Security Vulnerabilities
Traccar is an open source GPS tracking system. Prior to 6.13.0, DeviceResource.uploadImage authorizes the target device only through Condition.Permission(User.class, getUserId(), Device.class) and then immediately streams the uploaded body into mediaManager.createFileStream(...). Unlike the generic mutation path in BaseObjectResource.update and the explicit device mutation handler updateAccumulators, this route never invokes permissionsService.checkEdit(getUserId(), Device.class, false, false). The skipped guard is exactly where Traccar enforces readonly and deviceReadonly restrictions for non-admin users. An unauthorized user can replace a device’s stored image file under the server media directory. This allows modification of UI-visible device media and any downstream workflows that rely on the persisted image, despite other device update paths correctly rejecting the same identity. This vulnerability is fixed in 6.13.0.
CVSS Score
5.3
EPSS Score
0.002
Published
2026-05-26
Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.
CVSS Score
5.0
EPSS Score
0.004
Published
2026-05-26
Twenty is an open source CRM. In 1.18.0 and earlier, the file serving endpoints in Twenty CRM at /files/* and /file/:fileFolder/:id serve uploaded files using fileStream.pipe(res) without setting any Content-Type, Content-Disposition, or X-Content-Type-Options response headers. This allows an authenticated attacker to upload an HTML file containing JavaScript, which will be rendered by the victim's browser in the context of the Twenty CRM domain when accessed — enabling session hijacking, account takeover, and data theft.
CVSS Score
8.7
EPSS Score
0.002
Published
2026-05-26
An improper validation of user-supplied input leads to a local file inclusion vulnerability.
CVSS Score
7.5
EPSS Score
0.005
Published
2026-05-26
An improper validation of the search parameter of the com_media files API endpoint leads to a path traversal vulnerability.
CVSS Score
5.9
EPSS Score
0.004
Published
2026-05-26
An improper access check allows unauthorized access to com_config webservice endpoints.
CVSS Score
8.6
EPSS Score
0.003
Published
2026-05-26
Lack of CSRF token validation lead to a CSRF attack vector in the admin activation endpoint of com_users.
CVSS Score
4.6
EPSS Score
0.001
Published
2026-05-26
Improperly built filter clauses lead to a SQL injection vulnerability in the search query for com_finder.
CVSS Score
6.9
EPSS Score
0.003
Published
2026-05-26
Improperly validated order clauses lead to a SQL injection vulnerability in com_tags.
CVSS Score
6.9
EPSS Score
0.003
Published
2026-05-26
Lack of output escaping leads to a XSS vector in the readmore links for com_content.
CVSS Score
6.9
EPSS Score
0.002
Published
2026-05-26