| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Cleartext Transmission of Sensitive Information, Insufficiently Protected Credentials vulnerability in rustdesk-client RustDesk Client rustdesk-client on Windows, macOS, Linux, iOS, Android (Address book sync, Heartbeat sync loop modules) allows Sniffing Attacks.
The client copies the preset address-book password verbatim into the heartbeat sync JSON body (src/hbbs_http/sync.rs). Over an intact HTTPS session the value is not exposed in transit, but it is a reusable shared secret rather than a challenge-response proof of possession, so any party that becomes the API endpoint recovers it: an attacker exploiting the automatic invalid-certificate TLS downgrade (CVE-2026-30794) or operating a re-homed or rogue API server (CVE-2026-30797). The recovered credential then authorizes access to the server-side address book.
This vulnerability is associated with program file src/hbbs_http/sync.rs and the heartbeat sync body builder routine, which emits the preset address-book password.
This issue affects RustDesk Client: through 1.4.8. |
| Unauthenticated Local File Inclusion in Softlab Core < 1.2.11 versions. |
| Unauthenticated PHP Object Injection in EmallShop <= 2.4.21 versions. |
| Unauthenticated PHP Object Injection in Kapee < 1.7.0 versions. |
| Unauthenticated Cross Site Scripting (XSS) in MagOne <= 9.0 versions. |
| Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions. |
| Unauthenticated PHP Object Injection in Behold <= 1.5 versions. |
| Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions. |
| Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions. |
| Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions. |
| DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure in Apache DolphinScheduler.
This issue affects Apache DolphinScheduler: before 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes the issue. |
| Unauthenticated Cross Site Scripting (XSS) in my flatonica <= 0.0.8 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Sonaar <= 4.27.4 versions. |
| Subscriber Privilege Escalation in Sonaar <= 4.27.4 versions. |
| Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions. |
| Unauthenticated Local File Inclusion in AirSupply <= 2.0.0 versions. |
| Subscriber SQL Injection in Events Schedule - WordPress Events Calendar Plugin <= 2.7.2 versions. |
| Subscriber Privilege Escalation in Genemy <= 1.6.6 versions. |
| Unauthenticated Local File Inclusion in Snowy <= 1.13 versions. |
| Unauthenticated Local File Inclusion in Orpheus <= 1.3 versions. |
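The RustDesk entry above describes a design property rather than a single broken line: the address-book password is sent as a reusable shared secret, so whoever terminates the connection can read it and replay it. The following Python is an added example, not RustDesk's code; the field names, client id and password are constructed placeholders and the wire format is assumed, not taken from src/hbbs_http/sync.rs. It contrasts the verbatim-password body with a challenge-response form in which the client sends an HMAC over a server-issued nonce instead of the password, and shows that a body captured by a rogue endpoint is then useless for replay.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample values for illustration only; not RustDesk's real
# configuration keys, JSON field names or wire format.
CLIENT_ID = "client-0001"
PRESET_AB_PASSWORD = "ab-sync-secret-1"


def weak_heartbeat_body(client_id: str, ab_password: str) -> str:
    """Pattern the advisory describes: the preset address-book password is
    copied verbatim into the heartbeat JSON body, so it is a reusable secret."""
    return json.dumps({"id": client_id, "ab_password": ab_password})


def capture_from_body(body: str):
    """What any party that terminates the session (a rogue or re-homed API
    server, or a downgraded connection) can read straight out of the body."""
    return json.loads(body).get("ab_password")


def weak_server_check(body: str, stored_password: str) -> bool:
    """Server-side check for the weak scheme: a captured body replays forever."""
    return hmac.compare_digest(json.loads(body)["ab_password"], stored_password)


def hardened_heartbeat_body(client_id: str, ab_password: str, nonce: str) -> str:
    """Hardened form (added here, not RustDesk's code): the client proves it
    holds the password with an HMAC over a server-issued nonce; the password
    itself never enters the body."""
    proof = hmac.new(ab_password.encode(), f"{client_id}:{nonce}".encode(),
                     hashlib.sha256).hexdigest()
    return json.dumps({"id": client_id, "nonce": nonce, "proof": proof})


def hardened_server_check(body: str, stored_password: str, issued_nonces: set) -> bool:
    """Server-side check: the nonce must be one this server issued and is
    consumed on first use, so a captured body cannot be replayed."""
    msg = json.loads(body)
    nonce = msg.get("nonce")
    if nonce not in issued_nonces:
        return False
    issued_nonces.discard(nonce)  # single use
    expected = hmac.new(stored_password.encode(), f"{msg.get('id', '')}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(msg.get("proof", ""), expected)


def demo(nonce: str = "") -> dict:
    """Run both schemes against a 'rogue endpoint' that records the body."""
    nonce = nonce or secrets.token_hex(16)
    results = {}

    # Weak scheme: the secret is in the body and the body replays.
    weak = weak_heartbeat_body(CLIENT_ID, PRESET_AB_PASSWORD)
    results["weak_leaks_password"] = capture_from_body(weak) == PRESET_AB_PASSWORD
    results["weak_replay_accepted"] = weak_server_check(weak, PRESET_AB_PASSWORD)

    # Hardened scheme: nothing in the body is the password, and the nonce is
    # consumed on first use, so the same captured body is rejected on replay.
    issued = {nonce}
    hardened = hardened_heartbeat_body(CLIENT_ID, PRESET_AB_PASSWORD, nonce)
    results["hardened_body_contains_password"] = PRESET_AB_PASSWORD in hardened
    results["hardened_leaks_password"] = capture_from_body(hardened) is not None
    results["hardened_first_use_accepted"] = hardened_server_check(
        hardened, PRESET_AB_PASSWORD, issued)
    results["hardened_replay_accepted"] = hardened_server_check(
        hardened, PRESET_AB_PASSWORD, issued)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened form illustrates the property the advisory calls out and is not a complete fix: an HMAC over a server nonce still lets a rogue endpoint run an offline dictionary attack against a weak preset password, so the strength of the secret (or a PAKE-style protocol that gives the server nothing to grind on) matters as much as keeping the password out of the body. The check also depends on the server tracking the nonces it issued and consuming each on first use.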