Search Results (352599 CVEs found)
| CVE | Updated | CVSS v3.1 | Description |
|---|---|---|---|
| CVE-2026-40384 | 2026-05-26 | N/A | An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability. |
| CVE-2026-48905 | 2026-05-26 | N/A | Lack of input filtering leads to an XSS vector in the HTML filter code. |
| CVE-2026-48897 | 2026-05-26 | N/A | Insufficient state checks lead to a vector that allows bypassing 2FA checks. |
| CVE-2026-25901 | 2026-05-26 | N/A | Lack of output escaping leads to an XSS vector in the multilingual associations component. |
| CVE-2026-48126 | 2026-05-26 | 8.2 High | Algernon is a small self-contained pure-Go web server. Prior to 1.17.8, when algernon is started with --domain (or --letsencrypt, which silently turns on --domain at engine/flags.go:372), the request handler resolves the served directory by joining the configured --dir with the value of the client-supplied Host header. The join is performed by filepath.Join with no validation, so a Host: .. header walks one level above the document root. Subsequent file resolution then exposes everything in that parent directory — arbitrary file read, full directory listing, and, if any .lua file is present, server-side Lua execution. This vulnerability is fixed in 1.17.8. |
| CVE-2026-48899 | 2026-05-26 | N/A | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-48900 | 2026-05-26 | N/A | An improper access check allowed low privileged users to edit the task types of existing scheduler tasks. |
| CVE-2026-48902 | 2026-05-26 | N/A | The password and username reset features created plain http links for https connections if the "Force SSL" flag wasn't explicitly set. |
| CVE-2026-35223 | 2026-05-26 | N/A | An improper access check allows unauthorized access to com_config webservice endpoints. |
| CVE-2026-25900 | 2026-05-26 | N/A | Lack of output escaping leads to an XSS vector in the feed modules. |
| CVE-2026-48904 | 2026-05-26 | N/A | An improper access check allows privilege escalation through the com_users group editing webservice endpoint. |
| CVE-2026-30895 | 2026-05-26 | N/A | Lack of output escaping leads to an XSS vector in the readmore links for com_content. |
| CVE-2026-48898 | 2026-05-26 | N/A | An improper access check allows privilege escalation through the com_users batch task. |
| CVE-2026-30894 | 2026-05-26 | N/A | Lack of output escaping leads to an XSS vector in the content history component. |
| CVE-2026-48901 | 2026-05-26 | N/A | The InputFilter::getInstance() method omitted a security sensitive parameter from the instance cache key. |
| CVE-2026-46431 | 2026-05-26 | 4.3 Medium | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard * regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient to let any third-party page the developer visits open a cross-origin EventSource to the SSE port and read the live filename stream from JavaScript. This vulnerability is fixed in 1.17.7. |
| CVE-2026-46430 | 2026-05-26 | 4.3 Medium | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7. |
| CVE-2026-48091 | 2026-05-26 | N/A | Further research determined the issue is not a vulnerability. |
| CVE-2026-45728 | 2026-05-26 | 7.5 High | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7. |
| CVE-2026-45721 | 2026-05-26 | 9 Critical | Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is asked for any URL path that resolves to a directory without an index file, DirPage walks upward through parent directories — past the configured server root — looking for a file named handler.lua to execute as the request handler. The loop terminates only after 100 ancestor steps or when filepath.Dir returns ., so on any absolute server-root path the search reaches the filesystem root (/ on Unix, drive letter on Windows). The first handler.lua it finds is loaded into the Lua interpreter with the full Algernon API exposed — including run3(), httpclient, os.execute, io.popen, PQ, MSSQL, raw filesystem access, and the userstate database. Any process that can write handler.lua anywhere in a parent directory of the server root obtains pre-authenticated remote code execution on the next HTTP request. This is reachable without authentication — the lookup happens before the permission check returns a hit (the perm system only gates URL prefixes, not the handler-resolution step), and any URL pointing at a directory without an index triggers the walk. On a fresh stock Algernon install the request GET / is enough. This vulnerability is fixed in 1.17.7. |