Security Vulnerabilities
A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Score
4.7
EPSS Score
0.0
Published
2026-02-04
IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
CVSS Score
6.3
EPSS Score
0.0
Published
2026-02-04
IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-04
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
CVSS Score
4.9
EPSS Score
0.0
Published
2026-02-04
Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5.
CVSS Score
8.8
EPSS Score
0.004
Published
2026-02-04
Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-02-04
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS).This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1.
CVSS Score
4.8
EPSS Score
0.0
Published
2026-02-04
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation.This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4.
CVSS Score
6.5
EPSS Score
0.0
Published
2026-02-04
Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing.This issue affects Drupal Canvas: from 0.0.0 before 1.0.4.
CVSS Score
4.8
EPSS Score
0.0
Published
2026-02-04
XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation.This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2.
CVSS Score
4.2
EPSS Score
0.0
Published
2026-02-04