Search criteria
1626 vulnerabilities
CVE-2026-32994 (GCVE-0-2026-32994)
Vulnerability from cvelistv5 – Published: 2026-05-19 04:43 – Updated: 2026-05-19 12:36
VLAI?
Summary
The /api/v1/autotranslate.translateMessage endpoint in versions <8.5.0, <8.4.2, <8.3.4, <8.2.4, <8.1.5, <8.0.6, <7.13.8, and <7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content.
Severity ?
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rocket.Chat | Rocket.Chat |
Affected:
0 , < 8.5.0
(semver)
Affected: 0 , < 8.4.2 (semver) Affected: 0 , < 8.3.4 (semver) Affected: 0 , < 8.2.4 (semver) Affected: 0 , < 8.1.5 (semver) Affected: 0 , < 8.0.6 (semver) Affected: 0 , < 7.13.8 (semver) Affected: 0 , < 7.10.12 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32994",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T12:36:21.168251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T12:36:27.839Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rocket.Chat",
"vendor": "Rocket.Chat",
"versions": [
{
"lessThan": "8.5.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.4.2",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.3.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.2.4",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.1.5",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "8.0.6",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.13.8",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "7.10.12",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "The /api/v1/autotranslate.translateMessage endpoint in versions \u003c8.5.0, \u003c8.4.2, \u003c8.3.4, \u003c8.2.4, \u003c8.1.5, \u003c8.0.6, \u003c7.13.8, and \u003c7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID. The endpoint fetches the message via Messages.findOneById(messageId) with no room access check (canAccessRoomIdAsync is never called), returning the complete IMessage object including message text, sender info, room ID, timestamps, and markdown content."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T04:43:41.777Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/3713682"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32994",
"datePublished": "2026-05-19T04:43:41.777Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-19T12:36:27.839Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29206 (GCVE-0-2026-29206)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:55
VLAI?
Summary
Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled.
Severity ?
8.1 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.124.0.0 , < 11.124.0.38 (semver) Affected: 11.118.0.0 , < 11.118.0.67 (semver) Affected: 11.110.0.0 , < 11.110.0.119 (semver) Affected: 11.102.0.0 , < 11.102.0.42 (semver) Affected: 11.94.0.0 , < 11.94.0.31 (semver) Affected: 11.30.0.0 , < 11.86.0.44 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.12
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.118
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:55:04.846635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:55:12.266Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.42",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.31",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.44",
"status": "affected",
"version": "11.30.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient sanitization of SQL queries in the `sqloptimizer` utility script allows SQL Injections on behalf of the root user if Slow Query logging is enabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.256Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437213099159-Security-CVE-2026-29206-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29206",
"datePublished": "2026-05-13T22:07:16.256Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:55:12.266Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32991 (GCVE-0-2026-32991)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:07 – Updated: 2026-05-14 13:11
VLAI?
Summary
Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account.
Severity ?
7.1 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.124.0.0 , < 11.124.0.38 (semver) Affected: 11.118.0.0 , < 11.118.0.67 (semver) Affected: 11.110.0.0 , < 11.110.0.119 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.12
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.118
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32991",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:11:15.440259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:11:23.622Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.67",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.119",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.118",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper authorization checks of team members privileges allow a team member to escalate privileges to the team owner account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:07:16.151Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437254183959-Security-CVE-2026-32991-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32991",
"datePublished": "2026-05-13T22:07:16.151Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:11:23.622Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29205 (GCVE-0-2026-29205)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
VLAI?
Summary
Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints.
Severity ?
8.6 (High)
CWE
- CWE-250 - Execution with Unnecessary Privileges
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) Affected: 11.120.0.0 , < 11.124.0.38 (semver) |
|
| WebPros | WP Squared |
Affected:
11.120.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29205",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:13:34.728020Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:52.380Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.38",
"status": "affected",
"version": "11.120.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.120.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Incorrect privileges management and insufficient path filtering allow to read arbitrary file on the server via the cpdavd attachment download endpoints."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-250",
"description": "CWE-250 Execution with Unnecessary Privileges",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.220Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437020299927-Security-CVE-2026-29205-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29205",
"datePublished": "2026-05-13T22:06:04.220Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-14T13:13:52.380Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32992 (GCVE-0-2026-32992)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:13
VLAI?
Summary
SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials.
Severity ?
8.2 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.10
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.132.0.0 , < 11.132.0.32 (semver) Affected: 11.130.0.0 , < 11.130.0.23 (semver) Affected: 11.126.0.0 , < 11.126.0.59 (semver) |
|
| WebPros | WP Squared |
Affected:
11.126.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32992",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:58.222950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:13:06.565Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.23",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.59",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.126.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SSL verification is disabled in the DNS Cluster system. This could allow for a malicious server to man-in-the-middle the request and capture credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.157Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437241987607-Security-CVE-2026-32992-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32992",
"datePublished": "2026-05-13T22:06:04.157Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:13:06.565Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32993 (GCVE-0-2026-32993)
Vulnerability from cvelistv5 – Published: 2026-05-13 22:06 – Updated: 2026-05-14 13:12
VLAI?
