CVE-2022-24241
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter
CVSS
7.5
High
EPSS
0.9%
p55
KEV
—
Exploit Today
17
0-100
Published: Jun 2, 2022 · Last modified: Jul 9, 2026 · CWE-610
0.9%EPSS · 30 days1.1%
2026-06-302026-07-16
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-108167.5 HIG33.6%
——10Arbitrary File Read (Unauthenticated) in NetScaler ADC and NetScaler Gateway if the access to NSIP, Cluster Management IP or SNIP with management access is enabled15dCVE-2026-155838.6 HIG23.2%
——7A confused-deputy flaw in Grafana MCP Server allows an unauthenticated remote attacker to exfiltrate the server's environment-configured Grafana service-account token by supplying a crafted X-Grafana-URL request header. This also enables SSRF against arbitrary internal services, including cloud metadata endpoints.2dCVE-2026-12879—8.6%
——3An Improper Input Validation vulnerability in BigQuery DAO in Google Cloud Apigee versions prior to 2026-06-12 on Google Cloud Platform allows an authenticated attacker to exfiltrate cross-tenant data.
This vulnerability was patched on 12 June 2026 on the Apigee Servers, and no customer action is needed.8d