Webserver

A Server-Side Request Forgery (SSRF) vulnerability exists in Hugo versions 0.162.0 through 0.163.0, where the 'security.http.urls' policy designed to deny requests to loopback, internal, and cloud-metadata IPv4 literals could be bypassed as the policy only matched dotted-decimal notation, allowing alternate IPv4 encodings (integer, hex, octal) to pass, enabling build-time server-side requests to internal services and cloud-metadata endpoints when untrusted or data-derived URLs are passed to 'resources.GetRemote'.

An unauthenticated attacker can exploit CVE-2026-55882 in Tilt HUD server versions 0.19.5 through 0.37.3, when exposed on a non-loopback address, by accessing the `/debug/pprof` endpoints to read sensitive process memory, including session and API server tokens, and to degrade application performance through prolonged CPU profiling or tracing.

An integer overflow vulnerability (CVE-2026-55203) in HAProxy through version 3.4.0 allows malicious FastCGI backends to desynchronize the FCGI framing parser, leading to request routing errors, response smuggling, or memory safety issues.

An authenticated user can exploit CVE-2026-54005, a high-severity missing authorization vulnerability in Kirby CMS versions <= 4.9.3 and from 5.0.0-alpha.1 to <= 5.4.3, via the `/api/site/find` REST API route to bypass `pages.access` permissions and retrieve sensitive content and metadata from unauthorized pages.

This rule detects unusual child process executions originating from web server processes on Linux systems, which attackers may use to maintain persistence on a compromised system by exploiting web server vulnerabilities.

nextlevelbuilder GoClaw up to 3.11.3 is vulnerable to remote OS command injection via manipulation of the write_file Tool component's FsBridge.WriteFile function (CVE-2026-10219), with a public exploit available.

Gotenberg is vulnerable to a remote denial-of-service (DoS) in multipart `downloadFrom` handling, where a crafted multipart request with multiple `downloadFrom` entries causes concurrent goroutines to write to shared maps without synchronization, leading to process termination.

IBM InfoSphere Optim Test Data Fabrication versions 1.0.0 through 1.0.2.7 are susceptible to a path traversal vulnerability (CVE-2026-3366), allowing a remote attacker to send a specially crafted URL request containing 'dot dot' sequences (/../) to view arbitrary files on the system.

Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to enforce request body size limits on plugin HTTP endpoints, allowing an attacker to cause a denial of service via crafted oversized HTTP requests.

A vulnerability in Nginx allows a remote attacker to execute arbitrary code and cause a denial-of-service condition, affecting Nginx Open Source versions 1.x before 1.30.2, versions after 1.31.0 before 1.31.1, Nginx Plus versions 37.x before 37.0.1.1, and versions Rx before R36 P5 or R32 P7.

A remote, anonymous attacker can exploit a vulnerability in cPanel cPanel/WHM to potentially execute arbitrary code or cause a denial-of-service condition.

The BookingPress Pro plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'bookingpress_validate_submitted_booking_form_func' function in versions up to 5.6, allowing unauthenticated attackers to upload arbitrary files and potentially achieve remote code execution if a signature custom field is added to the booking form.

Multiple vulnerabilities in NGINX Open Source and NGINX Plus allow a remote, anonymous attacker to bypass security measures, execute arbitrary code, manipulate data, disclose confidential information, or cause a denial-of-service condition.

Nordex N149/4.0-4.5 Wind Turbine Web Server 4.0 is vulnerable to SQL injection (CVE-2018-25333), allowing unauthenticated attackers to execute arbitrary SQL queries and extract sensitive information via crafted POST requests to login.php.

AVideo is vulnerable to OS command injection (CVE-2026-45578) in the `on_publish.php` file due to improper sanitization of the m3u8 URL, allowing attackers to execute arbitrary commands by injecting shell metacharacters.

NGINX Plus and NGINX Open Source are vulnerable to a heap buffer overflow (CVE-2026-42945) due to crafted HTTP requests when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string that includes a question mark, potentially leading to denial of service or code execution.

