๐จ CVE-2015-1347
Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in client.inc.php in osTicket before 1.9.5.1 allows remote attackers to inject arbitrary web script or HTML via the lang parameter.
๐@cveNotify
GitHub
xss: Fix possible vuln setting client lang pref ยท osTicket/osTicket@b38b3ca
The osTicket open source ticketing system official project repository, for versions 1.8 and later - xss: Fix possible vuln setting client lang pref ยท osTicket/osTicket@b38b3ca
๐จ CVE-2018-7192
Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "message" parameter.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "message" parameter.
๐@cveNotify
๐จ CVE-2018-7193
Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "order" parameter.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "order" parameter.
๐@cveNotify
๐จ CVE-2018-7194
Integer format vulnerability in the ticket number generator in Enhancesoft osTicket before 1.10.2 allows remote attackers to cause a denial-of-service (preventing the creation of new tickets) via a large number of digits in the ticket number format setting.
๐@cveNotify
Integer format vulnerability in the ticket number generator in Enhancesoft osTicket before 1.10.2 allows remote attackers to cause a denial-of-service (preventing the creation of new tickets) via a large number of digits in the ticket number format setting.
๐@cveNotify
๐จ CVE-2018-7195
Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-mail address is known) by leveraging guest access and guessing a 6-digit number.
๐@cveNotify
Enhancesoft osTicket before 1.10.2 allows remote attackers to reset arbitrary passwords (when an associated e-mail address is known) by leveraging guest access and guessing a 6-digit number.
๐@cveNotify
๐จ CVE-2018-7196
Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter.
๐@cveNotify
Cross-site scripting (XSS) vulnerability in /scp/index.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "sort" parameter.
๐@cveNotify
๐จ CVE-2019-11537
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
๐@cveNotify
In osTicket before 1.12, XSS exists via /upload/file.php, /upload/scp/users.php?do=import-users, and /upload/scp/ajax.php/users/import if an agent manager user uploads a crafted .csv file to the User Importer, because file contents can appear in an error message. The XSS can lead to local file inclusion.
๐@cveNotify
GitHub
xss: XSS To LFI Vulnerability by JediKev ยท Pull Request #4869 ยท osTicket/osTicket
This addresses a vulnerability found by AkkuS where a simple XSS attempt can lead to an LFI (Local File Inclusion) attack. The issue stems from the system returning the unformatted file contents in...
๐จ CVE-2019-14748
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
๐@cveNotify
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. The Ticket creation form allows users to upload files along with queries. It was found that the file-upload functionality has fewer (or no) mitigations implemented for file content checks; also, the output is not handled properly, causing persistent XSS that leads to cookie stealing or malicious actions. For example, a non-agent user can upload a .html file, and Content-Disposition will be set to inline instead of attachment.
๐@cveNotify
packetstorm.news
Packet Storm Security
Packet Storm Security provides security news, exploits, advisories, and tools for information security professionals.
๐จ CVE-2019-14749
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.
๐@cveNotify
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. CSV (aka Formula) injection exists in the export spreadsheets functionality. These spreadsheets are generated dynamically from unvalidated or unfiltered user input in the Name and Internal Notes fields in the Users tab, and the Issue Summary field in the tickets tab. This allows other agents to download data in a .csv file format or .xls file format. This is used as input for spreadsheet applications such as Excel and OpenOffice Calc, resulting in a situation where cells in the spreadsheets can contain input from an untrusted source. As a result, the end user who is accessing the exported spreadsheet can be affected.
๐@cveNotify
packetstorm.news
Packet Storm Security
Packet Storm Security provides security news, exploits, advisories, and tools for information security professionals.
๐จ CVE-2019-14750
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
๐@cveNotify
An issue was discovered in osTicket before 1.10.7 and 1.12.x before 1.12.1. Stored XSS exists in setup/install.php. It was observed that no input sanitization was provided in the firstname and lastname fields of the application. The insertion of malicious queries in those fields leads to the execution of those queries. This can further lead to cookie stealing or other malicious actions.
๐@cveNotify
packetstorm.news
Packet Storm Security
Packet Storm Security provides security news, exploits, advisories, and tools for information security professionals.
๐จ CVE-2020-16193
osTicket before 1.14.3 allows XSS because include/staff/banrule.inc.php has an unvalidated echo $info['notes'] call.
๐@cveNotify
osTicket before 1.14.3 allows XSS because include/staff/banrule.inc.php has an unvalidated echo $info['notes'] call.
๐@cveNotify
GitHub
osTicket/include/staff/banrule.inc.php at develop ยท osTicket/osTicket
The osTicket open source ticketing system official project repository, for versions 1.8 and later - osTicket/osTicket
๐จ CVE-2020-24881
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.
๐@cveNotify
SSRF exists in osTicket before 1.14.3, where an attacker can add malicious file to server or perform port scanning.
๐@cveNotify
packetstorm.news
Packet Storm Security
Packet Storm Security provides security news, exploits, advisories, and tools for information security professionals.
๐จ CVE-2022-32074
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
๐@cveNotify
A stored cross-site scripting (XSS) vulnerability in the component audit/class.audit.php of osTicket-plugins - Storage-FS before commit a7842d494889fd5533d13deb3c6a7789768795ae allows attackers to execute arbitrary web scripts or HTML via a crafted SVG file.
