Search criteria
9 vulnerabilities
CVE-2026-7763 (GCVE-0-2026-7763)
Vulnerability from cvelistv5 – Published: 2026-06-05 01:39 – Updated: 2026-06-05 01:39
VLAI
Title
Heap buffer overflow in morse.ko TIM IE processing
Summary
A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Morse Micro | HaLowLink 2 |
Affected:
0 , < 2.11.13
(semver)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HaLowLink 2",
"vendor": "Morse Micro",
"versions": [
{
"lessThan": "2.11.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.11.13",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon frame containing a malformed Traffic Indication Map (TIM) Information Element. The function morse_page_slicing_process_tim_element() in page_slicing.c derives the TIM bitmap length directly from a received IE field without validating it against the fixed-size destination buffer before passing it to memset and memcpy operations, allowing up to 252 bytes of attacker-controlled data to be written beyond the buffer boundary. Because beacons are broadcast frames processed during passive scanning, no authentication, association, or user interaction is required."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T01:39:33.488Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-001"
}
],
"title": "Heap buffer overflow in morse.ko TIM IE processing"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-7763",
"datePublished": "2026-06-05T01:39:33.488Z",
"dateReserved": "2026-05-04T05:03:00.671Z",
"dateUpdated": "2026-06-05T01:39:33.488Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7762 (GCVE-0-2026-7762)
Vulnerability from cvelistv5 – Published: 2026-06-05 01:36 – Updated: 2026-06-05 01:36
VLAI
Title
Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing
Summary
A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction.
Severity
No CVSS data available.
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Morse Micro | HaLowLink 2 |
Affected:
0 , < 2.11.13
(semver)
|
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HaLowLink 2",
"vendor": "Morse Micro",
"versions": [
{
"lessThan": "2.11.13",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.11.13",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service (kernel panic) or potentially achieve Remote Code Execution via a crafted 802.11ah beacon or probe response frame containing a malformed S1G Capabilities Information Element (IE element ID 0xD9). The function morse_dot11ah_find_s1g_caps_for_bssid() uses the IE length field directly as the size argument to memcpy without validating it against the 15-byte destination buffer. An attacker can supply up to 255 bytes, causing an overflow of up to 240 bytes of attacker-controlled data into adjacent kernel heap memory. The vulnerability is triggerable during normal scanning without authentication, association, or user interaction."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T01:36:20.993Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-002"
}
],
"title": "Heap buffer overflow in dot11ah.ko S1G Capabilities IE processing"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-7762",
"datePublished": "2026-06-05T01:36:20.993Z",
"dateReserved": "2026-05-04T05:02:07.918Z",
"dateUpdated": "2026-06-05T01:36:20.993Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-7764 (GCVE-0-2026-7764)
Vulnerability from cvelistv5 – Published: 2026-06-04 00:17 – Updated: 2026-06-04 13:01
VLAI
Title
Out-of-bounds read in morse.ko Vendor IE processing
Summary
An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Morse Micro | HaLowLink 2 |
Affected:
0 , < 2.11.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-7764",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-04T13:01:07.316384Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T13:01:15.389Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HaLowLink 2",
"vendor": "Morse Micro",
"versions": [
{
"lessThan": "2.11.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:morsemicro:halow_link_2:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2.11.12",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service (kernel oops/panic) via a crafted 802.11ah beacon or probe response frame containing a malformed Vendor Information Element. The function morse_vendor_find_vendor_ie() does not validate the IE length against the expected structure size before its result is passed to morse_vendor_rx_caps_ops_ie() and morse_vendor_fill_sta_vendor_info(), which read at fixed offsets into the IE data. Because the length check only requires the IE to be longer than 3 bytes, an attacker can supply an undersized IE, causing a heap out-of-bounds read of up to 9 bytes. No authentication, association, or user interaction is required."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-125: Out-of-bounds Read",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T00:17:45.373Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://www.morsemicro.com/security-advisories/MM-SA-2026-003"
}
],
"title": "Out-of-bounds read in morse.ko Vendor IE processing"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-7764",
"datePublished": "2026-06-04T00:17:45.373Z",
"dateReserved": "2026-05-04T05:03:13.154Z",
"dateUpdated": "2026-06-04T13:01:15.389Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9264 (GCVE-0-2026-9264)
Vulnerability from cvelistv5 – Published: 2026-05-22 01:04 – Updated: 2026-05-22 15:52
VLAI
Title
Cross-Site Scripting in SketchUp Dynamic Components
Summary
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
Severity
9.3 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-9264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-22T15:51:45.754618Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T15:52:45.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "SketchUp",
"vendor": "Trimble",
"versions": [
{
"lessThan": "2026.1.3",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:trimble:sketchup:*:*:*:*:*:*:*:*",
"versionEndExcluding": "2026.1.3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"descriptions": [
{
"lang": "en",
"value": "A cross-site scripting (XSS) vulnerability in SketchUp 2026\u0027s Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Control of Generation of Code",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-22T01:04:03.699Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://trust.trimble.com/?tcuUid=52252bc0-c196-4b1f-9f13-4e4c9ba247d9"
}
],
"title": "Cross-Site Scripting in SketchUp Dynamic Components"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-9264",
"datePublished": "2026-05-22T01:04:03.699Z",
"dateReserved": "2026-05-22T00:57:32.121Z",
"dateUpdated": "2026-05-22T15:52:45.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9057 (GCVE-0-2026-9057)
Vulnerability from cvelistv5 – Published: 2026-05-20 04:39 – Updated: 2026-05-20 13:08
VLAI
Title
Security fix for Qlik Talend Administration Center URL access control vulnerability
Summary
A broken access control issue has been identified in the Talend Administration Center, that allows a user with “View” permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available.