Summary
Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response.
Severity ?
8.3 (High)
CWE
- CWE-93 - CRLF Injection
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.132.0.0 , < 11.132.0.32
(semver)
Affected: 11.134.0.0 , < 11.134.0.26 (semver) Affected: 11.136.0.0 , < 11.136.0.10 (semver) |
|
| WebPros | WP Squared |
Affected:
11.132.1.0 , < 11.136.1.12
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32993",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T13:12:12.439407Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T13:12:33.758Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.132.0.32",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.26",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.136.0.10",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.12",
"status": "affected",
"version": "11.132.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Improper sanitization of the `status` query parameter of the `/unprotected/nova_error` endpoint allows unauthenticated attacker to inject arbitrary HTTP header to the response."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-93",
"description": "CWE-93 CRLF Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:06:04.114Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40437313190295-Security-CVE-2026-32993-cPanel-WHM-WP2-Security-Update-May-13-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-32993",
"datePublished": "2026-05-13T22:06:04.114Z",
"dateReserved": "2026-03-17T15:00:07.746Z",
"dateUpdated": "2026-05-14T13:12:33.758Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29204 (GCVE-0-2026-29204)
Vulnerability from cvelistv5 – Published: 2026-05-12 17:46 – Updated: 2026-05-12 21:57
VLAI?
Summary
Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.
Severity ?
9.1 (Critical)
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR)
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29204",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T21:10:39.672400Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:13:06.404Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WHMCS",
"vendor": "WebPros",
"versions": [
{
"lessThanOrEqual": "18.12.2",
"status": "affected",
"version": "7.4.0",
"versionType": "semver"
},
{
"lessThan": "18.13.3",
"status": "affected",
"version": "18.13.0",
"versionType": "semver"
},
{
"lessThan": "9.0.4",
"status": "affected",
"version": "9.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user\u2019s `addonId` without any ownership validation leading to unauthorized access to the victim\u0027s account."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Insecure Direct Object Reference (IDOR)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T21:57:08.277Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://help.whmcs.com/m/125386/l/2073908-cve-2026-29204"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29204",
"datePublished": "2026-05-12T17:46:55.152Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-12T21:57:08.277Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29201 (GCVE-0-2026-29201)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 21:59
VLAI?
Summary
Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed.
Severity ?
8.6 (High)
CWE
- CWE-23 - Relative Path Traversal
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.11
(semver)
|
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29201",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T19:52:34.386985Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T19:52:40.780Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the feature file name in `feature::LOADFEATUREFILE` adminbin call can cause arbitrary file read when a relative file path is passed."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.6,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-23",
"description": "CWE-23 Relative Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T21:59:09.469Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311033698327-Security-CVE-2026-29201-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29201",
"datePublished": "2026-05-08T18:51:05.803Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T21:59:09.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29202 (GCVE-0-2026-29202)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-13 22:03
VLAI?
Summary
Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account's system user.
Severity ?
CWE
- CWE-94 - Code Injection
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.11
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:06.386Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.11",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Insufficient input validation of the `plugin` parameter of the `create_user` plugin allows arbitrary Perl code execution on behalf of the already authenticated account\u0027s system user."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T22:03:15.187Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311426610327-Security-CVE-2026-29202-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29202",
"datePublished": "2026-05-08T18:51:05.585Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-13T22:03:15.187Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29203 (GCVE-0-2026-29203)
Vulnerability from cvelistv5 – Published: 2026-05-08 18:51 – Updated: 2026-05-15 17:14
VLAI?
Summary
A chmod call in the cPanel Nova plugin's Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory.
Severity ?
