Common Weakness Enumeration
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Show details on NVD website
Back to CWE stats page
CWE-749
Exposed Dangerous Method or Function
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
CVE-2026-25266 (GCVE-0-2026-25266)
Vulnerability from cvelistv5 – Published: 2026-05-04 16:43 – Updated: 2026-05-04 18:10
VLAI
EPSS
VEX
Title
Exposed dangerous function in windows host
Summary
Memory corruption while processing IOCTL command when device is in power-save state.
Severity
5.5 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Qualcomm, Inc. | Snapdragon |
Affected:
Cologne
Affected: FastConnect 6900 Affected: FastConnect 7800 Affected: SC8380XP Affected: Snapdragon AR1 Gen 1 Platform Affected: WCD9378C Affected: WCD9380 Affected: WCD9385 Affected: WCN7861 Affected: WCN7880 Affected: WSA8830 Affected: WSA8832 Affected: WSA8835 Affected: WSA8840 Affected: WSA8845 Affected: WSA8845H Affected: X2000077 Affected: X2000086 Affected: X2000090 Affected: X2000092 Affected: X2000094 Affected: XG101002 Affected: XG101032 Affected: XG101039 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25266",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T18:10:08.893266Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T18:10:31.034Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"Snapdragon CCW",
"Snapdragon Compute",
"Snapdragon Connectivity",
"Snapdragon MC"
],
"product": "Snapdragon",
"vendor": "Qualcomm, Inc.",
"versions": [
{
"status": "affected",
"version": "Cologne"
},
{
"status": "affected",
"version": "FastConnect 6900"
},
{
"status": "affected",
"version": "FastConnect 7800"
},
{
"status": "affected",
"version": "SC8380XP"
},
{
"status": "affected",
"version": "Snapdragon AR1 Gen 1 Platform"
},
{
"status": "affected",
"version": "WCD9378C"
},
{
"status": "affected",
"version": "WCD9380"
},
{
"status": "affected",
"version": "WCD9385"
},
{
"status": "affected",
"version": "WCN7861"
},
{
"status": "affected",
"version": "WCN7880"
},
{
"status": "affected",
"version": "WSA8830"
},
{
"status": "affected",
"version": "WSA8832"
},
{
"status": "affected",
"version": "WSA8835"
},
{
"status": "affected",
"version": "WSA8840"
},
{
"status": "affected",
"version": "WSA8845"
},
{
"status": "affected",
"version": "WSA8845H"
},
{
"status": "affected",
"version": "X2000077"
},
{
"status": "affected",
"version": "X2000086"
},
{
"status": "affected",
"version": "X2000090"
},
{
"status": "affected",
"version": "X2000092"
},
{
"status": "affected",
"version": "X2000094"
},
{
"status": "affected",
"version": "XG101002"
},
{
"status": "affected",
"version": "XG101032"
},
{
"status": "affected",
"version": "XG101039"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Memory corruption while processing IOCTL command when device is in power-save state."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T16:43:19.977Z",
"orgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"shortName": "qualcomm"
},
"references": [
{
"url": "https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html"
}
],
"title": "Exposed dangerous function in windows host"
}
},
"cveMetadata": {
"assignerOrgId": "2cfc7d3e-20d3-47ac-8db7-1b7285aff15f",
"assignerShortName": "qualcomm",
"cveId": "CVE-2026-25266",
"datePublished": "2026-05-04T16:43:19.977Z",
"dateReserved": "2026-02-02T04:19:00.940Z",
"dateUpdated": "2026-05-04T18:10:31.034Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-28400 (GCVE-0-2026-28400)
Vulnerability from cvelistv5 – Published: 2026-02-27 21:06 – Updated: 2026-03-03 20:30
VLAI
EPSS
VEX
Title
Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint
Summary
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
Severity
7.6 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/docker/model-runner/security/a… | x_refsource_CONFIRM |
| https://www.zerodayinitiative.com/advisories/ZDI-… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| docker | model-runner |
Affected:
< 1.0.16
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-28400",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-03T20:30:23.572316Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T20:30:39.966Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "model-runner",