๐@cveNotify
GitHub
GitHub - osTicket/osTicket-plugins: Core plugins for osTicket (v1.8+)
Core plugins for osTicket (v1.8+). Contribute to osTicket/osTicket-plugins development by creating an account on GitHub.
๐จ CVE-2025-26241
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
๐@cveNotify
A SQL injection vulnerability in the "Search" functionality of "tickets.php" page in osTicket <=1.17.5 allows authenticated attackers to execute arbitrary SQL commands via the "keywords" and "topic_id" URL parameters combination.
๐@cveNotify
๐จ CVE-2026-0270
A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write arbitrary files to the host.
๐@cveNotify
A path traversal vulnerability in Palo Alto Networks Cortex XSOAR engine software running on Linux allows an unauthenticated attacker on an adjacent network, with the ability to intercept and manipulate network response traffic via a man-in-the-middle (MITM) attack, to write arbitrary files to the host.
๐@cveNotify
๐จ CVE-2026-0271
A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges.
This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.
๐@cveNotify
A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges.
This does not impact Prisma Access Agent on Windows, macOS, iOS, Android, or ChromeOS.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0271 Prisma Access Agent: Local Privilege Escalation by Authorized Users
A privilege escalation (PE) vulnerability in the Palo Alto Networks Prisma Access Agent app on Linux devices enables a local user to execute code with elevated privileges.
This does not impact Prisma...
This does not impact Prisma...
๐จ CVE-2026-0272
A privilege escalation vulnerability in Palo Alto Networks PAN-OSยฎ software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
A privilege escalation vulnerability in Palo Alto Networks PAN-OSยฎ software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with root privileges.
The security risk posed by this issue is significantly minimized when CLI access is restricted to a limited group of administrators and by restricting access to the management interface to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW, and Prismaยฎ Access are not impacted by this vulnerability.
๐@cveNotify
Palo Alto Networks Product Security Assurance
CVE-2026-0272 PAN-OS: Privilege Escalation (PE) Vulnerability in the Command Line Interface (CLI)
A privilege escalation vulnerability in Palo Alto Networks PAN-OSยฎ software allows an authenticated administrator with access to the Command Line Interface (CLI) to perform actions on the device with ...
๐จ CVE-2026-48939
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
๐@cveNotify
A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
๐@cveNotify
Icagenda
iCagenda - Events Management for Joomla!
iCagenda is a multi-lingual extension designed to create, manage and share events on a Joomla!โข based website.
๐จ CVE-2026-57851
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
๐@cveNotify
MSI Feature Manager contains a local privilege escalation vulnerability in the KernCoreLib64.sys kernel driver that allows any locally logged-on user to perform arbitrary physical memory read/write and unrestricted I/O port operations by accessing exposed IOCTL handlers without administrator privileges. Attackers can exploit the accessible device object through IOCTL handlers to manipulate kernel objects, tamper with kernel-mode callbacks, bypass Protected Process Light protections, and disable security software.
๐@cveNotify
GitHub
GitHub - readmsr/MSI_FeatureManager_CVE: CVE-2026-57851
CVE-2026-57851. Contribute to readmsr/MSI_FeatureManager_CVE development by creating an account on GitHub.
๐จ CVE-2026-59800
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
๐@cveNotify
9Router before 0.4.44 contains an OS command injection vulnerability in the unauthenticated POST /api/tunnel/tailscale-install endpoint (this route is not covered by the dashboard middleware matcher, so no authorization check is applied). The sudoPassword field from the request body is written to the stdin of a 'sudo -S sh' child process. When sudo does not prompt for a password (the process runs as root, NOPASSWD is configured, or a recent sudo timestamp cache exists), the sudoPassword value is interpreted by sh as a shell command, allowing a remote unauthenticated attacker to execute arbitrary OS commands. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-07-04 (UTC).
๐@cveNotify
GitHub
Missing Authorization and OS Command Injection in 9router
# Unauthenticated RCE via `/api/tunnel/tailscale-install`
**Affected:** `9router` (npm package) โ current master (`v0.4.39`).
### Summary
`POST /api/tunnel/tailscale-install` accepts a JSO...
**Affected:** `9router` (npm package) โ current master (`v0.4.39`).
### Summary
`POST /api/tunnel/tailscale-install` accepts a JSO...
๐จ CVE-2026-53935
Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.
๐@cveNotify
Cilium is a networking, observability, and security solution. Prior to 1.17.16, from 1.18.2 to 1.18.9, and from 1.19.0 to 1.19.3, users with the ability to create CiliumLocalRedirectPolicies can specify arbitrary ClusterIPs via addressMatcher, enabling hijacking traffic to Services in any namespace and bypassing namespace scoping enforced by serviceMatcher; deleting such a policy can also corrupt Cilium internal service state and stop service translation for the affected Service. This issue is fixed in versions 1.17.16, 1.18.10, and 1.19.4.
๐@cveNotify
GitHub
docs: add 1.17.16 upgrade note for addressMatcher override fix ยท cilium/cilium@81d4463
Document the behavioral change: a CiliumLocalRedirectPolicy with
addressMatcher will no longer override an existing Service at the same
frontend address.
Signed-off-by: Yusuke Suzuki <yusuk...
addressMatcher will no longer override an existing Service at the same
frontend address.
Signed-off-by: Yusuke Suzuki <yusuk...