Security Vulnerabilities
A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.
CVSS Score
9.8
EPSS Score
0.008
Published
2026-04-01
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.
This issue affects Server: from 2026.1.6 through 2026.1.11.
CVSS Score
5.0
EPSS Score
0.0
Published
2026-04-01
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-01
Improper
authentication in the two-factor authentication (2FA) feature in
Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid
credentials to bypass multifactor authentication and gain unauthorized
access to the victim account via reuse of a partially authenticated
session token.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
CVSS Score
5.0
EPSS Score
0.0
Published
2026-04-01
Exposure of sensitive information in the users MFA feature in Devolutions Server allows users with user management privileges to obtain other users OTP keys via an authenticated API request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-04-01
Improper input validation in the gateway health check feature in Devolutions Server allows a low-privileged authenticated user to perform server-side request forgery (SSRF), potentially leading to information disclosure, via a crafted API request.
This issue affects Server: from 2026.1.1 through 2026.1.11, from 2025.3.1 through 2025.3.17.
CVSS Score
4.3
EPSS Score
0.0
Published
2026-04-01
OpenClaw before 2026.3.22 contains a path traversal vulnerability in Windows media loaders that accepts remote-host file URLs and UNC-style paths before local-path validation. Attackers can exploit this by providing network-hosted file targets that are treated as local content, bypassing intended access restrictions.
CVSS Score
5.3
EPSS Score
0.001
Published
2026-04-01
TOTOlink A3600R v5.9c.4959 contains a buffer overflow vulnerability in the setAppEasyWizardConfig interface of /lib/cste_modules/app.so. The vulnerability occurs because the rootSsid parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service.
CVSS Score
9.8
EPSS Score
0.008
Published
2026-04-01