"vendor": "docker",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Versions prior to 1.0.16 expose a POST `/engines/_configure` endpoint that accepts arbitrary runtime flags without authentication. These flags are passed directly to the underlying inference server (llama.cpp). By injecting the --log-file flag, an attacker with network access to the Model Runner API can write or overwrite arbitrary files accessible to the Model Runner process. When bundled with Docker Desktop (where Model Runner is enabled by default since version 4.46.0), it is reachable from any default container at model-runner.docker.internal without authentication. In this context, the file overwrite can target the Docker Desktop VM disk (`Docker.raw` ), resulting in the destruction of all containers, images, volumes, and build history. However, in specific configurations and with user interaction, it is possible to convert this vulnerability in a container escape. The issue is fixed in Docker Model Runner 1.0.16. Docker Desktop users should update to 4.61.0 or later, which includes the fixed Model Runner. A workaround is available. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T21:06:12.418Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/docker/model-runner/security/advisories/GHSA-m456-c56c-hh5c"
},
{
"name": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379",
"tags": [
"x_refsource_MISC"
],
"url": "https://www.zerodayinitiative.com/advisories/ZDI-CAN-28379"
}
],
"source": {
"advisory": "GHSA-m456-c56c-hh5c",
"discovery": "UNKNOWN"
},
"title": "Docker Model Runner Unauthenticated Runtime Flag Injection via _configure Endpoint"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-28400",
"datePublished": "2026-02-27T21:06:12.418Z",
"dateReserved": "2026-02-27T15:33:57.288Z",
"dateUpdated": "2026-03-03T20:30:39.966Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30797 (GCVE-0-2026-30797)
Vulnerability from cvelistv5 – Published: 2026-03-05 15:35 – Updated: 2026-03-17 14:31
VLAI
EPSS
VEX
Title
RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server
Summary
Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler.
This issue affects RustDesk Client: through 1.4.5.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://rustdesk.com/docs/en/client/ | technical-descriptionx_--config documentation |
| https://docs.google.com/document/d/e/2PACX-1vSds6… | third-party-advisoryexploit |
| https://www.vulsec.org/ | vdb-entrythird-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| rustdesk-client | RustDesk Client |
Affected:
0 , ≤ 1.4.5
(custom)
|
Date Public
2026-03-05 13:45
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30797",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-17T14:31:54.962148Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-17T14:31:59.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/rustdesk/rustdesk/releases",
"defaultStatus": "affected",
"modules": [
"Flutter URI scheme handler",
"config import"
],
"packageName": "rustdesk-client",
"platforms": [
"Windows",
"MacOS",
"Linux",
"iOS",
"Android"
],
"product": "RustDesk Client",
"programFiles": [
"flutter/lib/common.dart"
],
"programRoutines": [
{
"name": "importConfig() via URI handler"
}
],
"repo": "https://github.com/rustdesk/rustdesk,https://github.com/rustdesk/hbb_common",
"vendor": "rustdesk-client",
"versions": [
{
"lessThanOrEqual": "1.4.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"configurations": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Default \u2014 RustDesk installed with URI scheme handler registered"
}
],
"value": "Default \u2014 RustDesk installed with URI scheme handler registered"
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:windows:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:macos:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:linux:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:ios:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:rustdesk-client:rustdesk_client:*:*:android:*:*:*:*:*",
"versionEndIncluding": "1.4.5",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Erez Kalman"
},
{
"lang": "en",
"type": "reporter",
"value": "Erez Kalman"
}
],
"datePublic": "2026-03-05T13:45:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003eflutter/lib/common.Dart\u003c/tt\u003e and program routines \u003ctt\u003eimportConfig() via URI handler\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects RustDesk Client: through 1.4.5.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, MacOS, Linux, iOS, Android (Flutter URI scheme handler, config import modules) allows Application API Message Manipulation via Man-in-the-Middle. This vulnerability is associated with program files flutter/lib/common.Dart and program routines importConfig() via URI handler.\n\nThis issue affects RustDesk Client: through 1.4.5."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "PoC available. Trivially exploitable.\u003cbr\u003e"
}
],
"value": "PoC available. Trivially exploitable."