CWE
- CWE-61 - UNIX Symbolic Link (Symlink) Following
Assigner
References
1 reference
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | cPanel |
Affected:
11.136.0.0 , < 11.136.0.9
(semver)
Affected: 11.134.0.0 , < 11.134.0.25 (semver) Affected: 11.132.0.0 , < 11.132.0.31 (semver) Affected: 11.130.0.0 , < 11.130.0.22 (semver) Affected: 11.126.0.0 , < 11.126.0.58 (semver) Affected: 11.124.0.0 , < 11.124.0.37 (semver) Affected: 11.118.0.0 , < 11.118.0.66 (semver) Affected: 11.110.0.0 , < 11.110.0.117 (semver) Affected: 11.102.0.0 , < 11.102.0.41 (semver) Affected: 11.94.0.0 , < 11.94.0.30 (semver) Affected: 11.86.0.0 , < 11.86.0.43 (semver) |
|
| WebPros | cPanel (CloudLinux 6, CentOS 6) |
Affected:
11.110.0.0 , < 11.110.0.116
(semver)
|
|
| WebPros | WP Squared |
Affected:
11.136.1.0 , < 11.136.1.10
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29203",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:05.260Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "cPanel",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.0.9",
"status": "affected",
"version": "11.136.0.0",
"versionType": "semver"
},
{
"lessThan": "11.134.0.25",
"status": "affected",
"version": "11.134.0.0",
"versionType": "semver"
},
{
"lessThan": "11.132.0.31",
"status": "affected",
"version": "11.132.0.0",
"versionType": "semver"
},
{
"lessThan": "11.130.0.22",
"status": "affected",
"version": "11.130.0.0",
"versionType": "semver"
},
{
"lessThan": "11.126.0.58",
"status": "affected",
"version": "11.126.0.0",
"versionType": "semver"
},
{
"lessThan": "11.124.0.37",
"status": "affected",
"version": "11.124.0.0",
"versionType": "semver"
},
{
"lessThan": "11.118.0.66",
"status": "affected",
"version": "11.118.0.0",
"versionType": "semver"
},
{
"lessThan": "11.110.0.117",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
},
{
"lessThan": "11.102.0.41",
"status": "affected",
"version": "11.102.0.0",
"versionType": "semver"
},
{
"lessThan": "11.94.0.30",
"status": "affected",
"version": "11.94.0.0",
"versionType": "semver"
},
{
"lessThan": "11.86.0.43",
"status": "affected",
"version": "11.86.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "cPanel (CloudLinux 6, CentOS 6)",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.110.0.116",
"status": "affected",
"version": "11.110.0.0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "WP Squared",
"vendor": "WebPros",
"versions": [
{
"lessThan": "11.136.1.10",
"status": "affected",
"version": "11.136.1.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A chmod call in the cPanel Nova plugin\u0027s Cpanel::Nova::Connector follows symlinks, allowing setting root permissions on arbitrary system files or directories. That can cause DoS or local privilege escalation when an authenticated cPanel user places a symlink at a user-controlled legacy Nova path under their home directory."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-61",
"description": "CWE-61 UNIX Symbolic Link (Symlink) Following",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-15T17:14:52.318Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cpanel.net/hc/en-us/articles/40311543760407-Security-CVE-2026-29203-cPanel-WHM-WP2-Security-Update-May-08-2026"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29203",
"datePublished": "2026-05-08T18:51:05.541Z",
"dateReserved": "2026-03-04T15:00:09.267Z",
"dateUpdated": "2026-05-15T17:14:52.318Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29200 (GCVE-0-2026-29200)
Vulnerability from cvelistv5 – Published: 2026-05-04 05:42 – Updated: 2026-05-04 19:44
VLAI?
Summary
A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call.
Severity ?
CWE
- CWE-639 - Insecure Direct Object Reference (IDOR)
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| WebPros | Comet Backup |
Affected:
20.11.0 , < 26.1.2
(semver)
Affected: 26.2.0 , < 26.2.2 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29200",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:44:00.939292Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:44:22.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Comet Backup",
"vendor": "WebPros",
"versions": [
{
"lessThan": "26.1.2",
"status": "affected",
"version": "20.11.0",
"versionType": "semver"
},
{
"lessThan": "26.2.2",
"status": "affected",
"version": "26.2.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A critical IDOR vulnerability has been discovered in Comet Backup affecting all versions from 20.11.0 to 26.1.1 and 26.2.1. The vulnerability allows a tenant administrator to impersonate any end-user account of other tenants on the same server via a vulnerable API call."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:H",
"version": "4.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Insecure Direct Object Reference (IDOR)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T05:42:15.576Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://support.cometbackup.com/hc/en-us/articles/40090945484823--CVE-2026-29200-%D0%A1ritical-IDOR-vulnerability-in-Comet-Backup"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29200",
"datePublished": "2026-05-04T05:42:15.576Z",
"dateReserved": "2026-03-04T15:00:09.266Z",
"dateUpdated": "2026-05-04T19:44:22.056Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29199 (GCVE-0-2026-29199)
Vulnerability from cvelistv5 – Published: 2026-05-04 05:42 – Updated: 2026-05-04 19:43
VLAI?
Summary
phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover.
Severity ?
