24h | 7d | 30d

CVE-2026-4670

Overview

  • Progress Software
  • MOVEit Automation
30 Apr 2026
Published
01 May 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.22%
KEV

Description

Authentication bypass by primary weakness vulnerability in Progress Software MOVEit Automation allows Authentication Bypass. This issue affects MOVEit Automation: from 2025.0.0 before 2025.0.9, from 2024.0.0 before 2024.1.8, versions prior to 2024.0.0.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture fallback
Undercode Testing @undercode.bsky.social
Critical 98 MOVEit Automation Flaw Opens Enterprise File Transfer Systems to Unauthenticated Takeover + Video Introduction: A critical authentication bypass vulnerability (CVE-2026-4670, CVSS 9.8) and a high-severity privilege escalation flaw (CVE-2026-5174, CVSS 7.7) have been disclosed in…
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-41691

Overview

  • CODESYS
  • Control RTE (SL)
04 Aug 2025
Published
04 Aug 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.15%
KEV

Description

An unauthenticated remote attacker may trigger a NULL pointer dereference in the affected CODESYS Control runtime systems by sending specially crafted communication requests, potentially leading to a denial-of-service (DoS) condition.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
CERT@VDE @certvde

VDE-2026-005
ifm: Multiple Vulnerabilities in CR3171

The Firmware installed on the CR3171 is impacted by various CODESYS vulnerabilities.
CVE-2025-41659, CVE-2025-41691, CVE-2025-41658

certvde.com/en/advisories/vde-

ifm.csaf-tp.certvde.com/.well-

  • 0
  • 0
  • 0
  • 19h ago

CVE-2025-41659

Overview

  • CODESYS
  • Control RTE (SL)
04 Aug 2025
Published
04 Aug 2025
Updated
CVSS v3.1
HIGH (8.3)
EPSS
0.05%
KEV

Description

A low-privileged attacker can remotely access the PKI folder of the CODESYS Control runtime system and thus read and write certificates and its keys. This allows sensitive data to be extracted or to accept certificates as trusted. Although all services remain available, only unencrypted communication is possible if the certificates are deleted.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
CERT@VDE @certvde

VDE-2026-005
ifm: Multiple Vulnerabilities in CR3171

The Firmware installed on the CR3171 is impacted by various CODESYS vulnerabilities.
CVE-2025-41659, CVE-2025-41691, CVE-2025-41658

certvde.com/en/advisories/vde-

ifm.csaf-tp.certvde.com/.well-

  • 0
  • 0
  • 0
  • 19h ago

CVE-2025-41658

Overview

  • CODESYS
  • Runtime Toolkit
04 Aug 2025
Published
04 Aug 2025
Updated
CVSS v3.1
MEDIUM (5.5)
EPSS
0.02%
KEV

Description

CODESYS Runtime Toolkit-based products may expose sensitive files to local low-privileged operating system users due to default file permissions.

Statistics

  • 1 Post
Last activity: 19 hours ago

Fediverse

Profile picture fallback
CERT@VDE @certvde

VDE-2026-005
ifm: Multiple Vulnerabilities in CR3171

The Firmware installed on the CR3171 is impacted by various CODESYS vulnerabilities.
CVE-2025-41659, CVE-2025-41691, CVE-2025-41658

certvde.com/en/advisories/vde-

ifm.csaf-tp.certvde.com/.well-

  • 0
  • 0
  • 0
  • 19h ago

CVE-2022-40635

Overview

  • Crafter Software
  • Crafter CMS
13 Sep 2022
Published
16 Sep 2024
Updated
CVSS v3.1
MEDIUM (6.4)
EPSS
12.99%
KEV

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
pentest-tools.com @pentesttools

The Crafter CMS Groovy sandbox has been patched three times. CVE-2021-23259, CVE-2022-40635, CVE-2025-6384.

Our team went back in anyway and found 14 distinct RCE bypass techniques in v5.0.0: AST Transformations, SpelExpressionParser, GroovyShell, Template Engines, XStream, BeanShell, Jakarta EL, Commons Exec, Object Factories, MBeans, and more.

The sandbox wasn't broken in one place. It was porous.

CVE-2026-1770 (PTT-2025-022). Full PoC: pentest-tools.com/research

  • 0
  • 0
  • 0
  • 14h ago

CVE-2026-1770

Overview

  • CrafterCMS
  • CrafterCMS
  • Studio
02 Feb 2026
Published
02 Feb 2026
Updated
CVSS v4.0
MEDIUM (4.5)
EPSS
0.04%
KEV

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution).

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
pentest-tools.com @pentesttools

The Crafter CMS Groovy sandbox has been patched three times. CVE-2021-23259, CVE-2022-40635, CVE-2025-6384.

Our team went back in anyway and found 14 distinct RCE bypass techniques in v5.0.0: AST Transformations, SpelExpressionParser, GroovyShell, Template Engines, XStream, BeanShell, Jakarta EL, Commons Exec, Object Factories, MBeans, and more.

The sandbox wasn't broken in one place. It was porous.

CVE-2026-1770 (PTT-2025-022). Full PoC: pentest-tools.com/research

  • 0
  • 0
  • 0
  • 14h ago

CVE-2025-6384

Overview

  • CrafterCMS
  • CrafterCMS
  • Studio
19 Jun 2025
Published
23 Jun 2025
Updated
CVSS v4.0
HIGH (7.3)
EPSS
0.32%
KEV

Description

Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of CrafterCMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass Sandbox restrictions and obtain RCE (Remote Code Execution). This issue affects CrafterCMS: from 4.0.0 through 4.2.2.

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
pentest-tools.com @pentesttools

The Crafter CMS Groovy sandbox has been patched three times. CVE-2021-23259, CVE-2022-40635, CVE-2025-6384.

Our team went back in anyway and found 14 distinct RCE bypass techniques in v5.0.0: AST Transformations, SpelExpressionParser, GroovyShell, Template Engines, XStream, BeanShell, Jakarta EL, Commons Exec, Object Factories, MBeans, and more.

The sandbox wasn't broken in one place. It was porous.

CVE-2026-1770 (PTT-2025-022). Full PoC: pentest-tools.com/research

  • 0
  • 0
  • 0
  • 14h ago

CVE-2021-23259

Overview

  • Crafter Software
  • Crafter CMS
02 Dec 2021
Published
16 Sep 2024
Updated
CVSS v3.1
MEDIUM (4.2)
EPSS
0.39%
KEV

Description

Authenticated users with Administrator or Developer roles may execute OS commands by Groovy Script which uses Groovy lib to render a webpage. The groovy script does not have security restrictions, which will cause attackers to execute arbitrary commands remotely(RCE).

Statistics

  • 1 Post
Last activity: 14 hours ago

Fediverse

Profile picture fallback
pentest-tools.com @pentesttools

The Crafter CMS Groovy sandbox has been patched three times. CVE-2021-23259, CVE-2022-40635, CVE-2025-6384.

Our team went back in anyway and found 14 distinct RCE bypass techniques in v5.0.0: AST Transformations, SpelExpressionParser, GroovyShell, Template Engines, XStream, BeanShell, Jakarta EL, Commons Exec, Object Factories, MBeans, and more.

The sandbox wasn't broken in one place. It was porous.

CVE-2026-1770 (PTT-2025-022). Full PoC: pentest-tools.com/research

  • 0
  • 0
  • 0
  • 14h ago
Showing 21 to 28 of 28 CVEs