}
],
"impacts": [
{
"capecId": "CAPEC-384",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-384 Application API Message Manipulation via Man-in-the-Middle"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-05T16:53:48.123Z",
"orgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"shortName": "VULSec"
},
"references": [
{
"tags": [
"technical-description",
"x_--config documentation"
],
"url": "https://rustdesk.com/docs/en/client/"
},
{
"tags": [
"third-party-advisory",
"exploit"
],
"url": "https://docs.google.com/document/d/e/2PACX-1vSds6jjpd38oO_yIAyd1HYtKNUuea-I-ozAPpGhYI7QgAU-QGJ7D8a4rOZVj1vmiUXV1EcdRHf9aZAW/pub"
},
{
"tags": [
"vdb-entry",
"third-party-advisory"
],
"url": "https://www.vulsec.org/"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Require admin elevation and user confirmation. Add config to disable. Sign config payloads."
}
],
"value": "Require admin elevation and user confirmation. Add config to disable. Sign config payloads."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "RustDesk rustdesk://config/ URI Silently Re-homes Client to Attacker-Controlled Server",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Unregister the \u003ccode\u003erustdesk://\u003c/code\u003e URI scheme handler at OS level"
}
],
"value": "Unregister the rustdesk:// URI scheme handler at OS level"
}
],
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fdefc65-d750-4b8d-96ee-6e2c0c42dbfe",
"assignerShortName": "VULSec",
"cveId": "CVE-2026-30797",
"datePublished": "2026-03-05T15:35:08.889Z",
"dateReserved": "2026-03-05T14:13:37.203Z",
"dateUpdated": "2026-03-17T14:31:59.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30921 (GCVE-0-2026-30921)
Vulnerability from cvelistv5 – Published: 2026-03-09 22:58 – Updated: 2026-03-10 14:13
VLAI
EPSS
VEX
Title
OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/OneUptime/oneuptime/security/a… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30921",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T14:13:48.408035Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:13:54.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oneuptime",
"vendor": "OneUptime",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node\u0027s vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed in 10.0.20."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-09T22:58:58.618Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-4j36-39gm-8vq8"
}
],
"source": {
"advisory": "GHSA-4j36-39gm-8vq8",
"discovery": "UNKNOWN"
},
"title": "OneUptime Synthetic Monitor RCE via exposed Playwright browser object"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30921",
"datePublished": "2026-03-09T22:58:58.618Z",
"dateReserved": "2026-03-07T16:40:05.884Z",
"dateUpdated": "2026-03-10T14:13:54.890Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-30957 (GCVE-0-2026-30957)
Vulnerability from cvelistv5 – Published: 2026-03-10 16:58 – Updated: 2026-03-10 18:22
VLAI
EPSS
VEX
Title
OneUptime Synthetic Monitor RCE via exposed Playwright browser object
Summary
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
Severity
10 (Critical)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/OneUptime/oneuptime/security/a… | x_refsource_CONFIRM |
| https://github.com/OneUptime/oneuptime/releases/t… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-30957",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T18:21:28.474564Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T18:22:16.657Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "oneuptime",
"vendor": "OneUptime",
"versions": [
{
"status": "affected",
"version": "\u003c 10.0.21"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node\u0027s vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 10,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T16:58:28.216Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-jw8q-gjvg-8w4q"
},
{
"name": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/OneUptime/oneuptime/releases/tag/10.0.21"
}
],
"source": {
"advisory": "GHSA-jw8q-gjvg-8w4q",
"discovery": "UNKNOWN"
},
"title": "OneUptime Synthetic Monitor RCE via exposed Playwright browser object"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-30957",
"datePublished": "2026-03-10T16:58:28.216Z",
"dateReserved": "2026-03-07T17:34:39.981Z",
"dateUpdated": "2026-03-10T18:22:16.657Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33583 (GCVE-0-2026-33583)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:19 – Updated: 2026-05-13 18:57
VLAI
EPSS
VEX
Title
Arqit SKA-Platform Vulnerable to Key Exposure
Summary
Exposure of the QKEY (used as
input into the ‘OTA-Quantum’ device registration process) and internal
system keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.
