Vulnerabilities
Vulnerable Software
Security Vulnerabilities
An improper access check allows unauthorized users to create custom fields via webservices endpoints.
CVSS Score
6.4
EPSS Score
0.003
Published
2026-07-07
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
CVSS Score
5.4
EPSS Score
0.003
Published
2026-07-07
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
An improper access check allows privileged users to overwrite media files without editing permissions.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
CVSS Score
9.8
EPSS Score
0.004
Published
2026-07-07


Contact Us

Shodan ® - All rights reserved