| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-27806 | Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit | fleetdm | fleet | High | 7.8 | 2026-04-08 17:40:24 | Deep Dive |
| CVE-2026-34391 | Fleet Vulnerable to Windows MDM cross-device command disclosure | fleetdm | fleet | Medium | - | 2026-03-27 19:19:48 | Deep Dive |
| CVE-2026-34389 | Fleet's user account creation via invite does not enforce invited email address | fleetdm | fleet | Medium | - | 2026-03-27 19:18:19 | Deep Dive |
| CVE-2026-34388 | Fleet vulnerable to Denial of Service via unhandled gRPC log type in launcher endpoint | fleetdm | fleet | High | - | 2026-03-27 19:13:00 | Deep Dive |
| CVE-2026-34387 | Fleet vulnerable to OS command injection via crafted software package metadata in uninstall scripts | fleetdm | fleet | High | - | 2026-03-27 18:31:28 | Deep Dive |
| CVE-2026-34386 | Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin | fleetdm | fleet | High | - | 2026-03-27 18:30:11 | Deep Dive |
| CVE-2026-34385 | Fleet's Apple MDM profile delivery has second-order SQL injection that can compromise the database | fleetdm | fleet | High | - | 2026-03-27 18:29:06 | Deep Dive |
| CVE-2026-29180 | Fleet's team maintainer can transfer hosts from any team via missing source team authorization | fleetdm | fleet | Medium | - | 2026-03-27 18:27:16 | Deep Dive |
| CVE-2026-26061 | Fleet's unbounded request body read allows remote Denial of Service | fleetdm | fleet | High | - | 2026-03-27 18:23:50 | Deep Dive |
| CVE-2026-26060 | Fleet: Password reset tokens remain valid after password change for 24 hours | fleetdm | fleet | High | - | 2026-03-27 18:22:43 | Deep Dive |
| CVE-2026-27465 | Fleet: Sensitive Google Calendar credentials disclosed to low-privileged users | fleetdm | fleet | - | - | 2026-02-26 02:54:05 | Deep Dive |
| CVE-2026-25963 | Fleet: Authorization Bypass in certificate template batch deletion for team administrators | fleetdm | fleet | - | - | 2026-02-26 02:49:21 | Deep Dive |
| CVE-2026-23999 | Fleet: Device lock PIN can be predicted if lock time is known | fleetdm | fleet | - | - | 2026-02-26 02:45:48 | Deep Dive |
| CVE-2026-24004 | Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint | fleetdm | fleet | - | - | 2026-02-26 02:43:15 | Deep Dive |
| CVE-2026-26186 | Fleet has a SQL injection via backtick escape in ORDER BY parameter | fleetdm | fleet | - | - | 2026-02-26 00:05:02 | Deep Dive |
| CVE-2026-23518 | Fleet has a JWT signature bypass vulnerability in Azure AD MDM enrollment | fleetdm | fleet | - | - | 2026-01-21 21:50:48 | Deep Dive |
| CVE-2026-23517 | Fleet has an Access Control vulnerability in debug/pprof endpoints | fleetdm | fleet | - | - | 2026-01-21 21:45:35 | Deep Dive |
| CVE-2026-22808 | Fleet Windows MDM endpoint has a Cross-site Scripting vulnerability | fleetdm | fleet | - | - | 2026-01-21 21:18:26 | Deep Dive |
| CVE-2025-13819 | Open redirect in web server of MiR robots and MiR fleet | MiR | Robot | Medium | 6.1 | 2025-12-01 09:41:08 | Deep Dive |
| CVE-2025-12538 | Fleet Manager <= 2.5.1 - Authenticated (Editor+) Stored Cross-Site Scripting | iworks | Fleet Manager | Medium | 4.4 | 2025-11-11 03:30:37 | Deep Dive |