This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity
8.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed dangerous method or function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arqit | Symmetric Key Agreement Platform |
Affected:
0 , < 26.03
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33583",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T18:57:23.168695Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:57:55.074Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Symmetric Key Agreement Platform",
"vendor": "Arqit",
"versions": [
{
"lessThan": "26.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposure of the QKEY (used as \ninput into the \u2018OTA-Quantum\u2019 device registration process) and internal \nsystem keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.\u003cp\u003eThis issue affects Symmetric Key Agreement Platform: before 26.03.\u003c/p\u003e"
}
],
"value": "Exposure of the QKEY (used as \ninput into the \u2018OTA-Quantum\u2019 device registration process) and internal \nsystem keys via an unauthenticated and unencrypted HTTP GET method in the Arqit Symmetric Key Agreement Platform.\n\nThis issue affects Symmetric Key Agreement Platform: before 26.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed dangerous method or function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:19:34.651Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33583"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Arqit SKA-Platform Vulnerable to Key Exposure",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2026-33583",
"datePublished": "2026-05-13T18:19:34.651Z",
"dateReserved": "2026-03-23T12:53:47.473Z",
"dateUpdated": "2026-05-13T18:57:55.074Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33584 (GCVE-0-2026-33584)
Vulnerability from cvelistv5 – Published: 2026-05-13 18:30 – Updated: 2026-05-13 19:39
VLAI
EPSS
VEX
Title
Arqit SKA-Platform Enables Access to Debug Information
Summary
Exposed Keycloak management
service in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug
information such as metrics and
health data. This issue affects Symmetric Key Agreement Platform: before 26.03.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed dangerous method or function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33584 | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Arqit | Symmetric Key Agreement Platform |
Affected:
0 , < 26.03
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33584",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T19:37:59.672987Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T19:39:01.096Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Symmetric Key Agreement Platform",
"vendor": "Arqit",
"versions": [
{
"lessThan": "26.03",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Exposed Keycloak management \nservice in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug \ninformation such as metrics and\n health data.\u0026nbsp;This issue affects Symmetric Key Agreement Platform: before 26.03."
}
],
"value": "Exposed Keycloak management \nservice in the Arqit Symmetric Key Agreement Platform enables unauthorized access to sensitive debug \ninformation such as metrics and\n health data.\u00a0This issue affects Symmetric Key Agreement Platform: before 26.03."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed dangerous method or function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T18:35:29.330Z",
"orgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"shortName": "ENISA"
},
"references": [
{
"tags": [
"third-party-advisory"
],
"url": "https://www.cvcn.gov.it/cvcn/cve/CVE-2026-33584"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Arqit SKA-Platform Enables Access to Debug Information",
"x_generator": {
"engine": "Vulnogram 1.0.2"
}
}
},
"cveMetadata": {
"assignerOrgId": "a6d3dc9e-0591-4a13-bce7-0f5b31ff6158",
"assignerShortName": "ENISA",
"cveId": "CVE-2026-33584",
"datePublished": "2026-05-13T18:30:48.206Z",
"dateReserved": "2026-03-23T12:53:47.473Z",
"dateUpdated": "2026-05-13T19:39:01.096Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-3483 (GCVE-0-2026-3483)
Vulnerability from cvelistv5 – Published: 2026-03-10 14:19 – Updated: 2026-03-11 03:56
VLAI
EPSS
VEX
Summary
An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.
Severity
7.8 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed dangerous method or function
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Ivanti | Desktop and Server Management |
Unaffected:
2026.1.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-3483",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-10T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T03:56:43.597Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Desktop and Server Management",
"vendor": "Ivanti",
"versions": [
{
"status": "unaffected",
"version": "2026.1.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eAn exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.\u003c/p\u003e"
}
],
"value": "An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges."
}
],
"impacts": [
{
"capecId": "CAPEC-500",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-500 WebView Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed dangerous method or function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T14:19:34.226Z",
"orgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"shortName": "ivanti"
},
"references": [
{
"url": "https://hub.ivanti.com/s/article/Security-Advisory-Ivanti-DSM-CVE-2026-3483?language=en_US"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "3c1d8aa1-5a33-4ea4-8992-aadd6440af75",
"assignerShortName": "ivanti",
"cveId": "CVE-2026-3483",
"datePublished": "2026-03-10T14:19:25.340Z",
"dateReserved": "2026-03-03T15:08:57.000Z",
"dateUpdated": "2026-03-11T03:56:43.597Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-35488 (GCVE-0-2026-35488)
Vulnerability from cvelistv5 – Published: 2026-04-07 14:51 – Updated: 2026-04-08 14:48
VLAI
EPSS
VEX
Title
Tandoor Recipes — CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users
Summary
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods — including DELETE, PUT, and PATCH — without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4.
