🚨 CVE-2026-58011
A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
🎖@cveNotify
A flaw was found in GLib. An out-of-bounds read of only 2 bytes can occur in the g_date_time_get_ymd function in the glib/gdatetime.c file when an invalid GDateTime object produced by the g_date_time_add_full function is processed. This flaw can corrupt the date output and potentially cause logic errors that may lead to a denial of service.
🎖@cveNotify
🚨 CVE-2026-58012
A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
🎖@cveNotify
A flaw was found in GLib. A buffer over-read can occur in the g_regex_replace function when used with the `G_REGEX_RAW` compile flag and case-change replacement escapes because the string_append function processes matched substrings using UTF-8 functions that assume valid UTF-8 input, even when the string is treated as raw bytes. This vulnerability can cause a minor information disclosure of 1-5 bytes and a denial of service when the buffer over-read crosses a page boundary.
🎖@cveNotify
🚨 CVE-2026-58013
A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.
🎖@cveNotify
A flaw was found in GLib. A buffer over-read can occur in g_io_channel_read_line_backend() in the giochannel.c file when a custom line terminator with a length greater than one is set, causing memcmp to read past the GString buffer. This vulnerability can cause a minor information disclosure of 7 bytes or a denial of service when the buffer over-read crosses a page boundary.
🎖@cveNotify
🚨 CVE-2026-58014
A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
🎖@cveNotify
A flaw was found in GLib. An off-by-one error can occur in the g_key_file_get_locale_string_list function in the gkeyfile.c file when loading a key file with an empty value. This flaw can cause an out-of-bounds access of 1 byte or a denial of service when the out-of-bounds access crosses a page boundary.
🎖@cveNotify
🚨 CVE-2026-58015
A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
🎖@cveNotify
A flaw was found in GLib. The D-Bus client-side implementation of the DBUS_COOKIE_SHA1 SASL authentication mechanism does not validate the cookie_context parameter received from the server. A malicious D-Bus server can supply a cookie_context containing path traversal sequences, causing the client to read an arbitrary file and exfiltrate sensitive data by verifying guessed file contents against a generated hash.
🎖@cveNotify
🚨 CVE-2026-58016
A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.
🎖@cveNotify
A flaw was found in GLib. A state confusion issue exists in g_dbus_node_info_new_for_xml() in the gio/gdbusintrospection.c file when processing malformed D-Bus introspection XML, specifically with a <node> element nested within other elements like <method>, <signal>, <property> or <arg>. This issue can cause an unsigned integer overflow and lead to an out-of-bounds read, resulting in a denial of service.
🎖@cveNotify
🚨 CVE-2026-58116
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
🎖@cveNotify
LLaMA-Factory through 0.9.5 contains a remote code execution vulnerability that allows attackers with WebUI access to execute arbitrary Python code by supplying a malicious model path in the Chat or Training interfaces. The application passes user-supplied model path input unvalidated into AutoTokenizer.from_pretrained() and AutoModel.from_pretrained() with a hardcoded trust_remote_code=True parameter, causing the Hugging Face transformers library to fetch and execute arbitrary code from a remote or local model repository with the privileges of the server process.
🎖@cveNotify
Gist
Remote Code Execution (RCE) via Model Path Injection in LLaMA-Factory WebUI <= 0.9.4
Remote Code Execution (RCE) via Model Path Injection in LLaMA-Factory WebUI <= 0.9.4 - llama-factory-rce_v0.9.4.md
🚨 CVE-2025-53648
SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files.
Users are recommended to upgrade to version 1.0.0, which fixes this issue.
🎖@cveNotify
SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files.
Users are recommended to upgrade to version 1.0.0, which fixes this issue.
