Security Vulnerabilities
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build script. This issue has been patched in version 2.2.2.
CVSS Score
8.1
EPSS Score
0.002
Published
2026-04-01
Docker Model Runner (DMR) is software used to manage, run, and deploy AI models using Docker. Prior to version 1.1.25, Docker Model Runner contains an SSRF vulnerability in its OCI registry token exchange flow. When pulling a model, Model Runner follows the realm URL from the registry's WWW-Authenticate header without validating the scheme, hostname, or IP range. A malicious OCI registry can set the realm to an internal URL (e.g., http://127.0.0.1:3000/), causing Model Runner running on the host to make arbitrary GET requests to internal services and reflect the full response body back to the caller. Additionally, the token exchange mechanism can relay data from internal services back to the attacker-controlled registry via the Authorization: Bearer header. This issue has been patched in version 1.1.25. For Docker Desktop users, enabling Enhanced Container Isolation (ECI) blocks container access to Model Runner, preventing exploitation. However, if the Docker Model Runner is exposed to localhost over TCP in specific configurations, the vulnerability is still exploitable.
CVSS Score
6.8
EPSS Score
0.0
Published
2026-04-01
pandas-ai v3.0.0 was discovered to contain a SQL injection vulnerability via the pandasai.agent.base._execute_sql_query component.
CVSS Score
7.3
EPSS Score
0.0
Published
2026-04-01
There is an injection vulnerability in jeecg boot versions 3.0.0 to 3.5.3 due to lax character filtering, which allows attackers to execute arbitrary code on components through specially crafted HTTP requests.
CVSS Score
9.8
EPSS Score
0.01
Published
2026-04-01
A command injection vulnerability in the component /jmreport/show of jeecg boot v3.0.0 to v3.5.3 allows attackers to execute arbitrary code via a crafted HTTP request.
CVSS Score
9.8
EPSS Score
0.008
Published
2026-04-01
Improper access control in the multi-factor authentication (MFA) management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests.
This issue affects Server: from 2026.1.6 through 2026.1.11.
CVSS Score
5.0
EPSS Score
0.0
Published
2026-04-01
Improper authentication in the OAuth login functionality in Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid credentials to bypass multi-factor authentication via a crafted login request.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
Improper authentication in the external OAuth authentication flow in Devolutions Server 2026.1.11 and earlier allows an authenticated user to authenticate as other users, including administrators, via reuse of a session code from an external authentication flow.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-01
Improper
authentication in the two-factor authentication (2FA) feature in
Devolutions Server 2026.1.11 and earlier allows a remote attacker with valid
credentials to bypass multifactor authentication and gain unauthorized
access to the victim account via reuse of a partially authenticated
session token.
CVSS Score
8.2
EPSS Score
0.0
Published
2026-04-01
Improper access control in the users MFA feature in Devolutions Server allows an authenticated user to bypass administrator-enforced restrictions and remove their own multi-factor authentication (MFA) configuration via a crafted request.
This issue affects Server: from 2026.1.6 through 2026.1.11.
CVSS Score
5.0
EPSS Score
0.0
Published
2026-04-01