Security Vulnerabilities
A local file inclusion vulnerability in the upload/download flow of the VertiGIS FM application allows authenticated attackers to read arbitrary files from the server by manipulating a file's path during its upload. When the file is subsequently downloaded, the file in the attacker controlled path is returned. Due to the application's ASP.NET architecture, this could potentially lead to remote code execution when the "web.config" file is obtained. Furthermore, the application resolves UNC paths which may enable NTLM-relaying attacks.
This issue affects VertiGIS FM: 10.5.00119 (0d29d428).
CVSS Score
8.8
EPSS Score
0.003
Published
2026-04-01
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
CVSS Score
9.8
EPSS Score
0.158
Published
2026-04-01
Dell AppSync, version(s) 4.6.0, contain(s) an UNIX Symbolic Link (Symlink) Following vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Information tampering.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-04-01
Dell AppSync, version(s) 4.6.0, contain(s) an Incorrect Permission Assignment for Critical Resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of privileges.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-04-01
A vulnerability was identified in MEPIS RM, an industrial
software product developed by Metronik. The application contained a hardcoded
cryptographic key within the Mx.Web.ComponentModel.dll component. When the
option to store domain passwords was enabled, this key was used to encrypt user
passwords before storing them in the application’s database. An attacker with
sufficient privileges to access the database could extract the encrypted
passwords, decrypt them using the embedded key, and gain unauthorized access to
the associated ICS/OT environment.
CVSS Score
6.4
EPSS Score
0.0
Published
2026-04-01
Blind server-side request forgery (SSRF) vulnerability in legacy connection methods of document co-authoring features in M-Files Server before 26.3 allow an unauthenticated attacker to cause the server to send HTTP GET requests to arbitrary URLs.
CVSS Score
7.3
EPSS Score
0.001
Published
2026-04-01
Insufficient permission validation on multiple REST API Quick Setup endpoints in Checkmk 2.5.0 (beta) before version 2.5.0b2 and 2.4.0 before version 2.4.0p25 allows low-privileged users to perform unauthorized actions or obtain sensitive information
CVSS Score
8.8
EPSS Score
0.0
Published
2026-04-01
Lack of output escaping leads to a XSS vector in the multilingual associations component.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-01
Lack of output escaping for article titles leads to XSS vectors in various locations.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-01
Lack of input validation leads to an arbitrary file deletion vulnerability in the autoupdate server mechanism.
CVSS Score
7.2
EPSS Score
0.0
Published
2026-04-01