PULSE
EN VIVO41señales / 24h
FEED
ransomkrybit reclama a eitzchaim.com · IL · Not Foundransomkrybit reclama a formasuniversales.com · MX · Business Servicesransomkrybit reclama a rehabmalaysia.com · MY · Healthcareransomkrybit reclama a www.lagus.cz · CZ · Business Servicesransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Servicesransomchaos reclama a radiax.com · US · Technologyransominterlock reclama a Converting Equipment International · GB · Manufacturingransomblack x reclama a sanaa · YE · Not Foundransomkrybit reclama a eitzchaim.com · IL · Not Foundransomkrybit reclama a formasuniversales.com · MX · Business Servicesransomkrybit reclama a rehabmalaysia.com · MY · Healthcareransomkrybit reclama a www.lagus.cz · CZ · Business Servicesransomgunra reclama a Dissinger and Dissinger Law Firm · US · Business Servicesransomplay reclama a Boston Electric and Telephone · US · Telecommunicationransomplay reclama a Wring Group · GB · Not Foundransomincransom reclama a asa-international.com · GB · Business Servicesransomplay reclama a AG Scholtes · NL · Manufacturingransomplay reclama a Andorra Life · AD · Healthcareransomplay reclama a Svensk Direktreklam · SE · Business Servicesransomchaos reclama a radiax.com · US · Technologyransominterlock reclama a Converting Equipment International · GB · Manufacturingransomblack x reclama a sanaa · YE · Not Found
← Todos los CVEs
CVE Watch14 jul 2026

CVE-2026-41459

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to ret

CVSS

5.3

Medio

EPSS

0.8%

p52

KEV

Exploit Today

16

0-100

Publicado: 22 abr 2026 · Última mod.: 14 jul 2026 · CWE-497

EPSS · 30d
0.8%EPSS · 30 días0.8%
2026-06-302026-07-16
Descripción técnica

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

Referencias oficiales
CVEs relacionados
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2025-551317.1 ALT
87.8%
26A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact.2d
CVE-2026-344138.6 ALT
84.9%
25Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.2d
CVE-2025-341715.3 MED
42.2%
13CasaOS versions up to and including 0.4.15 expose multiple unauthenticated endpoints that allow remote attackers to retrieve sensitive configuration files and system debug information. The /v1/users/image endpoint can be abused with a user-controlled path parameter to access files under /var/lib/casaos/1/, which reveals installed applications and configuration details. Additionally, /v1/sys/debug discloses host operating system, kernel, hardware, and storage information. The endpoints also return distinct error messages, enabling file existence enumeration of arbitrary paths on the underlying host filesystem. This information disclosure can be used for reconnaissance and to facilitate targeted follow-up attacks against services deployed on the host.2d
CVE-2025-464216.8 MED
39.9%
12A flaw was found in libsoup. When libsoup clients encounter an HTTP redirect, they mistakenly send the HTTP Authorization header to the new host that the redirection points to. This allows the new host to impersonate the user to the original host that issued the redirect.17d
CVE-2026-148089.8 CRÍ
39.9%
12Prog Management System developed by PROG MIS has a Exposure of Sensitive Information vulnerability, allowing unauthenticated remote attackers to view a specific page and obtain the database account and password.10d
CVE-2026-419285.3 MED
33.9%
10Vvveb before 1.0.8.2 contains an information disclosure vulnerability in the cron controller that allows unauthenticated attackers to retrieve the application's secret cron key. Attackers can access the cron controller without authentication and retrieve the exposed secret key from the response, enabling them to trigger scheduled task execution outside of the intended schedule.2d