🎖@cveNotify
🚨 CVE-2026-14178
openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fmt_nls() 会将 nls_fmt_str 保存到 u_sess->parser_cxt.nls_fmt_str。在 seqscan + sort 执行路径下,该字符串原本被分配在 SeqScan 的表达式上下文中;当 SeqScan 完成后,该内存上下文会被 reset,但后续结果输出阶段 timestamp_out() 仍会通过 CheckNlsFormat() 访问 u_sess->parser_cxt.nls_fmt_str,导致访问已释放内存。攻击者在具备数据库 SQL 执行权限的情况下,可构造特定 to_timestamp(..., ..., nlsparam) 查询触发 heap-use-after-free。在 ASan/Memcheck 环境下表现为数据库服务退出;在实际运行环境中可能造成后端进程异常退出,影响数据库服务可用性,形成拒绝服务风险。该问题在openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2版本存在,目前已在openGauss-server-7.0.0-RC3版本修复。由于
openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2均为创新版本,不会发布针对性补丁包,涉及版本升级至
openGauss-server-7.0.0-RC3或更新版本即可。
🎖@cveNotify
openGauss 在处理带 NLS 参数的 to_timestamp 调用时,to_timestamp_with_fmt_nls() 会将 nls_fmt_str 保存到 u_sess->parser_cxt.nls_fmt_str。在 seqscan + sort 执行路径下,该字符串原本被分配在 SeqScan 的表达式上下文中;当 SeqScan 完成后,该内存上下文会被 reset,但后续结果输出阶段 timestamp_out() 仍会通过 CheckNlsFormat() 访问 u_sess->parser_cxt.nls_fmt_str,导致访问已释放内存。攻击者在具备数据库 SQL 执行权限的情况下,可构造特定 to_timestamp(..., ..., nlsparam) 查询触发 heap-use-after-free。在 ASan/Memcheck 环境下表现为数据库服务退出;在实际运行环境中可能造成后端进程异常退出,影响数据库服务可用性,形成拒绝服务风险。该问题在openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2版本存在,目前已在openGauss-server-7.0.0-RC3版本修复。由于
openGauss-server-7.0.0-RC1版本和openGauss-server-7.0.0-RC2均为创新版本,不会发布针对性补丁包,涉及版本升级至
openGauss-server-7.0.0-RC3或更新版本即可。
🎖@cveNotify
Gitcode
AtomGit - 全球开发者的开源社区,开源代码托管平台
AtomGit是面向全球开发者的开源社区,包括原创博客,开源代码托管,代码协作,项目管理等。与开发者社区互动,提升您的研发效率和质量。
🚨 CVE-2026-35095
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
cert.pl
Podatności w oprogramowaniu KTM System e-BOK
W oprogramowaniu KTM System e-BOK wykryto 4 podatności różnego typu (od CVE-2026-35095 do CVE-2026-35098)
🚨 CVE-2026-35096
KTM System e-BOK is vulnerable to Cross‑Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
KTM System e-BOK is vulnerable to Cross‑Site Request Forgery (CSRF) in both the email-change and password-change functionalities. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged POST request to the application. This allows the attacker to trigger an unauthorized email or password change on behalf of the victim without their knowledge or interaction.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
cert.pl
Podatności w oprogramowaniu KTM System e-BOK
W oprogramowaniu KTM System e-BOK wykryto 4 podatności różnego typu (od CVE-2026-35095 do CVE-2026-35098)
🚨 CVE-2026-35097
KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
KTM System e-BOK enforces a maximum password length of six numeric digits and does not permit the use of any alphabetic, special, or extended characters.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
cert.pl
Podatności w oprogramowaniu KTM System e-BOK
W oprogramowaniu KTM System e-BOK wykryto 4 podatności różnego typu (od CVE-2026-35095 do CVE-2026-35098)
🚨 CVE-2026-35098
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time.
This issue was fixed in the patch published in June 2026.
🎖@cveNotify
cert.pl
Podatności w oprogramowaniu KTM System e-BOK
W oprogramowaniu KTM System e-BOK wykryto 4 podatności różnego typu (od CVE-2026-35095 do CVE-2026-35098)
🚨 CVE-2026-27881
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/deployments/{uuid}` in DeployController.php retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authenticated API user can read deployment records from other teams by providing a valid deployment UUID. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
GitHub
Cross-team deployment information disclosure via GET /api/v1/deployments/{uuid} (IDOR)
## Summary
`GET /api/v1/deployments/{uuid}` in `DeployController.php` retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authen...
