Security Vulnerabilities
Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-02-05
Tanium addressed an improper output sanitization vulnerability in Tanium Appliance.
CVSS Score
6.6
EPSS Score
0.0
Published
2026-02-05
Tanium addressed an improper output sanitization vulnerability in Tanium Appliance.
CVSS Score
6.6
EPSS Score
0.0
Published
2026-02-05
Tanium addressed an improper input validation vulnerability in Tanium Appliance.
CVSS Score
2.7
EPSS Score
0.0
Published
2026-02-05
Tanium addressed an improper certificate validation vulnerability in Tanium Appliance.
CVSS Score
3.7
EPSS Score
0.0
Published
2026-02-05
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
CVSS Score
10.0
EPSS Score
0.0
Published
2026-02-05
Cross Site Scripting vulnerability in the "/admin/order/abandoned" endpoint of Microweber 2.0.19. An attacker can manipulate the "orderDirection" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-02-05
Cross Site Scripting vulnerability in the "/admin/category/create" endpoint of Microweber 2.0.19. An attacker can manipulate the "rel_id" parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim's browser. The issue was reported to the developers and fixed in version 2.0.20.
CVSS Score
6.1
EPSS Score
0.0
Published
2026-02-05
Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-02-05
Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators' browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions.
CVSS Score
9.0
EPSS Score
0.0
Published
2026-02-05