CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Budibase before version 3.39.9 contains a vulnerability due to improper validation of symbolic links during ZIP file processing. A builder-level attacker can inject a symbolic link pointing to any file on the system, which will be read and uploaded to MinIO, then served via the API.
Budibase prior to version 3.39.9 has a vulnerability in the webhook trigger endpoint, which is publicly accessible and passes the full HTTP request body into automation execution parameters. An attacker can overwrite the internal appId property, allowing automation execution in the victim's context and granting full read/write access to the victim's database.
Budibase before version 3.39.12 contains a vulnerability that allows an unauthenticated user to read all documents from MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collections, and if a public write query exists, to modify all documents in a single HTTP request. The issue stems from improper input validation in the validateQueryInputs function, which only rejects Handlebars markers but does not escape JSON metacharacters, enabling injection of additional fields into the filter object.
In Notepad++ prior to 8.9.6.4, a TOCTOU vulnerability exists in handling shortcuts.xml. The HMAC check occurs at command execution time, but the command payload is taken from memory that is not synchronized with the disk file. An attacker can swap the file before launch and restore it afterward, allowing malicious commands to execute.
Notepad++ version 8.9.6.1 has a vulnerability where the isInTrustedDirectory() function does not canonicalize the path before checking. It uses a prefix-based check that can be bypassed with a path containing ..\..\ after a trusted directory prefix, resolving to an untrusted location. This issue is fixed in version 8.9.6.2.
Budibase prior to version 3.39.0 contains a vulnerability allowing an anonymous attacker to obtain a pre-signed PUT URL for any S3 bucket the victim has access to. The attack requires knowledge of a workspace ID and S3 datasource ID but no authentication.
Budibase prior to 3.39.3 exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials from a workspace datasource. The route is protected only by recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access.
A vulnerability in Budibase before 3.39.0 allows an attacker to permanently link a victim's account to an external chat identity (Slack/Discord/MS Teams) without user consent. The public endpoint lacks authentication and CSRF protection, and the attack requires tricking an authenticated user into visiting a crafted URL.
Notepad++ prior to version 8.9.6.1 contains a vulnerability due to missing validation of the <Command> tag content in shortcuts.xml. An attacker can inject arbitrary commands that execute when the user clicks the corresponding entry in the Run menu.
Notepad++ prior to version 8.9.6.1 has a vulnerability due to missing validation of the <GUIConfig name="commandLineInterpreter"> tag in config.xml. An attacker can modify this file to execute arbitrary commands with user privileges when the console is opened via File → Open Containing Folder → cmd.
Notepad++ prior to version 8.9.6.1 contains a vulnerability in handling WM_COPYDATA messages. A local process in the same Windows session can send a malformed message that does not enforce data length checking, potentially leading to a buffer overflow.
Notepad++ versions 8.9.4 through 8.9.6 contain a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without an absolute path after setting the working directory to the contextMenu directory. If an attacker places a malicious powershell.exe in a user-writable installation directory and a privileged user runs the installer selecting that directory, the attacker-controlled executable runs with elevated privileges.
The TIFF decoder can panic when decoding an invalid image with an out-of-bounds strip offset.
The vulnerability in Lansweeper lsrunase 2.0 and lsencrypt 2.0 uses RC4 encryption with a hardcoded 142-byte static key. An 8-character prefix is stored in cleartext alongside the ciphertext, allowing a local attacker to recover any encrypted password to plaintext without brute force.
A vulnerability in the DSO::mmap_and_copy function of relibc (commit 61f42d) allows attackers to cause a Denial of Service (DoS) by loading a crafted shared library.
A vulnerability in the parse_month function (/time/strptime.rs) of relibc (commit ab6a2e) allows an attacker to cause a Denial of Service (DoS) by parsing a crafted input.
HCL Traveler for Microsoft Outlook libraries are being falsely flagged as potentially malicious software or an unrecognized application. This may prevent installation or execution of the software by security systems.
In RustFS version 1.0.0-beta.7 and earlier, the real-time metrics endpoint /rustfs/admin/v3/metrics is accessible to any valid IAM user regardless of their assigned policy. The validate_admin_request call is missing, allowing restricted users to read sensitive cluster-wide operational data.
In RustFS from version 1.0.0-alpha.1 to 1.0.0-beta.9, when the FTP frontend is enabled, the read and probe handlers (RETR, SIZE, MDTM, CWD) bypass the IAM authorization function, allowing any authenticated FTP user to read and stat any object in any bucket regardless of their IAM policy.
In RustFS versions from 1.0.0-alpha.1 to 1.0.0-beta.9, an authorization bypass was found in the bucket replication admin API. The ListRemoteTargetHandler for listing remote replication targets only checks whether request credentials exist, but does not verify that the caller has replication or administrator permissions. As a result, an authenticated user with no effective bucket or admin permissions can list remote replication target configuration for a bucket.