`GET /api/v1/deployments/{uuid}` in `DeployController.php` retrieves deployment details without validating that the deployment belongs to the authenticated user's team. Any authen...
🚨 CVE-2026-27882
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.
🎖@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.461, the GitLab webhook endpoint uses a non-constant-time string comparison operator (!==) to validate the webhook secret token. This implementation is vulnerable to timing attacks, which could allow an attacker to gradually discover the secret token by measuring response time differences. This vulnerability is fixed in 4.0.0-beta.461.
🎖@cveNotify
GitHub
Timing Attack in GitLab Webhook Token Validation
## Vulnerability Description
The GitLab webhook endpoint uses a non-constant-time string comparison operator (`!==`) to validate the webhook secret token. This implementation is vulnerable to ti...
The GitLab webhook endpoint uses a non-constant-time string comparison operator (`!==`) to validate the webhook secret token. This implementation is vulnerable to ti...
🚨 CVE-2026-27883
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, the `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to any team, bypassing team-based authorization. The $teamId is extracted from the authentication token but never used to scope the database query. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
GitHub
IDOR in Deployment API - Cross-Team Deployment Information Disclosure
## Summary
The `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to **any team**, bypassing team-based authorization. The `$teamId` i...
The `GET /api/v1/deployments/{uuid}` endpoint allows any authenticated user to access deployment details belonging to **any team**, bypassing team-based authorization. The `$teamId` i...
🚨 CVE-2026-27956
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, `GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional uuid query parameter is provided. Any authenticated API user can enumerate domain names (FQDNs) of applications belonging to other teams. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
GitHub
Cross-team application domain enumeration via domains_by_server endpoint
## Summary
`GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional `uuid` query parameter is provided. Any authenticated API user can enumerate domain...
`GET /api/v1/servers/{server_uuid}/domains?uuid={app_uuid}` bypasses team scoping when the optional `uuid` query parameter is provided. Any authenticated API user can enumerate domain...
🚨 CVE-2026-27957
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.464, an authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on the managed server host. As the SSH user typically would have to either be root or part of the docker group for Coolify to function as intended, this provides complete compromise of the managed server and associated docker containers. This vulnerability is fixed in 4.0.0-beta.464.
🎖@cveNotify
GitHub
Authenticated RCE via command injection in CA certificate management feature
### Summary
An authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on th...
An authenticated command injection vulnerability in the CA Certificate management feature allows any authenticated user to execute arbitrary commands as the configured SSH user on th...
🚨 CVE-2026-44947
A missing clean-up in the legacy Project Role Template Binding (PRTB)
reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security
Admission (PSA) permissions after an administrator removes those
permissions from a RoleTemplate.
🎖@cveNotify
A missing clean-up in the legacy Project Role Template Binding (PRTB)
reconciler in Rancher versions 2.13.0 up to 2.13.7 and 2.14.0 up to 2.14.3 allowed users to retain unauthorized Pod Security
Admission (PSA) permissions after an administrator removes those
permissions from a RoleTemplate.
🎖@cveNotify
GitHub
Stale PSA ClusterRoleBinding Persists After RoleTemplate Downgrade in Rancher
### Impact
A vulnerability in the legacy Project Role Template Binding (PRTB) reconciler in Rancher allows users to retain unauthorized Pod Security Admission (PSA) permissions after an administ...
A vulnerability in the legacy Project Role Template Binding (PRTB) reconciler in Rancher allows users to retain unauthorized Pod Security Admission (PSA) permissions after an administ...
🚨 CVE-2026-44949
A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.
