CVE-2026-45454 — Microsoft SharePoint Server Upload Page Folder Path Traversal to Remote Code Execution

A path traversal vulnerability exists in the SharePoint Server file upload page (Upload.aspx). The UploadPage.CurrentFolder property resolves the upload destination from the user-supplied RootFolder query string parameter without validating that the resolved folder belongs to the document library specified by the List parameter. An authenticated attacker with upload permissions to one document library can craft a request that uploads files to a different, restricted document library on the same site — including the Master Page Gallery (_catalogs/masterpage). ...

June 10, 2026 · 11 min · Aretiq AI

CVE-2026-8054 — dotCMS Core Publish Audit API SQL Injection

A critical SQL injection vulnerability exists in the dotCMS Core content management system’s Publish Audit API. The /api/auditPublishing/getAll REST endpoint accepts a JSON array of bundle identifiers and passes them unsanitized into a SQL query via string concatenation, allowing an attacker to inject arbitrary SQL statements. The endpoint requires no authentication, enabling an unauthenticated remote attacker to read, modify, or destroy the entire dotCMS PostgreSQL database with a single HTTP request. dotCMS addressed this vulnerability in version 26.04.28-03 by parameterizing the SQL query and adding Push Publish JWT token authentication to the affected endpoints. ...

May 27, 2026 · 12 min · Aretiq AI

CVE-2026-9256 — NGINX ngx_http_rewrite_module Overlapping PCRE Captures Heap Buffer Overflow RCE

A heap buffer overflow vulnerability exists in the NGINX ngx_http_rewrite_module when processing rewrite directives that use overlapping Perl-Compatible Regular Expression (PCRE) capture groups with a redirect or query-string replacement. When a rewrite rule like ^/((.*))$ produces multiple captures referencing the same URI content and the replacement string references both captures (e.g., $1$2), the buffer allocation underestimates the space needed for URI-escaped output, leading to a heap overflow in the worker process. An unauthenticated remote attacker can send crafted HTTP requests containing URI characters that require escaping (such as +) to crash the NGINX worker process or potentially achieve remote code execution. The vulnerability provides both a controlled heap write primitive and an information disclosure primitive — the overflow causes adjacent heap data (including pool pointers) to leak into the HTTP response, enabling ASLR bypass. Combined with the attacker-controlled overflow content and nginx’s deterministic pool allocator, this creates a viable path to code execution. F5/NGINX addressed this vulnerability in nginx 1.31.1 (mainline) and 1.30.2 (stable), released May 22, 2026. ...

May 25, 2026 · 13 min · Aretiq AI

CVE-2026-45434 — Apache OFBiz LoginWorker checkLogin Password-Change Flow Authentication Bypass RCE

A vulnerability exists in Apache OFBiz’s login authentication workflow that allows an attacker to bypass a forced password-change restriction and achieve remote code execution. When an administrator sets the requirePasswordChange flag on a user account — for example after a credential leak, during new employee onboarding, or as a default on demo accounts — the account is supposed to be locked out of all functionality until the user changes their password through the dedicated ChangePassword form. However, LoginWorker.checkLogin() fails to recognize "requirePasswordChange" as an authentication failure, treating it identically to a successful login. An attacker who knows the current password of a locked account can bypass the restriction by injecting requirePasswordChange=Y as an HTTP request parameter along with a new password, causing the login and password change to execute inline and granting immediate access to the requested endpoint. Combined with ProgramExport.groovy lacking permission checks and a Groovy sandbox in versions prior to 24.09.06, this enables arbitrary OS command execution in a single HTTP request. Apache addressed this vulnerability in version 24.09.06. ...

May 20, 2026 · 15 min · Aretiq AI

CVE-2026-41089 — Microsoft Windows Netlogon BuildSamLogonResponse Stack-based Buffer Overflow RCE

A stack-based buffer overflow vulnerability exists in the Windows Netlogon service’s DC locator ping response handler. When a domain controller processes a CLDAP search request, it serializes response data including attacker-supplied and server-side strings into a fixed-size stack buffer without adequate bounds checking. An unauthenticated remote attacker can send a single crafted CLDAP packet to a domain controller’s UDP port 389, causing the Netlogon service to crash the LSASS process and force the domain controller to reboot. The exploitability depends on the target domain controller’s DNS naming configuration — domain controllers with longer DNS domain names and hostnames are vulnerable. Microsoft addressed this vulnerability in the May 2026 security update. ...

May 13, 2026 · 13 min · Aretiq AI