记录详情越权读取 · YunaiV/ruoyi-vue-pro@c779a47
跟进记录详情接口按 id 查询后,增加关联 CRM 业务对象的 READ 权限校验,
避免用户通过自增 id 越权读取其他用户的跟进记录。
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1159
避免用户通过自增 id 越权读取其他用户的跟进记录。
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1159
🚨 CVE-2026-57950
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
🎖@cveNotify
ruoyi-vue-pro through 2026.05, fixed in commit 5d1fd70 contains a broken access control vulnerability in ErpSaleOrderController that allows attackers with erp:sale-out permissions to gain unauthorized access to sale order operations by exploiting an incorrect permission namespace enforcement. Attackers holding shipment-level permissions can perform unauthorized create, update, delete, and read operations on financially sensitive sale orders due to the controller enforcing erp:sale-out instead of the intended erp:sale-order namespace.
🎖@cveNotify
GitHub
fix(erp): 修复销售订单误用销售出库权限 · YunaiV/ruoyi-vue-pro@5d1fd70
将 ErpSaleOrderController 的权限标识从 erp:sale-out:* 修正为
erp:sale-order:*,避免拥有销售出库权限的用户越权访问销售订单接口。
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1161
erp:sale-order:*,避免拥有销售出库权限的用户越权访问销售订单接口。
Fixes: https://github.com/YunaiV/ruoyi-vue-pro/issues/1161
🚨 CVE-2026-57951
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
🎖@cveNotify
Mythic before 3.4.0.60 contains a broken hasura permission filter on the payload_build_step table with an always-satisfied _or condition that bypasses operation-scoped access controls. Authenticated operators and spectators can query payload_build_step to read step_stdout, step_stderr, step_name, and step_description across all operations on the server.
🎖@cveNotify
GitHub
addressing issues #563 #564 and #565 · its-a-feature/Mythic@82648e8
A collaborative, multi-platform, red teaming framework - addressing issues #563 #564 and #565 · its-a-feature/Mythic@82648e8
🚨 CVE-2026-57953
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
🎖@cveNotify
Mythic before 3.4.0.60 contains an authorization bypass vulnerability that allows authenticated spectator-role users to perform unauthorized write operations by accessing the eventing_import_automatic_webhook endpoint registered under spectator-permitted middleware. Attackers with spectator role can exploit this misconfigured access control to create and delete automation workflows, making unauthorized modifications to operation automation configuration and EventGroups.
🎖@cveNotify
GitHub
addressing issues #563 #564 and #565 · its-a-feature/Mythic@82648e8
A collaborative, multi-platform, red teaming framework - addressing issues #563 #564 and #565 · its-a-feature/Mythic@82648e8
🚨 CVE-2026-57954
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
🎖@cveNotify
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across all rows via both JSON:API and GraphQL read paths.
🎖@cveNotify
GitHub
Read permission not enforced on client-supplied sort expressions (incomplete fix of CVE-2020-5289) · Issue #3415 · yahoo/elide
Summary Elide enforces @ReadPermission on client-supplied filter expressions (the fix for CVE-2020-5289), but it does NOT enforce @ReadPermission on client-supplied sort expressions. A caller can s...
🚨 CVE-2026-57955
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
🎖@cveNotify
SigNoz through 0.130.1 contains a SQL injection vulnerability that allows authenticated attackers to execute arbitrary ClickHouse queries by injecting URL-encoded quotes into the rule ID path parameter of the alert-history endpoints. Attackers can manipulate the unsanitized rule ID interpolated into ClickHouse queries to read all stored traces, logs, and metrics, or abuse the url() function to perform server-side request forgery.
🎖@cveNotify
GitHub
[security] clickhouse SQL Injection via Unvalidated Rule ID in Alert History Endpoints · Issue #11747 · SigNoz/signoz
(emailed on 23 may and 6 june - no responses) There's a potential SQL injection vulnerability in two alert history API endpoints that affects all authenticated users. The POST /api/v1/rules/{id...