π¨ CVE-2026-58378
Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.
π@cveNotify
Allwinner H616 TV Box TV98 has ADB enabled and exposed to the network on production. An attacker could request for ADB authorization and gain root level privileges if the victim allows access.
π@cveNotify
π¨ CVE-2026-59221
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
π@cveNotify
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. From 0.9.6 before 0.10.0, _sanitize_proxy_path in backend/open_webui/routers/terminals.py decoded proxy paths only eight times, allowing a nine-times percent-encoded ../ traversal value to pass normalization checks and be decoded by the upstream terminal server. This issue is fixed in version 0.10.0.
π@cveNotify
GitHub
Fail closed when the proxy/redirect path decode cap is exceeded (#26050) Β· open-webui/open-webui@05098d2
The decode-until-stable loops in _sanitize_proxy_path (terminals.py, cap 8) and
_safe_static_redirect_path (models.py, cap 2) proceed with whatever remains after the
cap instead of rejecting it. A ...
_safe_static_redirect_path (models.py, cap 2) proceed with whatever remains after the
cap instead of rejecting it. A ...
π¨ CVE-2026-59720
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.
π@cveNotify
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without authentication and potentially expose sensitive API data. This issue is fixed in version 2026.6.0.
π@cveNotify
GitHub
fix(mock-server): persist isPublic on creation, default to private (#β¦ Β· hoppscotch/hoppscotch@e433211
β¦6410)
* fix(mock-server): persist isPublic on creation, default to private
* test: update unit test coverage
* fix(mock-server): persist isPublic on creation, default to private
* test: update unit test coverage
π¨ CVE-2026-59721
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.
π@cveNotify
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, the updateInfraConfigs GraphQL mutation in admin/infra.resolver.ts accepts an attacker-controlled MAILER_SMTP_URL value, and validateSMTPUrl in utils.ts permits path, query, or fragment content that nodemailer parses into sendmail transport options, allowing an admin to execute arbitrary commands as root in the backend container after restart and mail sending. This issue is fixed in version 2026.6.0.
π@cveNotify
GitHub
fix(backend): reject path/query/fragment in SMTP URL validation (GHSA⦠· hoppscotch/hoppscotch@73a88c8
β¦-v7q6-r45w-2c6r) (#6413)
* fix(backend): reject path/query/fragment in SMTP URL validation
* refactor: fix ai feedbacks
* fix(backend): harden SMTP URL validation against parser differentials
* fix(backend): reject path/query/fragment in SMTP URL validation
* refactor: fix ai feedbacks
* fix(backend): harden SMTP URL validation against parser differentials
π¨ CVE-2026-59726
Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obtain a shell in the bridge container, read provider API keys, and poison AgentDB learning-store patterns. This issue is fixed in version 3.16.3.
π@cveNotify
Ruflo is an agent meta-harness for Claude Code and Codex. Prior to 3.16.3, ruflo's default docker-compose deployment exposed the MCP bridge POST /mcp and POST /mcp/:group endpoints without authentication, allowing an unauthenticated network attacker to invoke tools/call to terminal_execute, obtain a shell in the bridge container, read provider API keys, and poison AgentDB learning-store patterns. This issue is fixed in version 3.16.3.
π@cveNotify
GitHub
security(mcp-bridge): ADR-166 unauthenticated RCE β Phase 1-3 remediaβ¦ Β· ruvnet/ruflo@d00a0a4
β¦tion + CI lock (#2521)
* docs(adr): ADR-166 β MCP bridge unauthenticated RCE remediation (coordinated disclosure)
Document and propose remediation for a coordinated-disclosure report: the
ruvoca...
* docs(adr): ADR-166 β MCP bridge unauthenticated RCE remediation (coordinated disclosure)
Document and propose remediation for a coordinated-disclosure report: the
ruvoca...
π¨ CVE-2026-59734
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.
