ReportizFlow
Filtered by vendor
Subscriptions
Total
593 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-32029 | 1 Openclaw | 1 Openclaw | 2026-03-25 | 5.3 Medium |
| OpenClaw versions prior to 2026.2.21 improperly parse the left-most X-Forwarded-For header value when requests originate from configured trusted proxies, allowing attackers to spoof client IP addresses. In proxy chains that append or preserve header values, attackers can inject malicious header content to influence security decisions including authentication rate-limiting and IP-based access controls. | ||||
| CVE-2026-4115 | 1 Putty | 1 Putty | 2026-03-25 | 3.7 Low |
| A vulnerability was detected in PuTTY 0.83. Affected is the function eddsa_verify of the file crypto/ecc-ssh.c of the component Ed25519 Signature Handler. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit is now public and may be used. The real existence of this vulnerability is still doubted at the moment. The patch is identified as af996b5ec27ab79bae3882071b9d6acf16044549. It is advisable to implement a patch to correct this issue. The vendor was contacted early, responded in a very professional manner and quickly released a patch for the affected product. However, at the moment there is no proof that this flaw might have any real-world impact. | ||||
| CVE-2026-33143 | 2 Hackerbay, Oneuptime | 2 Oneuptime, Oneuptime | 2026-03-25 | 7.5 High |
| OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34. | ||||
| CVE-2026-33221 | 1 Nhost | 1 Nhost | 2026-03-25 | N/A |
| Nhost is an open source Firebase alternative with GraphQL. Prior to version 0.12.0, the storage service's file upload handler trusts the client-provided Content-Type header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets. This issue has been patched in version 0.12.0. | ||||
| CVE-2026-28500 | 2 Linuxfoundation, Onnx | 2 Onnx, Onnx | 2026-03-24 | 8.6 High |
| Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load() due to improper logic in the repository trust verification mechanism. While the function is designed to warn users when loading models from non-official sources, the use of the silent=True parameter completely suppresses all security warnings and confirmation prompts. This vulnerability transforms a standard model-loading function into a vector for Zero-Interaction Supply-Chain Attacks. When chained with file-system vulnerabilities, an attacker can silently exfiltrate sensitive files (SSH keys, cloud credentials) from the victim's machine the moment the model is loaded. As of time of publication, no known patched versions are available. | ||||
| CVE-2026-32231 | 2 Qhkm, Zeptoclaw | 2 Zeptoclaw, Zeptoclaw | 2026-03-23 | 8.2 High |
| ZeptoClaw is a personal AI assistant. Prior to 0.7.6, the generic webhook channel trusts caller-supplied identity fields (sender, chat_id) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (auth_token: None), an attacker who can reach POST /webhook can spoof an allowlisted sender and choose arbitrary chat_id values, enabling high-risk message spoofing and potential IDOR-style session/chat routing abuse. This vulnerability is fixed in 0.7.6. | ||||
| CVE-2024-3049 | 2 Clusterlabs, Redhat | 12 Booth, Enterprise Linux, Enterprise Linux Eus and 9 more | 2026-03-18 | 5.9 Medium |
| A flaw was found in Booth, a cluster ticket manager. If a specially-crafted hash is passed to gcry_md_get_algo_dlen(), it may allow an invalid HMAC to be accepted by the Booth server. | ||||
| CVE-2022-37008 | 1 Huawei | 3 Emui, Harmonyos, Magic Ui | 2026-03-06 | 7.5 High |
| The recovery module has a vulnerability of bypassing the verification of an update package before use. Successful exploitation of this vulnerability may affect system stability. | ||||
| CVE-2025-15598 | 2 Dataease, Fit2cloud | 2 Sqlbot, Sqlbot | 2026-03-06 | 3.7 Low |
| A vulnerability was found in Dataease SQLBot up to 1.5.1. This impacts the function validateEmbedded of the file backend/apps/system/middleware/auth.py of the component JWT Token Handler. Performing a manipulation results in improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made public and could be used. A comment in the source code warns users about using this feature. The vendor was contacted early about this disclosure. | ||||
| CVE-2025-63910 | 1 Cohesity | 2 Tranzman, Tranzman Migration Appliance | 2026-03-05 | 7.2 High |
| An authenticated arbitrary file upload vulnerability in Cohesity TranZman Migration Appliance Release 4.0 Build 14614 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted patch file. | ||||
| CVE-2025-29842 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2026-02-26 | 7.5 High |
| Acceptance of extraneous untrusted data with trusted data in UrlMon allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2025-12245 | 1 Chatwoot | 1 Chatwoot | 2026-02-26 | 5.3 Medium |
| A vulnerability was identified in chatwoot up to 4.7.0. This vulnerability affects the function initPostMessageCommunication of the file app/javascript/sdk/IFrameHelper.js of the component Widget. The manipulation of the argument baseUrl leads to origin validation error. Remote exploitation of the attack is possible. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2023-46446 | 2 Asyncssh Project, Redhat | 2 Asyncssh, Ceph Storage | 2026-02-25 | 6.8 Medium |
| An issue in AsyncSSH before 2.14.1 allows attackers to control the remote end of an SSH client session via packet injection/removal and shell emulation, aka a "Rogue Session Attack." | ||||
| CVE-2023-46445 | 1 Asyncssh Project | 1 Asyncssh | 2026-02-25 | 5.9 Medium |
| An issue in AsyncSSH before 2.14.1 allows attackers to control the extension info message (RFC 8308) via a man-in-the-middle attack, aka a "Rogue Extension Negotiation." | ||||
| CVE-2025-15154 | 1 Pbootcms | 1 Pbootcms | 2026-02-24 | 5.3 Medium |
| A security vulnerability has been detected in PbootCMS up to 3.2.12. The affected element is the function get_user_ip of the file core/function/handle.php of the component Header Handler. The manipulation of the argument X-Forwarded-For leads to use of less trusted source. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2024-37370 | 2 Mit, Redhat | 8 Kerberos 5, Enterprise Linux, Rhel Aus and 5 more | 2026-02-18 | 7.5 High |
| In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application. | ||||
| CVE-2025-27735 | 1 Microsoft | 19 Windows 10 1507, Windows 10 1607, Windows 10 1809 and 16 more | 2026-02-13 | 6 Medium |
| Insufficient verification of data authenticity in Windows Virtualization-Based Security (VBS) Enclave allows an authorized attacker to bypass a security feature locally. | ||||
| CVE-2024-55929 | 1 Xerox | 1 Workplace Suite | 2026-01-31 | 5.3 Medium |
| A mail spoofing vulnerability in Xerox Workplace Suite allows attackers to forge email headers, making it appear as though messages are sent from trusted sources. | ||||
| CVE-2025-15385 | 2 Google, Tecno | 3 Android, Boomplay, Com.afmobi.boomplayer | 2026-01-30 | 9.8 Critical |
| Insufficient Verification of Data Authenticity vulnerability in TECNO Mobile com.Afmobi.Boomplayer allows Authentication Bypass.This issue affects com.Afmobi.Boomplayer: 7.4.63. | ||||
| CVE-2025-49199 | 1 Sick | 1 Field Analytics | 2026-01-26 | 8.8 High |
| The backup ZIPs are not signed by the application, leading to the possibility that an attacker can download a backup ZIP, modify and re-upload it. This allows the attacker to disrupt the application by configuring the services in a way that they are unable to run, making the application unusable. They can redirect traffic that is meant to be internal to their own hosted services and gathering information. | ||||