Severity
8.2 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Talend | Talend Administration Center |
Affected:
8.0 , < Patch_20251121_QTAC-1471_R2025-11_v1-8.0.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9057",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:07:57.861351Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:08:08.157Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Talend Administration Center",
"vendor": "Talend",
"versions": [
{
"lessThan": "Patch_20251121_QTAC-1471_R2025-11_v1-8.0.1",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:talend:administration_center:*:*:*:*:*:*:*:*",
"versionEndExcluding": "Patch_20251121_QTAC-1471_R2025-11_v1-8.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"value": "Kaushik Roy"
}
],
"descriptions": [
{
"lang": "en",
"value": "A broken access control issue has been identified in the Talend Administration Center, that allows a user with \u201cView\u201d permission to modify the Talend Studio update URL. This issue was resolved in a patch, which is already available."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-284: Improper Access Control",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T04:39:38.619Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-URL-access/ta-p/2548524"
}
],
"title": "Security fix for Qlik Talend Administration Center URL access control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-9057",
"datePublished": "2026-05-20T04:39:38.619Z",
"dateReserved": "2026-05-20T04:38:31.550Z",
"dateUpdated": "2026-05-20T13:08:08.157Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-9056 (GCVE-0-2026-9056)
Vulnerability from cvelistv5 – Published: 2026-05-20 04:35 – Updated: 2026-05-20 13:08
VLAI
Title
Security fix for Qlik Talend Administration Center cross-site scripting vulnerability
Summary
A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user.
Severity
5.4 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-94 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Talend | Talend Administration Center |
Affected:
8.0 , < Patch_20260123_QTAC-1883 (cumulative patch)_R2026-01_v1-8.0.1
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9056",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-20T13:08:26.585632Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T13:08:33.447Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Talend Administration Center",
"vendor": "Talend",
"versions": [
{
"lessThan": "Patch_20260123_QTAC-1883 (cumulative patch)_R2026-01_v1-8.0.1",
"status": "affected",
"version": "8.0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:talend:administration_center:*:*:*:*:*:*:*:*",
"versionEndExcluding": "Patch_20260123_QTAC-1883 (cumulative patch)_R2026-01_v1-8.0.1",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"value": "Ahsan"
}
],
"descriptions": [
{
"lang": "en",
"value": "A stored cross-site scripting vulnerability has been found in the Talend Administration Center. An attacker with permission to manage servers can store a XSS payload that can be triggered by a different user."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-94: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T04:35:39.031Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://community.qlik.com/t5/Official-Support-Articles/Security-fix-for-Qlik-Talend-Administration-Center-cross-site/ta-p/2548522"
}
],
"title": "Security fix for Qlik Talend Administration Center cross-site scripting vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-9056",
"datePublished": "2026-05-20T04:35:39.031Z",
"dateReserved": "2026-05-20T04:33:36.038Z",
"dateUpdated": "2026-05-20T13:08:33.447Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-6264 (GCVE-0-2026-6264)
Vulnerability from cvelistv5 – Published: 2026-04-14 01:49 – Updated: 2026-04-16 00:03
VLAI
Title
Critical Security fix for the Talend JobServer and Talend Runtime
Summary
A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch.
