7.2

CVSS3.1

CVE-2024-1490 - Wago: Vulnerability in WBM through Open VPN

An authenticated remote attacker with high privileges can exploit the OpenVPN configuration via the web-based management interface of a WAGO PLC. If user-defined scripts are permitted, OpenVPN may allow the execution of arbitrary shell commands enabling the attacker to run arbitrary commands on the…

📅 Published: April 9, 2026, 10:52 a.m. 🔄 Last Modified: April 10, 2026, 9:32 a.m.

3.7

CVSS3.1

CVE-2026-24661 - Unbounded Request Body Read in MS Teams Plugin {{/changes}} Webhook Endpoint

Mattermost Plugins versions <=2.1.3.0 fail to limit the request body size on the {{/changes}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00611

📅 Published: April 9, 2026, 10:12 a.m. 🔄 Last Modified: April 10, 2026, 8:53 a.m.

3.7

CVSS3.1

CVE-2026-21388 - Unbounded Request Body Read in MS Teams Plugin {{/lifecycle}} Webhook Endpoint

Mattermost Plugins versions <=2.3.1 fail to limit the request body size on the {{/lifecycle}} webhook endpoint which allows an authenticated attacker to cause memory exhaustion and denial of service via sending an oversized JSON payload. Mattermost Advisory ID: MMSA-2026-00610

📅 Published: April 9, 2026, 10:09 a.m. 🔄 Last Modified: April 10, 2026, 8:53 a.m.

8.7

CVSS4.0

CVE-2026-34185 - SQL Injection in Hydrosystem Control System

Hydrosystem Control System is vulnerable to SQL Injection across most scripts and input parameters. Because no protections are in place, an authenticated attacker can inject arbitrary SQL commands, potentially gaining full control over the database. This issue was fixed in Hydrosystem Control System…

📅 Published: April 9, 2026, 9:41 a.m. 🔄 Last Modified: April 10, 2026, 8:53 a.m.

8.8

CVSS4.0

CVE-2026-34184 - Missing Authorization in Hydrosystem Control System

Hydrosystem Control System does not enforce authorization for some directories. This allows an unauthorized attacker to read all files in these directories and even execute some of them. Critically the attacker could run PHP scripts directly on the connected database. This issue was fixed in Hydrosy…

📅 Published: April 9, 2026, 9:41 a.m. 🔄 Last Modified: April 10, 2026, 8:53 a.m.

6.9

CVSS4.0

CVE-2026-4901 - Insertion of Sensitive Information into Log File in Hydrosystem Control System

Hydrosystem Control System saves sensitive information into a log file. Critically, user credentials are logged, allowing the attacker to obtain further authorized access into the system. Combined with vulnerability CVE-2026-34184, this sensitive information could be accessed by an unauthorized use…

📅 Published: April 9, 2026, 9:40 a.m. 🔄 Last Modified: April 10, 2026, 8:53 a.m.

7.5

CVSS3.1

CVE-2025-62188 - Apache DolphinScheduler: Users can access sensitive information through the actuator endpoint.

An Exposure of Sensitive Information to an Unauthorized Actor vulnerability exists in Apache DolphinScheduler. This vulnerability may allow unauthorized actors to access sensitive information, including database credentials. This issue affects Apache DolphinScheduler versions 3.1.*. Users are …

📅 Published: April 9, 2026, 9:27 a.m. 🔄 Last Modified: April 10, 2026, 9:33 a.m.

9.1

CVSS3.1

CVE-2026-34179 - Update of type field in restricted TLS certificate allows privilege escalation to cluster admin

In Canonical LXD versions 4.12 through 6.7, the doCertificateUpdate function in lxd/certificates.go does not validate the Type field when handling PUT/PATCH requests to /1.0/certificates/{fingerprint} for restricted TLS certificate users, allowing a remote authenticated attacker to escalate privile…

📅 Published: April 9, 2026, 9:22 a.m. 🔄 Last Modified: April 10, 2026, 9:33 a.m.

9.1

CVSS3.1

CVE-2026-34178 - Importing a crafted backup leads to project restriction bypass

In Canonical LXD before 6.8, the backup import path validates project restrictions against backup/index.yaml in the supplied tar archive but creates the instance from backup/container/backup.yaml, a separate file in the same archive that is never checked against project restrictions. An authenticat…

📅 Published: April 9, 2026, 9:18 a.m. 🔄 Last Modified: April 10, 2026, 9:33 a.m.

9.1

CVSS3.1

CVE-2026-34177 - VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf

Canonical LXD versions 4.12 through 6.7 contain an incomplete denylist in isVMLowLevelOptionForbidden (lxd/project/limits/permissions.go), which omits raw.apparmor and raw.qemu.conf from the set of keys blocked under the restricted.virtual-machines.lowlevel=block project restriction. A remote attac…

📅 Published: April 9, 2026, 9:15 a.m. 🔄 Last Modified: April 10, 2026, 9:33 a.m.
Total results: 343980