8.1 (High)
CWE
- CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
Assigner
References
1 reference
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-04T19:42:51.610948Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T19:43:18.257Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "phpBB",
"vendor": "phpBB",
"versions": [
{
"lessThanOrEqual": "3.3.15",
"status": "affected",
"version": "3.0.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "SEONG HUN JEONG (HunSec)"
}
],
"descriptions": [
{
"lang": "en",
"value": "phpBB before 3.3.16 is vulnerable to Host Header Injection that can lead to password rest link poisoning. When force_server_vars is disabled, the servers hostname may be extracted from the HTTP Host header which is used to generate the password reset link URL. An attacker who can manipulate the Host header (e.g. through misconfigured host setup or missing header validation by the webserver) can cause password reset emails to contain a link pointing to an attacker-controlled domain, potentially leading to account takeover."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-04T05:42:15.554Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/3543246"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29199",
"datePublished": "2026-05-04T05:42:15.554Z",
"dateReserved": "2026-03-04T15:00:09.266Z",
"dateUpdated": "2026-05-04T19:43:18.257Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29197 (GCVE-0-2026-29197)
Vulnerability from cvelistv5 – Published: 2026-04-23 23:19 – Updated: 2026-04-24 14:18
VLAI?
Summary
In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs.
Severity ?
4.3 (Medium)
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rocket.Chat | Rocket.Chat |
Affected:
8.4.0 , < 8.4.0
(semver)
Affected: 8.3.2 , < 8.3.2 (semver) Affected: 8.2.2 , < 8.2.2 (semver) Affected: 8.1.3 , < 8.1.3 (semver) Affected: 8.0.4 , < 8.0.4 (semver) Affected: 7.13.6 , < 7.13.6 (semver) Affected: 7.12.7 , < 7.12.7 (semver) Affected: 7.11.7 , < 7.11.7 (semver) Affected: 7.10.10 , < 7.10.10 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29197",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T14:17:53.996452Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T14:18:07.117Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rocket.Chat",
"vendor": "Rocket.Chat",
"versions": [
{
"lessThan": "8.4.0",
"status": "affected",
"version": "8.4.0",
"versionType": "semver"
},
{
"lessThan": "8.3.2",
"status": "affected",
"version": "8.3.2",
"versionType": "semver"
},
{
"lessThan": "8.2.2",
"status": "affected",
"version": "8.2.2",
"versionType": "semver"
},
{
"lessThan": "8.1.3",
"status": "affected",
"version": "8.1.3",
"versionType": "semver"
},
{
"lessThan": "8.0.4",
"status": "affected",
"version": "8.0.4",
"versionType": "semver"
},
{
"lessThan": "7.13.6",
"status": "affected",
"version": "7.13.6",
"versionType": "semver"
},
{
"lessThan": "7.12.7",
"status": "affected",
"version": "7.12.7",
"versionType": "semver"
},
{
"lessThan": "7.11.7",
"status": "affected",
"version": "7.11.7",
"versionType": "semver"
},
{
"lessThan": "7.10.10",
"status": "affected",
"version": "7.10.10",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In versions \u003c8.4.0, \u003c8.3.2, \u003c8.2.2, \u003c8.1.3, \u003c8.0.4, \u003c7.13.6, \u003c7.12.7, \u003c7.11.7, and \u003c7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing authenticated users without the proper permissions to read apps-engine logs."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T23:19:40.722Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/3589551"
},
{
"url": "https://github.com/RocketChat/Rocket.Chat/pull/40125"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29197",
"datePublished": "2026-04-23T23:19:40.722Z",
"dateReserved": "2026-03-04T15:00:09.266Z",
"dateUpdated": "2026-04-24T14:18:07.117Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29198 (GCVE-0-2026-29198)
Vulnerability from cvelistv5 – Published: 2026-04-22 23:30 – Updated: 2026-04-23 17:41
VLAI?
Summary
In Rocket.Chat <8.3.0, <8.2.1, <8.1.2, <8.0.3, <7.13.5, <7.12.6, <7.11.6, and <7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured.
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rocket.Chat | Rocket.Chat |
Unaffected:
8.3.0 , < 8.3.0
(semver)
Unaffected: 8.2.1 , < 8.2.1 (semver) Unaffected: 8.0.3 , < 8.0.3 (semver) Unaffected: 7.13.5 , < 7.13.5 (semver) Unaffected: 7.12.6 , < 7.12.6 (semver) Unaffected: 7.11.6 , < 7.11.6 (semver) Unaffected: 7.10.9 , < 7.10.9 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-29198",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-23T17:41:26.415612Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-23T17:41:50.981Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Rocket.Chat",
"vendor": "Rocket.Chat",
"versions": [
{
"lessThan": "8.3.0",
"status": "unaffected",
"version": "8.3.0",
"versionType": "semver"
},
{
"lessThan": "8.2.1",
"status": "unaffected",
"version": "8.2.1",
"versionType": "semver"
},
{
"lessThan": "8.0.3",
"status": "unaffected",
"version": "8.0.3",
"versionType": "semver"
},
{
"lessThan": "7.13.5",
"status": "unaffected",
"version": "7.13.5",
"versionType": "semver"
},
{
"lessThan": "7.12.6",
"status": "unaffected",
"version": "7.12.6",
"versionType": "semver"
},
{
"lessThan": "7.11.6",
"status": "unaffected",
"version": "7.11.6",
"versionType": "semver"
},
{
"lessThan": "7.10.9",
"status": "unaffected",
"version": "7.10.9",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "In Rocket.Chat \u003c8.3.0, \u003c8.2.1, \u003c8.1.2, \u003c8.0.3, \u003c7.13.5, \u003c7.12.6, \u003c7.11.6, and \u003c7.10.9, a NoSQL injection vulnerability can lead to account takeover of the first user with a generated token when an OAuth app is configured."