Severity
9.8 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Talend | Talend JobServer |
Affected:
8.0 , < TPS-6017
(custom)
Affected: 7.3 , < TPS-6018 (custom) |
|
| Talend | Talend Runtime |
Affected:
8.0 , < 8.0.1.R2026-01-RT
(custom)
Affected: 7.3 , < 7.3.1-R2026-01 (custom) |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-6264",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T13:07:04.623162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:14:17.018Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Talend JobServer",
"vendor": "Talend",
"versions": [
{
"lessThan": "TPS-6017",
"status": "affected",
"version": "8.0",
"versionType": "custom"
},
{
"lessThan": "TPS-6018",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Talend Runtime",
"vendor": "Talend",
"versions": [
{
"lessThan": "8.0.1.R2026-01-RT",
"status": "affected",
"version": "8.0",
"versionType": "custom"
},
{
"lessThan": "7.3.1-R2026-01",
"status": "affected",
"version": "7.3",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:talend:jobserver:*:*:*:*:*:*:*:*",
"versionEndExcluding": "TPS-6017",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:talend:esb_runtime:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.0.1.R2026-01-RT",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"value": "Harpreet Singh (@TheCyb3rAlpha), Profession: Security Researcher"
}
],
"descriptions": [
{
"lang": "en",
"value": "A critical vulnerability in the Talend JobServer and Talend Runtime allows unauthenticated remote code execution via the JMX monitoring port. The attack vector is the JMX monitoring port of the Talend JobServer. The vulnerability can be mitigated for the Talend JobServer by requiring TLS client authentication for the monitoring port; however, the patch must be applied for full mitigation. For Talend ESB Runtime, the vulnerability can be mitigated by disabling the JobServer JMX monitoring port, which is disabled by default from the R2024-07-RT patch."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T00:03:18.302Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://community.qlik.com/t5/Official-Support-Articles/Critical-Security-fix-for-the-Qlik-Talend-JobServer-and-Talend/tac-p/2541974"
}
],
"title": "Critical Security fix for the Talend JobServer and Talend Runtime"
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2026-6264",
"datePublished": "2026-04-14T01:49:08.920Z",
"dateReserved": "2026-04-14T01:12:19.962Z",
"dateUpdated": "2026-04-16T00:03:18.302Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12792 (GCVE-0-2025-12792)
Vulnerability from cvelistv5 – Published: 2025-11-18 00:18 – Updated: 2025-11-18 16:35
VLAI
Summary
The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-276 - Incorrect Default Permissions
Assigner
References
1 reference
Date Public
2025-11-14 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12792",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-18T14:25:10.730306Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T16:35:38.443Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"platforms": [
"macOS"
],
"product": "Canva",
"vendor": "Canva",
"versions": [
{
"lessThan": "1.117.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:canva:canva:*:*:*:*:*:macos:*:*",
"versionEndExcluding": "1.117.1",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "p1tsi (Bugcrowd)"
}
],
"datePublic": "2025-11-14T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Mac App Store distribution of the Canva for Mac desktop app before 1.117.1 was built without Hardened Runtime. A local threat actor with unprivileged access could execute arbitrary code that inherits the TCC (Transparency, Consent, and Control) permissions assigned to Canva."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 3.2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-276",
"description": "CWE-276 Incorrect Default Permissions",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-18T06:09:01.547Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://trust.canva.com/?tcuUid=1e77a34b-f586-450b-b30d-b6e17d15b443"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2025-12792",
"datePublished": "2025-11-18T00:18:00.348Z",
"dateReserved": "2025-11-06T07:17:33.346Z",
"dateUpdated": "2025-11-18T16:35:38.443Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-8319 (GCVE-0-2025-8319)
Vulnerability from cvelistv5 – Published: 2025-07-29 23:31 – Updated: 2025-07-30 15:06
VLAI
Summary
the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page’s Document Object Model via the error= URL parameter
Severity
6.1 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 Improper Neutralization of Input During Web Page Generation
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Barracuda | Barracuda Message Archiver |
Affected:
5.4.2.002 , < 5.4.2.002
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-8319",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-30T15:06:28.567224Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-30T15:06:34.396Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://bugcrowd.com/disclosures/30a330ef-0885-458c-a64f-2ad63d196b4d/dom-based-cross-site-scripting-xss-with-keylogger-injection-via-the-error-parameter-in-barracuda-mail-archiver"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Barracuda Message Archiver",
"vendor": "Barracuda",
"versions": [
{
"lessThan": "5.4.2.002",
"status": "affected",
"version": "5.4.2.002",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "the BMA login interface allows arbitrary JavaScript or HTML to be written straight into the page\u2019s Document Object Model via the error= URL parameter"
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-29T23:31:31.305Z",
"orgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"shortName": "Bugcrowd"
},
"references": [
{
"url": "https://bugcrowd.com/disclosures/30a330ef-0885-458c-a64f-2ad63d196b4d/dom-based-cross-site-scripting-xss-with-keylogger-injection-via-the-error-parameter-in-barracuda-mail-archiver"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "4ac701fe-44e9-4bcd-9585-dd6449257611",
"assignerShortName": "Bugcrowd",
"cveId": "CVE-2025-8319",
"datePublished": "2025-07-29T23:31:31.305Z",
"dateReserved": "2025-07-29T23:31:18.974Z",
"dateUpdated": "2025-07-30T15:06:34.396Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}