SPIP versions prior to 4.4.14 contain a remote code execution vulnerability exploitable in certain Nginx configurations, allowing attackers to execute arbitrary code within the web server's context.

A remote, authenticated attacker can exploit a vulnerability in JetBrains TeamCity On-Premises to escalate privileges.

Multiple vulnerabilities in SmarterTools SmarterMail could allow an attacker to gain elevated privileges, bypass security measures, manipulate data, disclose sensitive information, cause a denial-of-service condition, or carry out other unspecified attacks.

OpenCart 3.0.3.8 is vulnerable to session fixation (CVE-2021-47923), allowing attackers to hijack user sessions by injecting arbitrary values into the OCSESSID cookie, leading to unauthorized access.

A vulnerability in Apache HTTP Server's HTTP/2 protocol can lead to denial of service by crashing worker processes, and in specific configurations (APR with mmap), remote code execution.

A stored XSS vulnerability exists in Grav Core + Admin Plugin versions before 2.0.0-beta.2, where a low-privileged user can inject malicious code via a crafted tag, potentially leading to the exfiltration of admin session context, bypassing CSRF protections, and escalating to remote code execution (RCE).

A stack-based buffer overflow vulnerability exists in EFM ipTIME NAS1dual 1.5.24, affecting the get_csrf_whites function in /cgi/advanced/misc_main.cgi, exploitable remotely, and leading to potential arbitrary code execution.

A critical authentication bypass vulnerability (CVE-2026-4670) in Progress MOVEit Automation allows an unauthenticated remote attacker to gain administrative access, potentially leading to full control over the application and sensitive file transfer workflows.

A buffer overflow vulnerability exists in Totolink N300RH 3.2.4-B20220812 allowing remote attackers to execute arbitrary code by manipulating the mac_address argument in the setMacFilterRules function of the /cgi-bin/cstecgi.cgi POST request handler.

Shandong Hoteam Software PDM Product Data Management System up to version 8.3.9 is vulnerable to SQL injection via manipulation of the SortOrder argument in the GetQueryMachineGridOnePageData function of the /Base/BaseService.asmx/DataService file, allowing remote attackers to potentially execute arbitrary SQL commands.

A remote buffer overflow vulnerability exists in Edimax BR-6428nC devices up to version 1.16 via manipulation of the pptpDfGateway argument in the /goform/setWAN file, potentially allowing for arbitrary code execution.

A buffer overflow vulnerability exists in Edimax BR-6208AC devices (<= 1.02) via manipulation of the pptpDfGateway argument in the /goform/setWAN endpoint, potentially allowing remote attackers to execute arbitrary code.

CVE-2026-7593 is an OS command injection vulnerability in Sunwood-ai-labs command-executor-mcp-server up to version 0.1.0, allowing remote attackers to execute arbitrary commands via the execute_command function in src/index.ts.

An authentication bypass vulnerability in cPanel and WHM versions prior to 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.132.0.29, 11.134.0.20, and 11.136.0.5 allows unauthenticated remote attackers to gain unauthorized access to the control panel.

Toowiredd chatgpt-mcp-server up to version 0.1.0 is vulnerable to OS command injection via the file src/services/docker.service.ts of the component MCP/HTTP, allowing for remote exploitation.

WWBN AVideo versions 29.0 and below contain a path traversal vulnerability (CVE-2026-41058) in the CloneSite functionality, allowing unauthenticated attackers to delete arbitrary files via manipulation of the `deleteDump` parameter.

An insecure deserialization vulnerability exists in Progress Telerik UI for AJAX's RadFilter control (versions 2024.4.1114 through 2026.1.421) allowing remote code execution via tampering with the filter state exposed to the client.

CVE-2026-33519 is a critical vulnerability in Esri Portal for ArcGIS 11.4, 11.5, and 12.0, where incorrect authorization checks on developer credentials can lead to unauthorized privilege escalation on Windows, Linux, and Kubernetes deployments.

