π¨ CVE-2026-60094
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
π@cveNotify
Vinchin Backup & Recovery through 9.0.0.86562 contains a heap buffer overflow vulnerability that allows unauthenticated remote attackers to cause process crash or memory corruption by sending a malformed TCP packet with an unchecked body_len field to the agentlink_server service. Attackers can craft a malicious packet that passes an attacker-controlled length directly to recv(), triggering a heap overflow of up to approximately 4 GiB and resulting in process crash or potential memory corruption.
π@cveNotify
Code-White
CODE WHITE | Public Vulnerability List
Public list of vulnerabilities, found by CODE WHITE
π¨ CVE-2026-60095
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
π@cveNotify
Vinchin Backup & Recovery through 9.0.0.86562 contains a stack buffer overflow vulnerability in the ModuleHandShake function of the agentlink_server service that allows unauthenticated remote attackers to overwrite the saved return address by supplying an oversized _listen_uuid field that is measured via strlen() and copied without bounds checking into a fixed-length stack buffer using strcpy(). Attackers can send a crafted request with a malicious _listen_uuid value to corrupt the stack and achieve process crash or potential control flow hijack without requiring authentication.
π@cveNotify
Code-White
CODE WHITE | Public Vulnerability List
Public list of vulnerabilities, found by CODE WHITE
π¨ CVE-2026-56812
Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.
This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff.
The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError.
The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution).
This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
π@cveNotify
Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaScript client) allows an attacker with ordinary channel access to cause a persistent client-side denial of service against every viewer of a presence channel topic.
This vulnerability is associated with program files assets/js/phoenix/presence.js and program routines Presence.syncState and Presence.syncDiff.
The Phoenix JavaScript presence client checks whether a presence already exists with a bare truthiness test (state[key]) instead of an own-property check. Presence keys can be attacker-controlled, because applications track presences under a username or id supplied by the client. A user who joins a channel choosing a key that is an Object.prototype member name (__proto__, constructor, toString, hasOwnProperty, and similar) makes that lookup return JavaScript's built-in Object.prototype instead of undefined. Because the prototype is truthy, the code treats it as an existing presence and reads .metas.map(...) off it, which throws an uncaught TypeError.
The exception propagates out of the presence message handler, so the local state is never updated and onSync() never fires. Because the malicious key is tracked on the server, it is re-pushed on every presence update and keeps re-throwing, so presence sync stays broken for every viewer of that channel topic until the attacker leaves. Both syncState and syncDiff use the same unsafe existence-check pattern. The impact is limited to the affected topic and is a read-time confusion of the prototype object, not a mutation of Object.prototype (it is not prototype pollution).
This issue affects phoenix: from 1.2.0-rc.0 before 1.5.15, from 1.6.0-rc.0 before 1.6.17, from 1.7.0-rc.0 before 1.7.24, and from 1.8.0-rc.0 before 1.8.9.
π@cveNotify
Erlang Ecosystem Foundation CNA
Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff
This project handles the CVE Numbering Authority (CNA) for the Erlang Ecosystem Foundation (EEF).
π¨ CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
π@cveNotify
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
π@cveNotify
ArcGIS Blog
June 2026 ArcGIS Security Bulletin
ArcGIS Enterprise Account Recovery Targeted - Customer Action Required
π¨ CVE-2026-13020
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a userβs account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a userβs password remains unchanged.
π@cveNotify
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a userβs account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a userβs password remains unchanged.
π@cveNotify
ArcGIS Blog
June 2026 ArcGIS Security Bulletin
ArcGIS Enterprise Account Recovery Targeted - Customer Action Required
π¨ CVE-2026-48947
An improper access check allows privileged users to overwrite media files without editing permissions.
π@cveNotify
An improper access check allows privileged users to overwrite media files without editing permissions.
π@cveNotify
Joomla! Developer Networkβ’
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
π¨ CVE-2026-48954
Improper validation leads to a generic XSS vector in the language override feature.
π@cveNotify
Improper validation leads to a generic XSS vector in the language override feature.
π@cveNotify
Joomla! Developer Networkβ’
Joomla! Developer Network
The Flexible Platform Empowering Website Creators
π¨ CVE-2026-57239
The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM.
π@cveNotify
The user-controllable executable files will be directly executed by high-privilege processes, allowing low-privilege users to have the opportunity to elevate their privileges to NT AUTHORITY\SYSTEM.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-57241
The application opens the PDF, and JavaScript performs operations on the page and the document, causing the page-related objects within the application to lose synchronization; however, the renderer still trusts the outdated page count, and eventually the application crashes due to out-of-bounds access.
