2.7
CVE-2024-48928 - Piwigo's secret key can be brute forced
Piwigo is an open source photo gallery application for the web. In versions on the 14.x branch, when installing, the secret_key configuration parameter is set to MD5(RAND()) in MySQL. However, RAND() only has 30 bits of randomness, making it feasible to brute-force the secret key. The CSRF token isโฆ
8.9
CVE-2026-27590 - Caddy: Unicode case-folding length expansion causes incorrect split_path index (SCRIPT_NAME/PATH_INโฆ
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's FastCGI path splitting logic computes the split index on a lowercased copy of the request path and then uses that byte index to slice the original path. This is unsafe for Unicode because `strings.ToLoโฆ
6.9
CVE-2026-27589 - Caddy vulnerable to cross-origin config application via local admin API /load (caddy)
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen `127.0.0.1:2019`) exposes a state-changing `POST /load` endpoint that replaces the entire running configuration. When origin enforcement is not enabled (`enforce_origiโฆ
7.7
CVE-2026-27588 - Caddy: MatchHost becomes case-sensitive for large host lists (>100), enabling host-based route/authโฆ
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `host` request matcher is documented as case-insensitive, but when configured with a large host list (>100 entries) it becomes case-sensitive due to an optimized matching path. An attacker can bypโฆ
7.7
CVE-2026-27587 - Caddy: MatchPath %xx (escaped-path) branch skips case normalization, enabling path-based route/authโฆ
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, Caddy's HTTP `path` request matcher is intended to be case-insensitive, but when the match pattern contains percent-escape sequences (`%xx`) it compares against the request's escaped path without lowercasing. โฆ
8.8
CVE-2026-27586 - Caddy's mTLS client authentication silently fails open when CA certificate file is missing or malfoโฆ
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, two swallowed errors in `ClientAuthentication.provision()` cause mTLS client certificate authentication to silently fail open when a CA certificate file is missing, unreadable, or malformed. The server starts โฆ
6.9
CVE-2026-27585 - Caddy's improper sanitization of glob characters in file matcher may lead to bypassing security proโฆ
Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the path sanitization routine in file matcher doesn't sanitize backslashes which can lead to bypassing path related security protections. It affects users with specific Caddy and environment configurations. Veโฆ
5.9
CVE-2026-27571 - nats-server websockets are vulnerable to pre-auth memory DoS
NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. The WebSockets handling of NATS messages handles compressed messages via the WebSockets negotiated compression. Prior to versions 2.11.2 and 2.12.3, the implementation bound the memory size of a NATS mesโฆ
8.6
CVE-2025-13776 - Hard-coded database credentials in Finka software
Multiple Finka programs use hard-coded Firebird database credentials (shared across all instances of this software). A malicious attacker in local network who knows default credentials is able to read and edit database content. This vulnerability has been fixed in version: Finka-FK 18.5, Finka-KPRโฆ
5.7
CVE-2025-47904 - Unsigned upgrade package
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5.