|
611
|
8.8 |
HIGH
Network
|
-
|
-
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The application does not properly sanitize user input in the /api/sftp/uploadFiles endpoint, allowing the injectio…
New
|
CWE-78
OS Command
|
CVE-2026-46746
|
2026-06-9 22:49 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
612
|
4.3 |
MEDIUM
Network
|
-
|
-
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application does not properly sanitize path input in the `GET /api/sftp/uploadFiles` endpoint used fo…
New
|
CWE-26
Path Traversal: '/dir/../filename'
|
CVE-2026-46747
|
2026-06-9 22:49 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
613
|
8.8 |
HIGH
Network
|
-
|
-
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected system includes a binary that is configured with the cap_dac_override capability. This capability all…
New
|
CWE-250
Execution with Unnecessary Privileges
|
CVE-2026-46748
|
2026-06-9 22:49 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
614
|
7.5 |
HIGH
Local
|
-
|
-
|
A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 6). The affected application uses a password hashing implementation with a static, hardcoded salt shared across all us…
New
|
CWE-760
Use of a One-Way Hash with a Predictable Salt
|
CVE-2026-46749
|
2026-06-9 22:49 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
615
|
4.7 |
MEDIUM
Local
|
-
|
-
|
A path traversal vulnerability was found in awxkit, the CLI tool for AWX. The YAML !include directive does not sanitize file paths, allowing an attacker to craft a malicious YAML file that reads arbi…
New
|
CWE-22
Path Traversal
|
CVE-2026-52902
|
2026-06-9 22:49 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
616
|
- |
|
-
|
-
|
When ALLOW_INSECURE_RAW_TEXT is enabled, whitespace-variant closing tags (e.g., </style\t>) are not recognized by the sanitizer but accepted by browsers as valid end tags, allowing subsequent content…
New
|
CWE-79
CWE-436
Cross-site Scripting
Interpretation Conflict
|
CVE-2026-47344
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
617
|
- |
|
-
|
-
|
Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2.
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-47345
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
618
|
- |
|
-
|
-
|
Backend users with access to the Form Framework were able to use files not ending in .form.yaml as form definitions, which were processed without denying the incorrect file extension. Maliciously cra…
New
|
CWE-862
Missing Authorization
|
CVE-2026-11607
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
619
|
- |
|
-
|
-
|
Non-privileged backend users with file mount access were able to perform write operations (move, delete, rename) on folders representing the root of an active file mount due to missing authorization …
New
|
CWE-862
Missing Authorization
|
CVE-2026-47343
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
620
|
- |
|
-
|
-
|
Backend users with file write permissions were able to upload form definition files with mixed-case extensions (e.g., .FORM.YAML) to bypass the Form Framework's upload restriction. Maliciously crafte…
New
|
CWE-178
CWE-862
Improper Handling of Case Sensitivity
Missing Authorization
|
CVE-2026-47346
|
2026-06-9 22:46 |
2026-06-9 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
