5.5

CVSS3.1

CVE-2026-39390 - CI4MS has Stored XSS via srcdoc attribute bypass in Google Maps iframe setting

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Google Maps iframe setting (cMap field) in compInfosPost() sanitizes input using strip_tags() with an <iframe> allowlist and regex-bas…

📅 Published: April 8, 2026, 2:29 p.m. 🔄 Last Modified: April 8, 2026, 7:26 p.m.

6.7

CVSS3.1

CVE-2026-39389 - CI4MS has a Hidden Items Authorization Bypass in Fileeditor Allows Reading Secrets and Writing Prot…

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, This vulnerability is fixed in 0.31.4.0.

📅 Published: April 8, 2026, 2:28 p.m. 🔄 Last Modified: April 8, 2026, 7:26 p.m.

5.9

CVSS3.1

CVE-2026-39865 - Axios HTTP/2 Session Cleanup State Corruption Vulnerability

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSess…

📅 Published: April 8, 2026, 2:25 p.m. 🔄 Last Modified: April 8, 2026, 7:26 p.m.

6.4

CVSS3.1

CVE-2025-58713 - Rhpam: privilege escalation via excessive /etc/passwd permissions

A container privilege escalation flaw was found in certain Red Hat Process Automation Manager images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container,…

📅 Published: April 8, 2026, 1:55 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.

6.4

CVSS3.1

CVE-2025-57853 - Web-terminal: privilege escalation via excessive /etc/passwd permissions

A container privilege escalation flaw was found in certain Web Terminal images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root us…

📅 Published: April 8, 2026, 1:55 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.

6.4

CVSS3.1

CVE-2025-57854 - Osus-operator: privilege escalation via excessive /etc/passwd permissions

A container privilege escalation flaw was found in certain OpenShift Update Service (OSUS) images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, ev…

📅 Published: April 8, 2026, 1:55 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.

6.4

CVSS3.1

CVE-2025-57851 - Mce: privilege escalation via excessive /etc/passwd permissions

A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container,…

📅 Published: April 8, 2026, 1:55 p.m. 🔄 Last Modified: April 8, 2026, 7:26 p.m.

6.4

CVSS3.1

CVE-2025-57847 - Ansible-automation-platform: privilege escalation via excessive group writable /etc/passwd permissi…

A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the build process. In certain conditions, an attacker who can execute commands within an affected container…

📅 Published: April 8, 2026, 1:55 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.

7.4

CVSS3.1

CVE-2026-5795 - ThreadLocal Variable Leak Allows Thread-Based Privilege Escalation in Eclipse Jetty JASPIAuthentica…

In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variables. Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals. A subsequent requ…

📅 Published: April 8, 2026, 1:32 p.m. 🔄 Last Modified: April 8, 2026, 7:39 p.m.

6.4

CVSS3.1

CVE-2026-2509 - Page Builder: Pagelayer <= 2.0.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via But…

The Page Builder: Pagelayer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Button widget's Custom Attributes field in all versions up to, and including, 2.0.8. This is due to an incomplete event handler blocklist in the 'pagelayer_xss_content' XSS filtering function, whic…

📅 Published: April 8, 2026, 1:26 p.m. 🔄 Last Modified: April 8, 2026, 7:27 p.m.