Severity
8.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/TandoorRecipes/recipes/securit… | x_refsource_CONFIRM |
| https://github.com/TandoorRecipes/recipes/release… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| TandoorRecipes | recipes |
Affected:
< 2.6.4
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-35488",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-08T14:48:32.807386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T14:48:54.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "recipes",
"vendor": "TandoorRecipes",
"versions": [
{
"status": "affected",
"version": "\u003c 2.6.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Prior to 2.6.4, RecipeBookViewSet and RecipeBookEntryViewSet use CustomIsShared as an alternative permission class, but CustomIsShared.has_object_permission() returns True for all HTTP methods \u2014 including DELETE, PUT, and PATCH \u2014 without checking request.method in SAFE_METHODS. Any user who is in the shared list of a RecipeBook can delete or overwrite it, even though shared access is semantically read-only. This vulnerability is fixed in 2.6.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:51:25.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/TandoorRecipes/recipes/security/advisories/GHSA-xvmf-cfrq-4j8f"
},
{
"name": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/TandoorRecipes/recipes/releases/tag/2.6.4"
}
],
"source": {
"advisory": "GHSA-xvmf-cfrq-4j8f",
"discovery": "UNKNOWN"
},
"title": "Tandoor Recipes \u2014 CustomIsShared permits DELETE/PUT on RecipeBook by shared (read-only) users"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-35488",
"datePublished": "2026-04-07T14:51:25.861Z",
"dateReserved": "2026-04-02T20:49:44.454Z",
"dateUpdated": "2026-04-08T14:48:54.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-4051 (GCVE-0-2026-4051)
Vulnerability from cvelistv5 – Published: 2026-05-26 18:12 – Updated: 2026-05-28 03:55
VLAI
EPSS
VEX
Title
IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution
Summary
IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.
Severity
7.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://www.ibm.com/support/pages/node/7274077 | vendor-advisorypatch |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| IBM | Engineering Lifecycle Management |
Affected:
7.0.3 , ≤ Interim Fix 021
(semver)
Affected: 7.1.0 , ≤ Interim Fix 009 (semver) Affected: 7.2.0 , ≤ Interim Fix 001 (semver) cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:*:*:*:*:*:*:* cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:* cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:* cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:*:*:*:*:*:*:* cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.2:ifix1:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-4051",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-27T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T03:55:37.288Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.3:ifix021:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.1.0:ifix009:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:ibm:engineering_lifecycle_management:7.0.2:ifix1:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "Engineering Lifecycle Management",
"vendor": "IBM",
"versions": [
{
"lessThanOrEqual": "Interim Fix 021",
"status": "affected",
"version": "7.0.3",
"versionType": "semver"
},
{
"lessThanOrEqual": "Interim Fix 009",
"status": "affected",
"version": "7.1.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "Interim Fix 001",
"status": "affected",
"version": "7.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted.\u003c/p\u003e"
}
],
"value": "IBM Engineering Lifecycle Management 7.0.3, 7.1.0, and 7.2.0 could allow an attacker with administrative privileges to execute remote code due to exposed method that is not properly restricted."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749 Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-26T20:08:52.409Z",
"orgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"shortName": "ibm"
},
"references": [
{
"tags": [
"vendor-advisory",
"patch"
],