🎖@cveNotify
A Rancher FleetWorkspace admission path allowed side effects to occur in
the Rancher webhook handler for versions 0.7.0 up to 0.7.10, 0.8.0 up to 0.8.7, 0.9.0 up to 0.9.6 and 0.10.0 up to 0.10.7. An unauthenticated attacker with network access to
the in-cluster rancher-webhook service
could submit a crafted admission payload and cause workspace-related
Kubernetes objects to be created with attacker-chosen identity data.
🎖@cveNotify
GitHub
Unauthenticated namespace creation and RBAC injection via rancher-webhook FleetWorkspace mutating webhook
### Impact
A Rancher FleetWorkspace admission path allowed side effects to occur in the webhook handler. An unauthenticated attacker with network access to the in-cluster `rancher-webhook` servi...
A Rancher FleetWorkspace admission path allowed side effects to occur in the webhook handler. An unauthenticated attacker with network access to the in-cluster `rancher-webhook` servi...
🚨 CVE-2026-48192
A vulnerability has been identified in Mendix Studio Pro 10.11 (All versions), Mendix Studio Pro 10.12 (All versions), Mendix Studio Pro 10.13 (All versions), Mendix Studio Pro 10.14 (All versions), Mendix Studio Pro 10.15 (All versions), Mendix Studio Pro 10.16 (All versions), Mendix Studio Pro 10.17 (All versions), Mendix Studio Pro 10.18 (All versions), Mendix Studio Pro 10.19 (All versions), Mendix Studio Pro 10.20 (All versions), Mendix Studio Pro 10.21 (All versions), Mendix Studio Pro 10.22 (All versions), Mendix Studio Pro 10.23 (All versions), Mendix Studio Pro 10.24 (All versions < V10.24.21), Mendix Studio Pro 11.0 (All versions), Mendix Studio Pro 11.1 (All versions), Mendix Studio Pro 11.10 (All versions), Mendix Studio Pro 11.11 (All versions), Mendix Studio Pro 11.2 (All versions), Mendix Studio Pro 11.3 (All versions), Mendix Studio Pro 11.4 (All versions), Mendix Studio Pro 11.5 (All versions), Mendix Studio Pro 11.6 (All versions < V11.6.7), Mendix Studio Pro 11.7 (All versions), Mendix Studio Pro 11.8 (All versions), Mendix Studio Pro 11.9 (All versions). Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline.
This could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.
🎖@cveNotify
A vulnerability has been identified in Mendix Studio Pro 10.11 (All versions), Mendix Studio Pro 10.12 (All versions), Mendix Studio Pro 10.13 (All versions), Mendix Studio Pro 10.14 (All versions), Mendix Studio Pro 10.15 (All versions), Mendix Studio Pro 10.16 (All versions), Mendix Studio Pro 10.17 (All versions), Mendix Studio Pro 10.18 (All versions), Mendix Studio Pro 10.19 (All versions), Mendix Studio Pro 10.20 (All versions), Mendix Studio Pro 10.21 (All versions), Mendix Studio Pro 10.22 (All versions), Mendix Studio Pro 10.23 (All versions), Mendix Studio Pro 10.24 (All versions < V10.24.21), Mendix Studio Pro 11.0 (All versions), Mendix Studio Pro 11.1 (All versions), Mendix Studio Pro 11.10 (All versions), Mendix Studio Pro 11.11 (All versions), Mendix Studio Pro 11.2 (All versions), Mendix Studio Pro 11.3 (All versions), Mendix Studio Pro 11.4 (All versions), Mendix Studio Pro 11.5 (All versions), Mendix Studio Pro 11.6 (All versions < V11.6.7), Mendix Studio Pro 11.7 (All versions), Mendix Studio Pro 11.8 (All versions), Mendix Studio Pro 11.9 (All versions). Affected versions of Mendix Studio Pro do not properly validate or sanitize project files processed during the build pipeline.
This could allow an attacker who tricks a user into opening and running a specially crafted malicious project locally on their system to execute arbitrary code in the context of that user.
🎖@cveNotify