}
],
"providerMetadata": {
"dateUpdated": "2026-04-22T23:30:15.355Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/3564655"
},
{
"url": "https://github.com/RocketChat/Rocket.Chat/pull/39492"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-29198",
"datePublished": "2026-04-22T23:30:15.355Z",
"dateReserved": "2026-03-04T15:00:09.266Z",
"dateUpdated": "2026-04-23T17:41:50.981Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21709 (GCVE-0-2026-21709)
Vulnerability from cvelistv5 – Published: 2026-04-17 15:32 – Updated: 2026-04-20 14:06
VLAI?
Summary
A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement.
Severity ?
6.7 (Medium)
CWE
- CWE-77 - Command Injection - Generic
Assigner
References
2 references
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Veeam | Backup and Replication |
Affected:
12 , < 12.3.2
(semver)
|
|
| Veeam | Software Appliance |
Affected:
13 , < 13.0.1
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 6.7,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-21709",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-18T03:55:57.432669Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-20T14:06:52.636Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Backup and Replication",
"vendor": "Veeam",
"versions": [
{
"lessThan": "12.3.2",
"status": "affected",
"version": "12",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Software Appliance",
"vendor": "Veeam",
"versions": [
{
"lessThan": "13.0.1",
"status": "affected",
"version": "13",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability allowing a local attacker with administrator privileges to bypass Windows Driver Signature Enforcement."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-17T15:32:10.755Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://www.veeam.com/kb4830"
},
{
"url": "https://www.veeam.com/kb4831"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21709",
"datePublished": "2026-04-17T15:32:10.755Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-04-20T14:06:52.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22563 (GCVE-0-2026-22563)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:28 – Updated: 2026-04-14 13:14
VLAI?
Summary
A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network.
Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later
Severity ?
9.8 (Critical)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Play PowerAmp |
Affected:
0 , < 1.0.38
(semver)
|
|
| Ubiquiti Inc | UniFi Play Audio Port |
Affected:
0 , < 1.1.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22563",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T12:59:16.083892Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:14:19.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Play PowerAmp",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UniFi Play Audio Port",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A series of Improper Input Validation vulnerabilities could allow a Command Injection by a malicious actor with access to the UniFi Play network.\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:28:11.100Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22563",
"datePublished": "2026-04-13T21:28:11.100Z",
"dateReserved": "2026-01-07T15:39:03.440Z",
"dateUpdated": "2026-04-14T13:14:19.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22562 (GCVE-0-2026-22562)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:28 – Updated: 2026-04-14 13:14
VLAI?
Summary
A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).
Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later
Severity ?
9.8 (Critical)
CWE
- CWE-22 - Path Traversal
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Play PowerAmp |
Affected:
0 , < 1.0.38
(semver)
|
|
| Ubiquiti Inc | UniFi Play Audio Port |
Affected:
0 , < 1.1.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22562",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T12:58:13.202458Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:14:19.709Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Play PowerAmp",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UniFi Play Audio Port",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A malicious actor with access to the UniFi Play network could exploit a Path Traversal vulnerability found in the device firmware to write files on the system that could be used for a remote code execution (RCE).\n \nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028UniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028Update UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22 Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:28:11.025Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22562",
"datePublished": "2026-04-13T21:28:11.025Z",
"dateReserved": "2026-01-07T15:39:03.440Z",
"dateUpdated": "2026-04-14T13:14:19.709Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22566 (GCVE-0-2026-22566)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:28 – Updated: 2026-04-14 13:14
VLAI?
Summary
An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.
Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later
Severity ?
7.5 (High)
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Play PowerAmp |
Affected:
0 , < 1.0.38
(semver)
|
|
| Ubiquiti Inc | UniFi Play Audio Port |
Affected:
0 , < 1.1.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22566",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T12:59:25.303372Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:14:19.836Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Play PowerAmp",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UniFi Play Audio Port",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to obtain UniFi Play WiFi credentials.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:28:10.973Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22566",
"datePublished": "2026-04-13T21:28:10.973Z",
"dateReserved": "2026-01-07T15:39:03.441Z",
"dateUpdated": "2026-04-14T13:14:19.836Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22565 (GCVE-0-2026-22565)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:28 – Updated: 2026-04-14 20:18
VLAI?
Summary
An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.
Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later
Severity ?
