Discover my CVE LogBook

My personal CVE Pokedex and my Preferred Way to Spend Time

List of Reported CVEs
CVE-2026-22809: Regular Expression Denial of Service (ReDoS) vulnerability
CVSS 4.4
tarteaucitron.js
A Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js, affecting the processing of the issuu_id parameter. Due to poorly constrained regular expressions applied to user-controlled input, an attacker could trigger excessive backtracking, leading to high CPU usage and potential service disruption. The issue has been fixed by simplifying and hardening the input validation logic.
13 January 2026
CVE-2026-40519: RCE via Shell Injection in DNS Credentials
CVSS 7.7
Nginx Proxy Manager
Nginx Proxy Manager is vulnerable to authenticated remote code execution due to a shell injection in setupCertbotPlugins() (backend/setup.js). The user-controlled field dns_provider_credentials is interpolated into a shell command executed via child_process.exec() without proper escaping. An attacker with the certificates:manage permission can inject arbitrary commands, which are executed on backend restart (typically as root in Docker deployments).
8 June 2026
CVE-2026-41462: Unauthenticated SQL Injection via Login page
CVSS 9.3
ProjeQtor
A SQL injection vulnerability was identified: user inputs are not properly validated or parameterized, allowing query manipulation, unauthorized database access or modification, and potentially command execution.
23 April 2026
CVE-2026-41463: Zip Slip Path Traversal via Plugin Upload
CVSS 9.4
ProjeQtor
A Zip Slip vulnerability was identified in the plugin upload feature: file paths inside the archive are not validated, allowing writes outside the intended directory and the upload of malicious files (webshells).
23 April 2026
CVE-2026-41464: Missing Authorization via objectDetail.php
CVSS 7.1
ProjeQtor
An isolation flaw allows low-privileged users to access shared resources without proper access controls. As a result, a guest user can view sensitive data via /view/objectDetail.php, including the password hashes and API keys of all users, even administrators.
24 April 2026
CVE-2026-41465: Path Traversal via dynamicDialog.php
CVSS 7.1
ProjeQtor
The application allows log file access via the logname parameter in /tool/dynamicDialog.php but lacks proper validation. This enables path traversal (e.g., ../), allowing attackers to access files outside the intended directory. The only restriction is the .log extension, so filesystem traversal remains possible.
24 April 2026
© 2023 Yassine Damiri. All Rights Reserved.