CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
In Kestra before versions 1.0.45 and 1.3.23, the local internal-storage backend improperly validates user-supplied paths, allowing an attacker to smuggle a traversal sequence using backslashes (..\..\..\) before conversion to forward slashes. An authenticated user with the lowest privilege can read any file on the server filesystem, including the H2 database, stored secrets, and credentials.
In Kestra OSS prior to versions 1.0.45 and 1.3.21, the AuthenticationFilter uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials.
In Kestra before versions 1.0.43 and 1.3.19, several API endpoints accept a kestra:// URI from the client and pass it through StorageInterface.parentTraversalGuard before reading the underlying file from the local storage backend. The guard only inspects the literal URI.toString(), so a URL-encoded .. written as %2E%2E slips through. The downstream code then calls URI.getPath(), which decodes %2E%2E back to .., and the resulting path is handed to Paths.get(...) without normalization. The OS resolves the .. segments at open(2) time, so an authenticated user with a single execution can read any file the Kestra process has access to on the host filesystem (/etc/passwd, mounted secrets, other tenants' execution outputs, etc.).
In the unauthenticated UART debug console of the Tenda N300 F3 (V603) router, WPA2 credentials are stored and exposed in cleartext, and the rr/wr memory read/write commands lack authentication. A physically proximate attacker can obtain these credentials and arbitrarily read or write memory via the serial port.
A stack overflow vulnerability was found in the AP4_Array<AP4_TrunAtom::Entry>::EnsureCapacity component of Bento4 before version 1.8.9. Attackers can exploit this by providing a crafted MP4 file, causing a Denial of Service (DoS).
A stack overflow vulnerability in the AP4_StsdAtom::AP4_StsdAtom component of Bento4 before version 1.8.9 allows attackers to cause a Denial of Service (DoS) via a crafted MP4 file.
A vulnerability in Technitium DNS Server version 14.3 and earlier allows a remote attacker to cause a denial of service (DoS) via the DnsServerApp.exe, DnsServerApp.dll, and TechnitiumLibrary.Net/Dns/DnsClient.cs components.
Budibase before version 3.39.9 is vulnerable to SSRF via DNS rebinding. Authenticated users with automation permissions can bypass the IP blacklist because hostname validation before the request is not pinned to the actual connection.
Budibase before version 3.39.9 contains a vulnerability due to improper validation of symbolic links during ZIP file processing. A builder-level attacker can inject a symbolic link pointing to any file on the system, which will be read and uploaded to MinIO, then served via the API.
Budibase prior to version 3.39.9 has a vulnerability in the webhook trigger endpoint, which is publicly accessible and passes the full HTTP request body into automation execution parameters. An attacker can overwrite the internal appId property, allowing automation execution in the victim's context and granting full read/write access to the victim's database.
Budibase before version 3.39.12 contains a vulnerability that allows an unauthenticated user to read all documents from MongoDB, CouchDB, Elasticsearch, DynamoDB-PartiQL, or REST-with-JSON-body collections, and if a public write query exists, to modify all documents in a single HTTP request. The issue stems from improper input validation in the validateQueryInputs function, which only rejects Handlebars markers but does not escape JSON metacharacters, enabling injection of additional fields into the filter object.
In Notepad++ prior to 8.9.6.4, a TOCTOU vulnerability exists in handling shortcuts.xml. The HMAC check occurs at command execution time, but the command payload is taken from memory that is not synchronized with the disk file. An attacker can swap the file before launch and restore it afterward, allowing malicious commands to execute.
Notepad++ version 8.9.6.1 has a vulnerability where the isInTrustedDirectory() function does not canonicalize the path before checking. It uses a prefix-based check that can be bypassed with a path containing ..\..\ after a trusted directory prefix, resolving to an untrusted location. This issue is fixed in version 8.9.6.2.
Budibase prior to version 3.39.0 contains a vulnerability allowing an anonymous attacker to obtain a pre-signed PUT URL for any S3 bucket the victim has access to. The attack requires knowledge of a workspace ID and S3 datasource ID but no authentication.
Budibase prior to 3.39.3 exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials from a workspace datasource. The route is protected only by recaptcha middleware and does not require authentication, table permission, datasource permission, or builder access.
A vulnerability in Budibase before 3.39.0 allows an attacker to permanently link a victim's account to an external chat identity (Slack/Discord/MS Teams) without user consent. The public endpoint lacks authentication and CSRF protection, and the attack requires tricking an authenticated user into visiting a crafted URL.
Notepad++ prior to version 8.9.6.1 contains a vulnerability due to missing validation of the <Command> tag content in shortcuts.xml. An attacker can inject arbitrary commands that execute when the user clicks the corresponding entry in the Run menu.
Notepad++ prior to version 8.9.6.1 has a vulnerability due to missing validation of the <GUIConfig name="commandLineInterpreter"> tag in config.xml. An attacker can modify this file to execute arbitrary commands with user privileges when the console is opened via File → Open Containing Folder → cmd.
Notepad++ prior to version 8.9.6.1 contains a vulnerability in handling WM_COPYDATA messages. A local process in the same Windows session can send a malformed message that does not enforce data length checking, potentially leading to a buffer overflow.
Notepad++ versions 8.9.4 through 8.9.6 contain a local privilege escalation vulnerability in the installer. During installation, the installer invokes powershell.exe without an absolute path after setting the working directory to the contextMenu directory. If an attacker places a malicious powershell.exe in a user-writable installation directory and a privileged user runs the installer selecting that directory, the attacker-controlled executable runs with elevated privileges.