7.5 (High)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Play PowerAmp |
Affected:
0 , < 1.0.38
(semver)
|
|
| Ubiquiti Inc | UniFi Play Audio Port |
Affected:
0 , < 1.1.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-22565",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T20:18:25.833804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T20:18:31.138Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Play PowerAmp",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UniFi Play Audio Port",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Improper Input Validation vulnerability could allow a malicious actor with access to the UniFi Play network to cause the device to stop responding.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:28:10.916Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22565",
"datePublished": "2026-04-13T21:28:10.916Z",
"dateReserved": "2026-01-07T15:39:03.441Z",
"dateUpdated": "2026-04-14T20:18:31.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22564 (GCVE-0-2026-22564)
Vulnerability from cvelistv5 – Published: 2026-04-13 21:28 – Updated: 2026-04-14 13:14
VLAI?
Summary
An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.
Affected Products:
UniFi Play PowerAmp (Version 1.0.35 and earlier)
UniFi Play Audio Port (Version 1.0.24 and earlier)
Mitigation:
Update UniFi Play PowerAmp to Version 1.0.38 or later
Update UniFi Play Audio Port to Version 1.1.9 or later
Severity ?
9.8 (Critical)
CWE
- CWE-284 - Improper Access Control - Generic
Assigner
References
1 reference
Impacted products
2 products
| Vendor | Product | Version | |
|---|---|---|---|
| Ubiquiti Inc | UniFi Play PowerAmp |
Affected:
0 , < 1.0.38
(semver)
|
|
| Ubiquiti Inc | UniFi Play Audio Port |
Affected:
0 , < 1.1.9
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22564",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T12:59:47.135052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T13:14:19.961Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "UniFi Play PowerAmp",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.0.38",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "UniFi Play Audio Port",
"vendor": "Ubiquiti Inc",
"versions": [
{
"lessThan": "1.1.9",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An Improper Access Control vulnerability could allow a malicious actor with access to the UniFi Play network to enable SSH to make unauthorized changes to the system.\u2028 \n\nAffected Products:\nUniFi Play PowerAmp (Version 1.0.35 and earlier)\u2028\nUniFi Play Audio Port\u00a0 (Version 1.0.24 and earlier)\u2028 \n\nMitigation:\nUpdate UniFi Play PowerAmp to Version 1.0.38 or later\u2028\nUpdate UniFi Play Audio Port\u00a0 to Version 1.1.9 or later"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control - Generic",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-13T21:28:10.865Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://community.ui.com/releases/Security-Advisory-Bulletin-063/e468dd4b-5090-4ef8-89d8-939903c08e83"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22564",
"datePublished": "2026-04-13T21:28:10.865Z",
"dateReserved": "2026-01-07T15:39:03.440Z",
"dateUpdated": "2026-04-14T13:14:19.961Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22560 (GCVE-0-2026-22560)
Vulnerability from cvelistv5 – Published: 2026-04-10 17:00 – Updated: 2026-04-14 19:04
VLAI?
Summary
An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint.
Severity ?
5.3 (Medium)
CWE
- CWE-601 - Open Redirect
Assigner
References
2 references
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Rocket.Chat | Rocket.Chat |
Affected:
8.4.0 , < 8.4.0
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-22560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-14T19:04:29.881437Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-14T19:04:32.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Rocket.Chat",
"vendor": "Rocket.Chat",
"versions": [
{
"lessThan": "8.4.0",
"status": "affected",
"version": "8.4.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An open redirect vulnerability in Rocket.Chat versions prior to 8.4.0 allows users to be redirected to arbitrary URLs by manipulating parameters within a SAML endpoint."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-601",
"description": "CWE-601 Open Redirect",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T17:00:11.746Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://hackerone.com/reports/3418031"
},
{
"url": "https://github.com/RocketChat/Rocket.Chat/pull/38994"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22560",
"datePublished": "2026-04-10T17:00:11.746Z",
"dateReserved": "2026-01-07T15:39:03.440Z",
"dateUpdated": "2026-04-14T19:04:32.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22561 (GCVE-0-2026-22561)
Vulnerability from cvelistv5 – Published: 2026-03-31 15:30 – Updated: 2026-05-10 13:58
VLAI?
Summary
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer.
Severity ?
CWE
- CWE-427 - Uncontrolled Search Path Element
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Anthropic | Claude Desktop - Windows |
Affected:
0 , < 1.1.3363
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22561",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T16:27:37.909291Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-427",
"description": "CWE-427 Uncontrolled Search Path Element",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:58:31.956Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Claude Desktop - Windows",
"vendor": "Anthropic",
"versions": [
{
"lessThan": "1.1.3363",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto, a security reseaercher at GMO Cybersecurity by IERAE, Inc"
}
],
"descriptions": [
{
"lang": "en",
"value": "Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enabling arbitrary code execution if a malicious DLL is planted alongside the installer."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"version": "4.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:13:52.328Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://trust.anthropic.com/resources?s=1cvig6ldp3zvuj1yffzr11\u0026name=cve-2026-22561-dll-search-order-hijacking-in-claude-for-windows-installer"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-22561",
"datePublished": "2026-03-31T15:30:38.876Z",
"dateReserved": "2026-01-07T15:39:03.440Z",
"dateUpdated": "2026-05-10T13:58:31.956Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21710 (GCVE-0-2026-21710)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 13:55
VLAI?