"url": "https://www.ibm.com/support/pages/node/7274077"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eIBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:\u003c/p\u003e\u003cdiv\u003e\u003ctable\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd\u003e\u003cstrong\u003eAffected Product(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eVersion(s)\u003c/strong\u003e\u003c/td\u003e\u003ctd\u003e\u003cstrong\u003eRemediation/Fix/Instructions\u003c/strong\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIBM Engineering Lifecycle Management - Jazz Foundation\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e7.0.3\u003c/td\u003e\u003ctd\u003eDownload and install\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering\u0026amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management\u0026amp;release=7.2\u0026amp;platform=All\u0026amp;function=fixId\u0026amp;fixids=7.0.3-IBM-ELM-iFix022\u0026amp;includeRequisites=0\u0026amp;includeSupersedes=0\u0026amp;downloadMethod=http\" rel=\"nofollow\"\u003eiFix022\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIBM Engineering Lifecycle Management - Jazz Foundation\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e7.1.0\u003c/td\u003e\u003ctd\u003eDownload and install\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering\u0026amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management\u0026amp;release=7.1\u0026amp;platform=All\u0026amp;function=fixId\u0026amp;fixids=7.1-IBM-ELM-iFix010\u0026amp;includeRequisites=0\u0026amp;includeSupersedes=0\u0026amp;downloadMethod=http\u0026amp;login=true\" rel=\"nofollow\"\u003eiFix010\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd\u003e\u003cp\u003eIBM Engineering Lifecycle Management - Jazz Foundation\u003c/p\u003e\u003c/td\u003e\u003ctd\u003e7.2.0\u003c/td\u003e\u003ctd\u003eDownload and install\u0026nbsp;\u003ca href=\"https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Engineering\u0026amp;product=ibm/Rational/IBM+Engineering+Lifecycle+Management\u0026amp;release=7.2\u0026amp;platform=All\u0026amp;function=fixId\u0026amp;fixids=7.2-IBM-ELM-iFix002\u0026amp;includeRequisites=0\u0026amp;includeSupersedes=0\u0026amp;downloadMethod=http\u0026amp;login=true\" rel=\"nofollow\"\u003eiFix002\u003c/a\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/table\u003e\u003c/div\u003e\u003cp\u003e\u003c/p\u003e"
}
],
"value": "IBM strongly recommends addressing the vulnerability now by upgrading to iFixes detailed below:\n\nAffected Product(s)Version(s)Remediation/Fix/Instructions\n\nIBM Engineering Lifecycle Management - Jazz Foundation\n\n7.0.3Download and install\u00a0 iFix022 https://www.ibm.com/support/fixcentral/swg/downloadFixes \n\nIBM Engineering Lifecycle Management - Jazz Foundation\n\n7.1.0Download and install\u00a0 iFix010 https://www.ibm.com/support/fixcentral/swg/downloadFixes \n\nIBM Engineering Lifecycle Management - Jazz Foundation\n\n7.2.0Download and install\u00a0 iFix002 https://www.ibm.com/support/fixcentral/swg/downloadFixes"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IBM Engineering Lifecycle Management - Jazz Foundation is vulnerable to Server Post-Auth Remote Code Execution",
"x_generator": {
"engine": "ibm-cvegen"
}
}
},
"cveMetadata": {
"assignerOrgId": "9a959283-ebb5-44b6-b705-dcc2bbced522",
"assignerShortName": "ibm",
"cveId": "CVE-2026-4051",
"datePublished": "2026-05-26T18:12:43.303Z",
"dateReserved": "2026-03-12T14:25:02.970Z",
"dateUpdated": "2026-05-28T03:55:37.288Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation
Phase: Architecture and Design
Description:
- If you must expose a method, make sure to perform input validation on all arguments, limit access to authorized parties, and protect against all possible vulnerabilities.
Mitigation
Phases: Architecture and Design, Implementation
Strategy: Attack Surface Reduction
Description:
- Identify all exposed functionality. Explicitly list all functionality that must be exposed to some user or set of users. Identify which functionality may be:
- Ensure that the implemented code follows these expectations. This includes setting the appropriate access modifiers where applicable (public, private, protected, etc.) or not marking ActiveX controls safe-for-scripting.
- accessible to all users
- restricted to a small set of privileged users
- prevented from being directly accessible at all
CAPEC-500: WebView Injection
An adversary, through a previously installed malicious application, injects code into the context of a web page displayed by a WebView component. Through the injected code, an adversary is able to manipulate the DOM tree and cookies of the page, expose sensitive information, and can launch attacks against the web application from within the web page.