
Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Threat Intelligence

CVE-2026-57522: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in bitwarden server

Bitwarden Server versions prior to 2026.5.0 contain a JSON injection vulnerability in the IntegrationTemplateProcessor.ReplaceTokens() function. This vulnerability arises because user-controlled values are substituted into event-integration templates without proper JSON encoding. Authenticated members can exploit this by setting their display name to JSON metacharacters, injecting arbitrary key-value pairs into payloads sent to webhook, SIEM, Slack, Teams, or Datadog endpoints. The injected fields appear indistinguishable from legitimate template output. The vulnerability has a low CVSS score of 2.3 and no known exploits in the wild.

CVE-2026-57521: Missing Authorization in bitwarden server

Bitwarden Server versions prior to 2026.5.0 have a broken access control vulnerability allowing any authenticated user to access billing data of arbitrary organizations without proper authorization. This occurs due to missing authorization checks on the PreviewInvoiceController endpoints, enabling attackers to retrieve sensitive billing details such as tax totals, subscription status, and customer subscription data. The vulnerability has a medium severity rating with a CVSS score of 5.3. No official patch or remediation guidance is currently confirmed.

CVE-2026-57520: Missing Authorization in bitwarden server

Bitwarden Server versions before 2026.5.0 have a privilege escalation vulnerability due to missing authorization checks in the bulk user removal endpoint. Authenticated Custom users with ManageUsers permission can exploit this flaw to remove Admin accounts from an organization by bypassing role hierarchy checks. This allows unauthorized removal of Admin users via crafted bulk DELETE requests.

CVE-2026-12755: CWE-1284 Improper validation of specified quantity in input in Devolutions Server

Improper input validation in the PAM AD discovery endpoints in Devolutions Server 2026.2.4.0 through 2026.2.7.0 allows an authenticated user with the UserGroupsView permission to coerce server-side authentication to an attacker-controlled host, exposing PAM provider credentials as an NTLMv2 challenge-response, via a crafted DomainName parameter.

CVE-2026-47684: CWE-918: Server-Side Request Forgery (SSRF) in Sync-in server

Sync-in Server is a secure, open-source platform for file storage, sharing, collaboration, and syncing. Prior to version 2.3.0, the private IP blocklist regex used in the URL download feature does not match IPv4-mapped IPv6 addresses (e.g. ::ffff:127.0.0.1), allowing SSRF protection to be bypassed on dual-stack systems. Version 2.3.0 fixes the issue.

CVE-2026-48165: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in MariaDB server

MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could have used the wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the Galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

CVE-2026-48163: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in MariaDB server

MariaDB server is a community-developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node interpolates parameters sent by the joiner into the command line. Not all of these parameters were properly validated, which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.

CVE-2026-44173: CWE-863: Incorrect Authorization in MariaDB server

MariaDB server versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and exactly 12.3.1 allowed execution of SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE statements without verifying the FILE privilege when the FROM clause contained only subqueries. This incorrect authorization issue has been fixed in later versions.

CVE-2026-44172: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MariaDB server

An SQL injection vulnerability exists in MariaDB server versions 3.3.18 and 3.4.8 when using mysql_real_escape_string() with the text protocol and the big5 character set. This vulnerability allows SQL injection despite the use of escaping functions. The issue has been fixed in versions 3.3.19 and 3.4.9.

CVE-2026-44171: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in MariaDB server

A path traversal vulnerability (CWE-22) exists in the mbstream component of MariaDB server versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and exactly 12.3.1. The vulnerability allows specially crafted archives containing '/../' sequences to cause mbstream to write files outside the intended target directory during archive unpacking. This issue has been addressed in MariaDB server versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