Summary
A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**
Severity ?
7.5 (High)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21710",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T13:55:20.665443Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770 Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T13:55:23.719Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.\r\n\r\nWhen this occurs, `dest[\"__proto__\"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.\r\n\r\n* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**"
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.558Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21710",
"datePublished": "2026-03-30T19:07:28.558Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-03-31T13:55:23.719Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21716 (GCVE-0-2026-21716)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 14:27
VLAI?
Summary
An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.
As a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted.
Severity ?
CWE
- CWE-862 - Missing Authorization
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21716",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:27:06.373734Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:27:23.323Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-write` can still use promise-based `FileHandle` methods to modify file permissions and ownership on already-open file descriptors, bypassing the intended write restrictions.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-write` is intentionally restricted."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.538Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21716",
"datePublished": "2026-03-30T19:07:28.538Z",
"dateReserved": "2026-01-04T15:00:06.575Z",
"dateUpdated": "2026-03-31T14:27:23.323Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21711 (GCVE-0-2026-21711)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:03
VLAI?
Summary
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.
As a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.
This vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature.
Severity ?
5.3 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
25.8.1 , ≤ 25.8.1
(semver)
Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21711",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:02:57.115426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:03:21.612Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket (UDS) server operations without the required permission checks, while all comparable network paths correctly enforce them.\r\n\r\nAs a result, code running under `--permission` without `--allow-net` can create and expose local IPC endpoints, allowing communication with other processes on the same host outside of the intended network restriction boundary.\r\n\r\nThis vulnerability affects Node.js **25.x** processes using the Permission Model where `--allow-net` is intentionally omitted to restrict network access. Note that `--allow-net` is currently an experimental feature."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.526Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21711",
"datePublished": "2026-03-30T19:07:28.526Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-04-01T15:03:21.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21715 (GCVE-0-2026-21715)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-04-01 15:02
VLAI?
Summary
A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.
As a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted.
Severity ?
CWE
- CWE-732 - Incorrect Permission Assignment for Critical Resource
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21715",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T14:55:13.031405Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-732",
"description": "CWE-732 Incorrect Permission Assignment for Critical Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:02:10.706Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js Permission Model filesystem enforcement leaves `fs.realpathSync.native()` without the required read permission checks, while all comparable filesystem functions correctly enforce them.\r\n\r\nAs a result, code running under `--permission` with restricted `--allow-fs-read` can still use `fs.realpathSync.native()` to check file existence, resolve symlink targets, and enumerate filesystem paths outside of permitted directories.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x** processes using the Permission Model where `--allow-fs-read` is intentionally restricted."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 3.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.507Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21715",
"datePublished": "2026-03-30T19:07:28.507Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-04-01T15:02:10.706Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21717 (GCVE-0-2026-21717)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-05-10 13:16
VLAI?
Summary
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process.
The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Severity ?
5.9 (Medium)
CWE
- CWE-328 - Use of Weak Hash
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21717",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T19:46:02.350544Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328 Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:16:01.620Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in V8\u0027s string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8\u0027s internal string table, an attacker can significantly degrade performance of the Node.js process.\r\n\r\nThe most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.415Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21717",
"datePublished": "2026-03-30T19:07:28.415Z",
"dateReserved": "2026-01-04T15:00:06.575Z",
"dateUpdated": "2026-05-10T13:16:01.620Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21713 (GCVE-0-2026-21713)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-05-10 13:17
VLAI?
Summary
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.
Node.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.
This vulnerability affects **20.x, 22.x, 24.x, and 25.x**.
Severity ?