π@cveNotify
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.469, Coolify's app/Jobs/ApplicationDeploymentJob.php generate_healthcheck_commands() function directly interpolated the health_check_host, health_check_method, and health_check_path parameters into shell commands without proper sanitization, allowing authenticated users to execute arbitrary commands inside deployment containers. This issue is fixed in version 4.0.0-beta.469.
π@cveNotify
GitHub
Squashed commit from '4fhp-investigate-os-command-injection' Β· coollabsio/coolify@0ffcee7
An open-source, self-hostable PaaS alternative to Vercel, Heroku & Netlify that lets you easily deploy static sites, databases, full-stack applications and 280+ one-click services on your own servers. - Squashed commit from '4fhp-investigate-os-command-injection'β¦
π¨ CVE-2026-59817
Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing money from a site or its members. This issue is fixed in version 6.44.0.
π@cveNotify
Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing money from a site or its members. This issue is fixed in version 6.44.0.
π@cveNotify
GitHub
Updated donation checkout metadata handling (#28352) Β· TryGhost/Ghost@cab716c
no ref
Tightens how donation checkout metadata is assembled so Ghost-owned
metadata stays authoritative and webhook routing keys off trusted
values.
- normalizes caller-supplied checkout metadata...
Tightens how donation checkout metadata is assembled so Ghost-owned
metadata stays authoritative and webhook routing keys off trusted
values.
- normalizes caller-supplied checkout metadata...
π¨ CVE-2026-59826
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
π@cveNotify
Metabase is an open-source business intelligence and embedded analytics tool. From 1.55.0 until 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2, Metabase did not validate unsafe H2 connection properties on one database-creation code path, allowing an authenticated administrator to register a crafted H2 database connection and execute arbitrary Java code on the Metabase server. This issue is fixed in versions 1.58.15.1, 1.59.12, 1.60.6.3, and 1.61.2.
π@cveNotify
GitHub
introduce validate-db-details multimethod (#74343) Β· metabase/metabase@74032e5
* feat: introduce validate-db-details multimethod
* include mysql
* add to changelog
* include mysql
* add to changelog
π¨ CVE-2026-59827
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.
π@cveNotify
Metabase is an open-source business intelligence and embedded analytics tool. Prior to 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4, Metabase instances with an H2 database connection, including the default sample database, deserialize arbitrary Java objects returned in H2 native query result columns of type OTHER without validation, allowing an authenticated user who can run native H2 queries to execute code on the Metabase server. This issue is fixed in versions 1.58.15, 1.59.12, 1.60.6.3, and 1.61.1.4.
π@cveNotify
GitHub
better error message for java object error (#74315) Β· metabase/metabase@00f4251
The easy-to-use open source Business Intelligence and Embedded Analytics tool that lets everyone work with data :bar_chart: - better error message for java object error (#74315) Β· metabase/metabase@00f4251
π¨ CVE-2026-61343
LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
π@cveNotify
LibreBooking's email template editor save action passes the submitted template name directly into the destination file path, allowing a remote attacker with administrator credentials to write an arbitrary file outside the template directory and execute code. Fixed in 5.1.0.
π@cveNotify
GitHub
fix(harden-email-templates): reject path traversal in template name Β· LibreBooking/librebooking@cb9b7ad
The email template editor's save action passed the submitted template
name straight into the destination file path, while the load actions
already rejected names that do not end in .tpl or ...
name straight into the destination file path, while the load actions
already rejected names that do not end in .tpl or ...
π¨ CVE-2026-61344
The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication.
π@cveNotify
The Superior Court of California Hearing Reminder Service at https://www.hrs.courts.ca.gov exposes an API endpoint that returns court reminder records containing potentially sensitive information without authentication.
π@cveNotify
π¨ CVE-2011-4042
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code by using a crafted HTML document to obtain control of a function pointer.
π@cveNotify
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code by using a crafted HTML document to obtain control of a function pointer.
π@cveNotify
PcVue
HMI SCADA
PcVue HMI Scada is secure, stable and scalable software simplifying digital transformation for industries to improve productivity and sustainability.
