Vulnerabilities
Vulnerable Software
Security Vulnerabilities
Coder allows organizations to provision remote development environments via Terraform. Starting in version 2.30.0 and prior to versions 2.32.7, 2.33.8, and 2.34.2, AI Bridge proxy endpoints authenticate via `Server.IsAuthorized` in `coderd/aibridgedserver`, which validates key format, expiry, secret and deleted or system users but does not check whether the account is suspended. Because suspension does not revoke existing API keys, a suspended user's unexpired token keeps working. Practical impact is limited to already-issued API keys of suspended users until those keys are deleted. Versions 2.32.7, 2.33.8, and 2.34.2 patch the issue. As a workaround, on suspension, delete the user's API keys via `DELETE /api/v2/users/{user}/keys`.
CVSS Score
5.4
EPSS Score
0.003
Published
2026-07-07
Lack of validation leads to an XSS vulnerability in the MFA management views.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the file management view of com_templates.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to XSS vulnerabilities in modalreturn layouts of various components.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the update list view of com_installer.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
Lack of escaping leads to an XSS vulnerability in the generic image output layout.
CVSS Score
5.9
EPSS Score
0.001
Published
2026-07-07
An improper access check allows privileged users to overwrite media files without editing permissions.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
An improper access check allows user to download vcard exports of com_contact contacts that are inaccessible.
CVSS Score
6.4
EPSS Score
0.002
Published
2026-07-07
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API.
CVSS Score
9.8
EPSS Score
0.004
Published
2026-07-07
A Weak Password Recovery Mechanism for Forgotten Password exists in Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes. A remote, unauthorized attacker may assume ownership of a user’s account by manipulating this mechanism. ArcGIS Administrators should configure an email server with ArcGIS Enterprise to facilitate user self-service password recovery. The ability for an administrator to reset a user’s password remains unchanged.
CVSS Score
8.1
EPSS Score
0.002
Published
2026-07-07


Contact Us

Shodan ® - All rights reserved