Security Vulnerabilities
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, a case-sensitivity flaw in the password validation logic allows any authenticated user to change their password (or an admin to change any user's password) without providing the current password. By using Title Case field name "Password" instead of lowercase "password" in the API request, the current_password verification is completely bypassed. This enables account takeover if an attacker obtains a valid JWT token through XSS, session hijacking, or other means. This vulnerability is fixed in 2.57.1.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-02-09
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to 2.57.1, an authenticated user can bypass the application's "Disallow" file path rules by modifying the request URL. By adding multiple slashes (e.g., //private/) to the path, the authorization check fails to match the rule, while the underlying filesystem resolves the path correctly, granting unauthorized access to restricted files. This vulnerability is fixed in 2.57.1.
CVSS Score
8.1
EPSS Score
0.0
Published
2026-02-09
ZAI Shell is an autonomous SysOps agent designed to navigate, repair, and secure complex environments. Prior to 9.0.3, the P2P terminal sharing feature (share start) opens a TCP socket on port 5757 without any authentication mechanism. Any remote attacker can connect to this port using a simple socket script. An attacker who connects to a ZAI-Shell P2P session running in --no-ai mode can send arbitrary system commands. If the host user approves the command without reviewing its contents, the command executes directly with the user's privileges, bypassing all Sentinel safety checks. This vulnerability is fixed in 9.0.3.
CVSS Score
8.8
EPSS Score
0.001
Published
2026-02-09
Hollo is a federated single-user microblogging software designed to be federated through ActivityPub. Prior to 0.6.20 and 0.7.2, there is a security vulnerability where DMs and followers-only posts were exposed through the ActivityPub outbox endpoint without authorization. This vulnerability is fixed in 0.6.20 and 0.7.2.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application derives the tenant identifier directly from the email domain provided by the user, without validating domain ownership or registration. This allows cross-tenant data access.
CVSS Score
9.1
EPSS Score
0.0
Published
2026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
CVSS Score
8.8
EPSS Score
0.0
Published
2026-02-09
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
CVSS Score
7.5
EPSS Score
0.0
Published
2026-02-09
Tanium addressed a local privilege escalation vulnerability in Tanium Module Server.
CVSS Score
6.7
EPSS Score
0.0
Published
2026-02-09
Tanium addressed a local privilege escalation vulnerability in Tanium Server.
CVSS Score
6.7
EPSS Score
0.0
Published
2026-02-09
Tanium addressed an uncontrolled resource consumption vulnerability in Tanium Server.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-09