A buffer overflow vulnerability (CVE-2026-6631) in Tenda F451 router version 1.0.0.7_cn_svn7958 allows remote attackers to execute arbitrary code by manipulating the 'page' argument in the /goform/webExcptypemanFilter component.

Fastify v5.x is vulnerable to a body schema validation bypass, allowing attackers to circumvent request body validation by prepending a single space to the Content-Type header, potentially compromising data integrity and security constraints.

Jetty is vulnerable to HTTP request smuggling due to improper parsing of quoted strings in HTTP/1.1 chunked transfer encoding extension values, potentially allowing attackers to inject arbitrary HTTP requests, poison caches, and bypass security controls.

CMSsite 1.0 is vulnerable to unauthenticated SQL injection (CVE-2019-25697) via the cat_id parameter in category.php, allowing attackers to extract sensitive database information.

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.

OpenClaw before 2026.3.25 contains an improper access control vulnerability (CVE-2026-34512) in the HTTP /sessions/:sessionKey/kill route, allowing any authenticated user to terminate arbitrary subagent sessions.

A stored cross-site scripting (XSS) vulnerability in Immich versions before 2.7.0 allows authenticated users to inject arbitrary JavaScript via crafted equirectangular images, leading to session hijacking, data exfiltration, and unauthorized access.

Brave CMS versions prior to 2.0.6 contain an unrestricted file upload vulnerability within the CKEditor upload functionality in the ckupload method, allowing authenticated users to upload executable PHP scripts and achieve Remote Code Execution.

CVE-2026-34402 is a time-based blind SQL injection vulnerability in ChurchCRM versions prior to 7.1.0. Authenticated users with Edit Records or Manage Groups permissions can exploit the PropertyAssign.php endpoint to exfiltrate or modify database content, including user credentials, PII, and configuration secrets.

News Website Script 2.0.5 contains an SQL injection vulnerability (CVE-2019-25668) allowing unauthenticated attackers to extract sensitive information by injecting SQL code through the news ID parameter in GET requests.

CVE-2026-5570 is an improper authentication vulnerability in the index_config function of the /LoginCB file of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30, allowing remote attackers to bypass authentication.

A buffer overflow vulnerability exists in Tenda M3 1.0.0.10 via manipulation of the policyType argument in the setAdvPolicyData function, allowing remote attackers to execute arbitrary code.

pyLoad is vulnerable to arbitrary code execution via an unprotected `storage_folder` configuration option, allowing an attacker with `SETTINGS` and `ADD` permissions to write a malicious pickle payload to the Flask session store and execute arbitrary code upon subsequent HTTP requests.

OneUptime versions prior to 10.0.42 are vulnerable to an authentication bypass due to improper SAML signature validation, allowing attackers to impersonate users by prepending unsigned assertions.

Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are vulnerable to information disclosure due to improper static file serving via a prefix matching issue in Rack::Static.

CVE-2026-20160 is a critical vulnerability in Cisco Smart Software Manager On-Prem (SSM On-Prem) that allows an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system with root privileges by sending a crafted request to an exposed API.

A remote, anonymous attacker can exploit a vulnerability in various HTTP/2 implementations to perform a denial-of-service attack.

A remote, authenticated attacker can exploit multiple vulnerabilities in Django to perform SQL injections, disclose confidential information, or cause a denial-of-service condition.

baserCMS versions prior to 5.2.3 are vulnerable to OS command injection, allowing an authenticated administrator to execute arbitrary commands on the server via maliciously crafted input to the core update functionality.

baserCMS prior to version 5.2.3 contains an OS command injection vulnerability in the update functionality, allowing authenticated administrators to execute arbitrary OS commands on the server.

baserCMS versions prior to 5.2.3 are vulnerable to arbitrary code execution via a crafted zip file upload through the restore function, leading to unauthenticated remote command execution on the webserver.

Multiple vulnerabilities in NGINX Plus and NGINX can be exploited by an attacker to perform a denial of service attack, manipulate data, bypass security measures, and potentially execute arbitrary program code, leading to significant impact.