5.9 (Medium)
CWE
- CWE-208 - Observable Timing Discrepancy
Assigner
References
1 reference
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| nodejs | node |
Affected:
20.20.1 , ≤ 20.20.1
(semver)
Affected: 22.22.1 , ≤ 22.22.1 (semver) Affected: 24.14.0 , ≤ 24.14.0 (semver) Affected: 25.8.1 , ≤ 25.8.1 (semver) Affected: 4.0 , < 4.* (semver) Affected: 5.0 , < 5.* (semver) Affected: 6.0 , < 6.* (semver) Affected: 7.0 , < 7.* (semver) Affected: 8.0 , < 8.* (semver) Affected: 9.0 , < 9.* (semver) Affected: 10.0 , < 10.* (semver) Affected: 11.0 , < 11.* (semver) Affected: 12.0 , < 12.* (semver) Affected: 13.0 , < 13.* (semver) Affected: 14.0 , < 14.* (semver) Affected: 15.0 , < 15.* (semver) Affected: 16.0 , < 16.* (semver) Affected: 17.0 , < 17.* (semver) Affected: 18.0 , < 18.* (semver) Affected: 19.0 , < 19.* (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21713",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T19:45:13.027379Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-208",
"description": "CWE-208 Observable Timing Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:17:50.281Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
},
{
"lessThan": "4.*",
"status": "affected",
"version": "4.0",
"versionType": "semver"
},
{
"lessThan": "5.*",
"status": "affected",
"version": "5.0",
"versionType": "semver"
},
{
"lessThan": "6.*",
"status": "affected",
"version": "6.0",
"versionType": "semver"
},
{
"lessThan": "7.*",
"status": "affected",
"version": "7.0",
"versionType": "semver"
},
{
"lessThan": "8.*",
"status": "affected",
"version": "8.0",
"versionType": "semver"
},
{
"lessThan": "9.*",
"status": "affected",
"version": "9.0",
"versionType": "semver"
},
{
"lessThan": "10.*",
"status": "affected",
"version": "10.0",
"versionType": "semver"
},
{
"lessThan": "11.*",
"status": "affected",
"version": "11.0",
"versionType": "semver"
},
{
"lessThan": "12.*",
"status": "affected",
"version": "12.0",
"versionType": "semver"
},
{
"lessThan": "13.*",
"status": "affected",
"version": "13.0",
"versionType": "semver"
},
{
"lessThan": "14.*",
"status": "affected",
"version": "14.0",
"versionType": "semver"
},
{
"lessThan": "15.*",
"status": "affected",
"version": "15.0",
"versionType": "semver"
},
{
"lessThan": "16.*",
"status": "affected",
"version": "16.0",
"versionType": "semver"
},
{
"lessThan": "17.*",
"status": "affected",
"version": "17.0",
"versionType": "semver"
},
{
"lessThan": "18.*",
"status": "affected",
"version": "18.0",
"versionType": "semver"
},
{
"lessThan": "19.*",
"status": "affected",
"version": "19.0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior could be exploited as a timing oracle to infer HMAC values.\r\n\r\nNode.js already provides timing-safe comparison primitives used elsewhere in the codebase, indicating this is an oversight rather than an intentional design decision.\r\n\r\nThis vulnerability affects **20.x, 22.x, 24.x, and 25.x**."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.356Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21713",
"datePublished": "2026-03-30T19:07:28.356Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-05-10T13:17:50.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21714 (GCVE-0-2026-21714)
Vulnerability from cvelistv5 – Published: 2026-03-30 19:07 – Updated: 2026-03-31 18:05
VLAI?
Summary
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.
This vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25.
Severity ?
5.3 (Medium)
CWE
- CWE-401 - Missing Release of Memory after Effective Lifetime
Assigner
References
1 reference
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21714",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T16:14:45.777607Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-401",
"description": "CWE-401 Missing Release of Memory after Effective Lifetime",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:05:22.283Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "20.20.1",
"status": "affected",
"version": "20.20.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "22.22.1",
"status": "affected",
"version": "22.22.1",
"versionType": "semver"
},
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed the maximum value of 2\u00b3\u00b9-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up.\r\n\r\nThis vulnerability affects HTTP2 users on Node.js 20, 22, 24 and 25."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T19:07:28.317Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21714",
"datePublished": "2026-03-30T19:07:28.317Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-03-31T18:05:22.283Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21712 (GCVE-0-2026-21712)
Vulnerability from cvelistv5 – Published: 2026-03-30 15:13 – Updated: 2026-05-10 13:16
VLAI?
Summary
A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process.
Severity ?
5.7 (Medium)
CWE
- CWE-20 - Improper Input Validation
Assigner
References
2 references
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21712",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T15:52:17.619170Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20 Improper Input Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-10T13:16:37.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "node",
"vendor": "nodejs",
"versions": [
{
"lessThanOrEqual": "24.14.0",
"status": "affected",
"version": "24.14.0",
"versionType": "semver"
},
{
"lessThanOrEqual": "25.8.1",
"status": "affected",
"version": "25.8.1",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw in Node.js URL processing causes an assertion failure in native code when `url.format()` is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process."
}
],
"metrics": [
{
"cvssV3_0": {
"baseScore": 5.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H",
"version": "3.0"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T15:13:59.172Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"url": "https://nodejs.org/en/blog/vulnerability/march-2026-security-releases"
},
{
"url": "https://hackerone.com/reports/3546390"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2026-21712",
"datePublished": "2026-03-30T15:13:59.172Z",
"dateReserved": "2026-01-04T15:00:06.574Z",
"dateUpdated": "2026-05-10T13:16:37.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}