The DIRAC PilotManager component contains combined security weaknesses: a SQL injection vulnerability (CWE-89) in the PilotAgentsDB database interaction layer, and an improper access control configuration (CWE-284) within the default authorization structure. A low-privilege authenticated attacker can bypass intended authorization checks to run administrative commands, manipulate grid job tracking records, and execute arbitrary SQL statements against the backend database.
A comprehensive security analysis of CVE-2024-27091, a stored cross-site scripting (XSS) vulnerability in the GeoNode geospatial content management system. Unsanitized metadata fields rendered with Django's safe template filter permit stored JavaScript execution, leading directly to admin account takeover via CSRF token theft and silent profile email modification.
An authentication bypass in the SiYuan personal knowledge management system before version 3.7.0 exposes a dynamic icon rendering endpoint. This endpoint processes client-supplied Go template directives. By submitting a crafted request, an unauthenticated remote attacker can leverage registered database template functions to execute arbitrary read-only SQL queries and exfiltrate workspace contents.
CVE-2026-54069 is a critical authentication bypass vulnerability in the SiYuan Note personal knowledge management system. The flaw is located in the HTTP server's middleware handling API authorization, which unconditionally trusts requests carrying a 'chrome-extension://' scheme in the Origin HTTP header, granting administrative access without validating API tokens.
CVE-2026-54089 is a critical authentication bypass vulnerability in File Browser affecting instances configured with proxy-based authentication. An unauthenticated remote attacker with direct network access can impersonate arbitrary users or register new accounts by spoofing configured HTTP headers.
The malicious Cargo package 'exploration' was uploaded to the crates.io registry. During compilation or package import, the crate executes code designed to establish an outbound TCP/HTTP connection, download an external second-stage binary, and execute the binary locally on the host machine. This creates an unauthenticated remote code execution vector impacting developer environments and continuous integration pipelines.
CVE-2026-54088 is a critical command injection vulnerability in File Browser prior to version 2.63.6. When Hook Authentication is enabled, the application interpolates unsanitized credentials into a shell command, allowing unauthenticated remote code execution.
An authenticated remote code execution vulnerability exists in NotrinosERP (versions up to and including 1.0.0) within the Human Resource Management (HRM) module. Users with employee management permissions can upload arbitrary file types, including PHP scripts, which are written directly to a web-accessible directory. This allows for arbitrary code execution in the context of the web-server user.
A high-severity security bypass vulnerability exists in safeinstall-cli up to version 0.10.1. Due to multiple logical limitations in its shell command parsing mechanism (guard-parser), attackers can craft specific shell commands that completely evade the Agent Guard interceptor hooks. This allows arbitrary unverified installations and code executions on the developer system when executed by AI coding agents.
An arbitrary server-side file read vulnerability exists in the mcp-atlassian integration server. Remote clients utilizing SSE or HTTP transports can exploit the lack of directory containment on attachment-upload tools to resolve and read arbitrary host files, exfiltrating them directly to Atlassian Jira or Confluence.
A directory traversal vulnerability exists in the mcp-atlassian integration server prior to version 0.22.0. The confluence_upload_attachment tool fails to restrict the paths of uploaded files, allowing authenticated users or external prompt injection payloads to retrieve and exfiltrate arbitrary files from the server's filesystem into Confluence.
A critical-severity Stored Cross-Site Scripting (XSS) vulnerability exists in the SiYuan personal knowledge management system. Due to missing sanitization in the attribute-view cell renderer and an insecure Electron default configuration (nodeIntegration: true), attackers can execute arbitrary commands on the victim's host operating system through synchronized workspaces.
Or generate a custom report
Search for a CVE ID (e.g. CVE-2024-1234) to generate an AI-powered vulnerability analysis
Automated vulnerability intelligence. 2,073+ reports.