Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

danpros

Source -

CNA

BOS Name -

N/A

CNA CVEs -

2

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated ProductsRelated AssignersReports
2Vulnerabilities found

CVE-2026-57940
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-2.1||LOW
EPSS-0.23% / 13.65%
||
7 Day CHG~0.00%
Published-26 Jun, 2026 | 13:08
Updated-26 Jun, 2026 | 20:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

HTMLy 3.1.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the RSS feed import functionality. The function get_feed() in system/admin/admin.php passes user-supplied $feed_url directly to file_get_contents() without any validation. An authenticated attacker with administrative privileges can exploit this by entering a crafted URL (e.g., http://dnslog.example.com, file:///etc/passwd, or http://169.254.169.254 in cloud contexts) via Tools -> Import RSS. The server will then make a request to the attacker-controlled target.

Action-Not Available
Vendor-danpros
Product-HTMLy
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-45233
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-7.2||HIGH
EPSS-0.57% / 42.84%
||
7 Day CHG~0.00%
Published-25 Jun, 2026 | 15:50
Updated-25 Jun, 2026 | 19:25
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
HTMLy CMS 3.1.1 Path Traversal via oldfile Parameter in Autosave

HTMLy CMS through 3.1.1 contains a path traversal vulnerability that allows low-privileged authenticated attackers to relocate arbitrary files by supplying directory traversal sequences in the oldfile parameter at the admin autosave endpoint. Attackers can pass unsanitized traversal sequences directly to file_exists() and rename() functions in admin.php without canonicalization or directory boundary enforcement to cause unintended relocation of any file writable by the web server process to an attacker-specified draft location.

Action-Not Available
Vendor-danpros
Product-htmly
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')