π@cveNotify
The application opens the PDF, and JavaScript performs operations on the page and the document, causing the page-related objects within the application to lose synchronization; however, the renderer still trusts the outdated page count, and eventually the application crashes due to out-of-bounds access.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-57243
During the process of page opening and form formatting, a JavaScript reentrancy results in an inconsistent document status. Subsequently, with outdated page information, the application attempts to access invalid addresses, causing the application to crash.
π@cveNotify
During the process of page opening and form formatting, a JavaScript reentrancy results in an inconsistent document status. Subsequently, with outdated page information, the application attempts to access invalid addresses, causing the application to crash.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-57257
During the PRC parsing stage, there is a lack of boundary verification for the PRC entity index, which leads to an out-of-bounds read of the entity array. As a result, the application crashes.
π@cveNotify
During the PRC parsing stage, there is a lack of boundary verification for the PRC entity index, which leads to an out-of-bounds read of the entity array. As a result, the application crashes.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-57258
The PRC file header parsing logic trusts the constructed file structure description information, assumes that the underlying array contains elements and reads them, leading to out-of-bounds reads and application crashes.
π@cveNotify
The PRC file header parsing logic trusts the constructed file structure description information, assumes that the underlying array contains elements and reads them, leading to out-of-bounds reads and application crashes.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-57259
The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local paths, thereby allowing access to any local files within the user's permission range.
π@cveNotify
The input file does not need to be strictly in a structurally valid PDF format. Instead, after reviewing the content, the original document disguised as a PDF will be sent to the parser. Malicious documents will construct malicious external entities that, through the protocol, point to local paths, thereby allowing access to any local files within the user's permission range.
π@cveNotify
Foxit
Security Bulletins | Foxit
A prompt response to software defects and security vulnerabilities has been, and will continue to be, a top priority for everyone here at Foxit Software.
π¨ CVE-2026-56374
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure.
π@cveNotify
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure.
π@cveNotify
GitHub
Heap-buffer-overflow in FTXT encoder
The FTXT encoder lacks a boundary check when parsing `ftxt:format`, resulting in an out of bounds read.
```
==3040863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000085b2 at...
```
==3040863==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x5020000085b2 at...
π¨ CVE-2023-2373
A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This vulnerability affects unknown code of the component Web Management Interface. Such manipulation of the argument ecn-up leads to command injection. The attack may be performed from remote. The exploit is publicly available and might be used. The actual existence of this vulnerability is currently in question. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A vulnerability was identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This vulnerability affects unknown code of the component Web Management Interface. Such manipulation of the argument ecn-up leads to command injection. The attack may be performed from remote. The exploit is publicly available and might be used. The actual existence of this vulnerability is currently in question. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2023-2374
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This issue affects some unknown processing of the component Web Management Interface. Performing a manipulation of the argument ecn-down results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The existence of this vulnerability is still disputed at present. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A security flaw has been discovered in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This issue affects some unknown processing of the component Web Management Interface. Performing a manipulation of the argument ecn-down results in command injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The existence of this vulnerability is still disputed at present. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2023-2375
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Impacted is an unknown function of the component Web Management Interface. Executing a manipulation of the argument src can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A weakness has been identified in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. Impacted is an unknown function of the component Web Management Interface. Executing a manipulation of the argument src can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The presence of this vulnerability remains uncertain at this time. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2023-2376
A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The affected element is an unknown function of the component Web Management Interface. The manipulation of the argument dpi leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. There are still doubts about whether this vulnerability truly exists. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A security vulnerability has been detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The affected element is an unknown function of the component Web Management Interface. The manipulation of the argument dpi leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. There are still doubts about whether this vulnerability truly exists. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2023-2377
A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The impacted element is an unknown function of the component Web Management Interface. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit is now public and may be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A vulnerability was detected in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. The impacted element is an unknown function of the component Web Management Interface. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit is now public and may be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2023-2378
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown function of the component Web Management Interface. This manipulation of the argument suffix-rate-up causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
A flaw has been found in Ubiquiti EdgeRouter X up to 2.0.9-hotfix.6. This affects an unknown function of the component Web Management Interface. This manipulation of the argument suffix-rate-up causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor position is that post-authentication issues are not accepted as vulnerabilities.
π@cveNotify
π¨ CVE-2025-44203
In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.
π@cveNotify
In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.
π@cveNotify
GitHub
GitHub - IvanT7D3/CVE-2025-44203: CVE-2025-44203 - HotelDruid 3.0.0/3.0.7 - Sensitive Information Disclosure, DoS
CVE-2025-44203 - HotelDruid 3.0.0/3.0.7 - Sensitive Information Disclosure, DoS - IvanT7D3/CVE-2025-44203