CVE-2026-2328 describes a vulnerability where an unauthenticated remote attacker can exploit insufficient input validation to access backend components beyond their intended scope via path traversal, leading to the exposure of sensitive information.

A remote attacker can exploit CVE-2026-28367 in Undertow by sending '\r\r\r' as a header block terminator, leading to request smuggling on vulnerable proxy servers.

A SQL injection vulnerability (CVE-2026-4910) exists in Shenzhen Ruiming Technology Streamax Crocus bis 1.3.44 via the /RemoteFormat.do endpoint, allowing remote attackers to execute arbitrary SQL commands by manipulating the State argument.

SiYuan is vulnerable to arbitrary document reading via the publishing service, allowing attackers to retrieve document IDs and view the content of all documents, including encrypted or prohibited ones, by exploiting the `/api/file/readDir` and `/api/block/getChildBlocks` interfaces.

An anonymous remote attacker can exploit a vulnerability in Apache CXF to perform a denial of service attack and disclose sensitive information.

An anonymous remote attacker can exploit multiple vulnerabilities in Red Hat JBoss Enterprise Application Platform to cause a denial-of-service condition, manipulate data, and conduct further attacks such as cache poisoning and session hijacking.

A remote code execution vulnerability exists in Craft CMS versions 5.6.0 through 5.9.12, where any authenticated user with control panel access can exploit the vulnerability by injecting malicious behavior via the `fieldLayouts` parameter in `ElementIndexesController::actionFilterHud()` due to the unsanitized parameter being passed to `FieldLayout::createFromConfig()`.

Census CSWeb 8.0.1 is vulnerable to unauthenticated remote configuration file disclosure via HTTP requests to the `/app/config` path, potentially exposing sensitive secrets; fixed in 8.1.0 alpha.

CVE-2026-4750 is a critical out-of-bounds read vulnerability affecting fabiangreffrath woof versions before 15.3.0, potentially leading to information disclosure or denial of service.

A server-side request forgery (SSRF) vulnerability exists in the DefaultFuction Jeson-Customer-Relationship-Management-System's API Module, specifically affecting the /api/System.php file, allowing remote attackers to manipulate the 'url' argument and potentially access internal resources.

AVideo versions up to 26.0 are vulnerable to an unauthenticated server-side request forgery (SSRF) vulnerability in the `plugin/Live/test.php` endpoint, allowing attackers to make the server send arbitrary HTTP requests, potentially exposing internal resources and cloud metadata.

An unauthenticated denial-of-service vulnerability in Phoenix's long-poll transport allows a remote client to exhaust server memory by sending a series of crafted HTTP requests, affecting LiveView apps with a public Longpoll socket or Phoenix.Socket with longpoll option.

A high-severity authentication bypass vulnerability exists in Traefik's `ForwardAuth` middleware when `trustForwardHeader=false` is configured and Traefik is deployed behind a trusted upstream proxy; Traefik fails to sanitize the `X-Forwarded-Prefix` header, allowing attackers to spoof a trusted prefix value and gain unauthorized access to protected backend routes.

A server-side request forgery (SSRF) vulnerability exists in BigSweetPotatoStudio HyperChat up to version 2.0.0-alpha.63, allowing a remote attacker to manipulate the 'baseurl' argument in the 'fetch' function of the AI Proxy Middleware component to make arbitrary HTTP requests.

Unauthenticated remote attackers can exploit an arbitrary file read vulnerability (CVE-2022-50992) in Weaver E-cology 9.5 versions prior to 10.52 via the XML-RPC endpoint to access sensitive files.

A path traversal vulnerability exists in pygeoapi versions 0.23.0 to 0.23.2 within the STAC FileSystemProvider plugin, allowing unauthenticated access to directories when deployed without a URL-normalizing proxy.

AzuraCast is vulnerable to path traversal in the Flow.js media upload endpoint, allowing authenticated users with media permissions to write arbitrary files, leading to remote code execution via PHP webshell upload.