Jasperx

**Name of the Vulnerable Software and Affected Versions** vertex-app vertex versions prior to 2026.02.12 **Description** An issue exists in the Log Viewer Endpoint component within the file app/model/LogMod.js. Improper processing of the `req.query` argument allows for remote OS command injection, which occurs when an attacker can execute arbitrary operating system commands on the server. **Recommendations** Apply patch 805d82e7100d49b79b3beb1b9420e8e458987198 for versions prior to 2026.02.12.

**Name of the Vulnerable Software and Affected Versions** crocodilestick Calibre-Web-Automated versions prior to 4.0.7 **Description** Improper authorization in the Kobo auth-token Route allows a remote attacker to manipulate the `generate auth token()` function within the `cps/kobo auth.py` file. **Recommendations** Update to version 4.0.7.

**Name of the Vulnerable Software and Affected Versions** crocodilestick Calibre-Web-Automated versions prior to 4.0.7 **Description** A flaw in the Admin Endpoint component, specifically within the `cps/cwa functions.py` file, allows for missing authentication. This issue enables a remote attacker to bypass authentication mechanisms. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** janeczku Calibre-Web versions prior to 0.6.27 **Description** Improper authorization occurs in the Endpoint component due to the manipulation of the `user id` argument within the `generate auth token()` function located in the cps/kobo auth.py file. This issue allows a remote attacker to bypass authorization mechanisms. **Recommendations** As a temporary workaround, restrict access to the `generate auth token()` function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.