CVE Vulnerabilities - 29 May 2026

800 vulnerabilities published on 29 May 2026

Dokploy PaaS: Hardcoded Secret Exposes Admin Access
CVE-2026-45631
Dokploy's self-hosted Platform as a Service is affected. An attacker without a login could gain full access to the system, including executing commands and signing in as an admin. Update to the latest...
10.0
NodeVM allows malicious code to run on host system
GHSA-rp36-8xq3-r6c4 CVE-2026-47140
A security issue affects NodeVM, a library that restricts certain Node.js functions. This allows malicious code to bypass those restrictions and execute on the host system, potentially leading to unau...
10.0
vm2: Unpatched Bypass Allows Full Remote Code Execution
GHSA-m4wx-m65x-ghrr CVE-2026-47137
A vulnerability in vm2 allows an attacker to run code on the host system if they create a nested sandbox without specifying the 'require' option. This could lead to full Remote Code Execution, allowin...
10.0
vm2 Sandbox Breakout Through Promise Species
GHSA-76w7-j9cq-rx2j CVE-2026-47208
The vm2 sandbox can be broken, allowing attackers to execute arbitrary commands on the host system. This vulnerability affects the vm2 JavaScript sandboxing library, which is used to safely run untrus...
10.0
vm2 Sandbox Escape allows Arbitrary Code Execution
GHSA-v6mx-mf47-r5wg CVE-2026-47131
A vulnerability in the vm2 library allows attackers to escape the sandbox and run arbitrary code on the host system. This could potentially lead to unauthorized access or data theft. To protect agains...
10.0
Suprema BioStar 2 allows public access to sensitive backup files
CVE-2026-9508
A security flaw in Suprema BioStar 2 (versions 2.9.3 through 2.9.11) allows anyone on the network to download sensitive backup files without a password. This is a concern because the files contain imp...
10.0
Remote Spark SparkView Allows Arbitrary File Access as Root
CVE-2026-8326
Remote Spark's SparkView feature allows unauthorized access to files on the server, potentially leading to a complete takeover of the system. This is a serious issue because it could allow an attacker...
10.0
Firmware Backup Encryption Key Exposed in upload.cgi
CVE-2026-49201
An attacker can access and modify system backups on certain devices, potentially allowing them to install malicious software. This vulnerability affects the security of sensitive data stored on these ...
10.0
Acer Firmware: Cleartext Login Credentials Accessible via Web Interface
CVE-2026-49200
The Acer device's firmware stores login credentials in an unprotected log file. This means unauthorized users can access sensitive information and potentially gain control of the device. Users should ...
10.0
Mosquitto MQTT Command Injection Vulnerability
CVE-2026-49199
The Mosquitto MQTT server is vulnerable to a security risk that allows attackers to execute malicious code on devices connected to it. This could lead to unauthorized access or control of those device...
10.0
Acer Connect App Fails to Validate Authorization Header
CVE-2026-49197
The Acer Connect app's web endpoints are vulnerable to unauthorized access because they don't properly check the Authorization header. This could allow attackers to make requests as if they were autho...
10.0
PraisonAI vulnerable to arbitrary OS command execution
GHSA-4mr5-g6f9-cfrh CVE-2026-47392
PraisonAI's execute_code function in subprocess sandbox mode can be bypassed, allowing attackers to execute arbitrary OS commands on the host. This is a critical vulnerability that affects version 1.6...
9.9
stigmem-node: Anonymous access risk when auth is disabled outside local network
GHSA-fp6w-8wpg-74g5
If you're using stigmem-node and have disabled authentication, it's possible for anyone to access your data and settings from outside your local network. To fix this, update to the latest version of s...
9.9
FreeRDP Remote Desktop Protocol decoder has a memory safety issue
DEBIAN-CVE-2026-45700
FreeRDP, a software that helps computers connect to each other over a network, has a bug that could allow an attacker to write data outside the safe area of memory. This could potentially lead to the ...
9.9
cpp-httplib: Malicious headers can cause server crashes
DEBIAN-CVE-2026-45372
A security issue was found in the cpp-httplib library, which is used for creating HTTP servers. This issue can allow an attacker to crash the server by sending a malicious HTTP request. To fix this, u...
9.9
cpp-httplib: Uncontrolled Data in Headers
CVE-2026-45372
A bug in cpp-httplib's server allowed malicious headers to be processed incorrectly, potentially leading to security issues. This vulnerability affects users of cpp-httplib before version 0.44.0. To f...
9.9
Shopper Headless e-commerce Admin Panel: Unauthorized Admin Access
CVE-2026-47744
Prior to version 2.8.0, any authenticated user could take over the Shopper Admin Panel, creating new administrator roles and deleting other users, including legitimate administrators. This allowed a l...
9.9
Dokploy 0.26.5 and Earlier: Authenticated Users Can Write Arbitrary Files
CVE-2026-45661
Dokploy's self-hosted service, used by administrators to deploy applications, has a security flaw that allows authorized users to create unwanted files on the server. This could lead to unauthorized a...
9.9
Dokploy command injection vulnerability in Docker logs endpoint
CVE-2026-45633
Dokploy's self-hosted PaaS platform has a security flaw in its Docker logs feature. This allows authenticated users to execute commands with root access, potentially leading to unauthorized changes or...
9.9
Dokploy PaaS allows unauthorized schedule creation
CVE-2026-45632
In Dokploy 0.26.7 and earlier, any authenticated user can create, update, or delete schedules belonging to other organizations. This could allow attackers to run malicious scripts on the Dokploy host ...
9.9
Dokploy PaaS allows authenticated server takeover via command injection
CVE-2026-45629
Dokploy's self-hosted Platform as a Service (PaaS) has a security issue that affects any organization member with authenticated access. This issue allows users to take control of remote servers manage...
9.9
Arcane Backend: Non-Admin Users Can Access Git Credentials
GHSA-7h26-hg47-p9hx CVE-2026-45625
A security issue in Arcane Backend's API allows non-admin users to access and potentially steal stored Git credentials. This is because the API does not require admin authentication for certain Git re...
9.9
Dokploy 0.29.1 and earlier: Unauthorized Docker File Uploads
CVE-2026-45663
Dokploy's Docker file upload feature has a security flaw that could allow an attacker to execute unauthorized commands on the server. This is a concern for any Dokploy user, as it could lead to data t...
9.9
Plesk APS Application Catalog Search Allows Unauthorized OS Commands
CVE-2026-44962
Plesk's search function in the Application Catalog can be tricked into executing system commands. This can happen if a low-privileged user knows what they're doing and has permission to use the search...
9.9
RAGFlow 0.24.0 and earlier: Unauthorized OS Command Execution
CVE-2026-45312
RAGFlow's open-source engine has a security flaw that allows authenticated users to run system commands on the server. This is a concern because any registered user can exploit this vulnerability. To ...
9.9