π¨ CVE-2011-4043
Integer overflow in an unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code via a large value for an integer parameter, leading to a buffer overflow.
π@cveNotify
Integer overflow in an unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to execute arbitrary code via a large value for an integer parameter, leading to a buffer overflow.
π@cveNotify
PcVue
HMI SCADA
PcVue HMI Scada is secure, stable and scalable software simplifying digital transformation for industries to improve productivity and sustainability.
π¨ CVE-2011-4044
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to modify files via calls to unknown methods.
π@cveNotify
An unspecified ActiveX control in SVUIGrd.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to modify files via calls to unknown methods.
π@cveNotify
PcVue
HMI SCADA
PcVue HMI Scada is secure, stable and scalable software simplifying digital transformation for industries to improve productivity and sustainability.
π¨ CVE-2011-4045
Buffer overflow in an unspecified ActiveX control in aipgctl.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to cause a denial of service via a crafted HTML document.
π@cveNotify
Buffer overflow in an unspecified ActiveX control in aipgctl.ocx in ARC Informatique PcVue 6.0 through 10.0, FrontVue, and PlantVue allows remote attackers to cause a denial of service via a crafted HTML document.
π@cveNotify
PcVue
HMI SCADA
PcVue HMI Scada is secure, stable and scalable software simplifying digital transformation for industries to improve productivity and sustainability.
π¨ CVE-2020-26867
ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server.
π@cveNotify
ARC Informatique PcVue prior to version 12.0.17 is vulnerable due to the deserialization of untrusted data, which may allow an attacker to remotely execute arbitrary code on the web and mobile back-end server.
π@cveNotify
π¨ CVE-2020-26868
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an unauthorized user to modify information used to validate messages sent by legitimate web clients. This issue also affects third-party systems based on the Web Services Toolkit.
π@cveNotify
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to a denial-of-service attack due to the ability of an unauthorized user to modify information used to validate messages sent by legitimate web clients. This issue also affects third-party systems based on the Web Services Toolkit.
π@cveNotify
π¨ CVE-2020-26869
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized users to access session data of legitimate users. This issue also affects third-party systems based on the Web Services Toolkit.
π@cveNotify
ARC Informatique PcVue prior to version 12.0.17 is vulnerable to information exposure, allowing unauthorized users to access session data of legitimate users. This issue also affects third-party systems based on the Web Services Toolkit.
π@cveNotify
π¨ CVE-2022-2569
The affected device stores sensitive information in cleartext, which may allow an authenticated user to access session data stored in the OAuth database belonging to legitimate users
π@cveNotify
The affected device stores sensitive information in cleartext, which may allow an authenticated user to access session data stored in the OAuth database belonging to legitimate users
π@cveNotify
π¨ CVE-2022-4311
An insertion of sensitive information into log file vulnerability exists in PcVue versions 15 through 15.2.2. This
could allow a user with access to the log files to discover connection strings of data sources configured for the
DbConnect, which could include credentials. Successful exploitation of this vulnerability could allow other users
unauthorized access to the underlying data sources.
π@cveNotify
An insertion of sensitive information into log file vulnerability exists in PcVue versions 15 through 15.2.2. This
could allow a user with access to the log files to discover connection strings of data sources configured for the
DbConnect, which could include credentials. Successful exploitation of this vulnerability could allow other users
unauthorized access to the underlying data sources.
π@cveNotify
π¨ CVE-2022-4312
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could
allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files
to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code.
Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email
account and SIM card.
π@cveNotify
A cleartext storage of sensitive information vulnerability exists in PcVue versions 8.10 through 15.2.3. This could
allow an unauthorized user with access the email and short messaging service (SMS) accounts configuration files
to discover the associated simple mail transfer protocol (SMTP) account credentials and the SIM card PIN code.
Successful exploitation of this vulnerability could allow an unauthorized user access to the underlying email
account and SIM card.
π@cveNotify