673 matches found
ZimaOS <= v1.2.4 - Sensitive Information Disclosure
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.2.4 and all prior versions, the API endpoints in ZimaOS, such as http:///v1/users/image?path=/var/lib/casaos/1/apporder.json and http:///v1/users/image?path=/var/lib/casaos/1/system.json,...
CVE-2026-57752
Contributor SQL Injection in iNET Webkit 1.2.4 versions...
EUVD-2026-41308
Contributor SQL Injection in iNET Webkit 1.2.4 versions...
CVE-2026-57752 WordPress iNET Webkit plugin 1.2.4 - SQL Injection vulnerability
Contributor SQL Injection in iNET Webkit 1.2.4 versions...
CVE-2026-57752
The CVE-2026-57752 entry covers a Contributor SQL Injection in the WordPress iNET Webkit plugin version 1.2.4. The vulnerability is described without attack details; CVSS 3.1 base score 8.5 (Network attack, Low complexity, Privileges Required: Low, User Interaction: None, Confidentiality Impact: ...
CVE-2026-8335
A missing authentication check on the Aix‑DB "/llm/processllmout" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are...
CVE-2026-42563 Dulwich Vulnerable to Command Injection via Merge Driver Path
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's ProcessMergeDriver substitutes the file path from the git tree, controllable by an attacker via a malicious branch into the merge driver command via the ...
CVE-2026-8335
A missing authentication check on the Aix‑DB "/llm/processllmout" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are...
EUVD-2026-36050
A missing authentication check on the Aix‑DB "/llm/processllmout" endpoint allows unauthenticated clients to execute arbitrary "SELECT" SQL queries and retrieve database data, as the endpoint lacks the token validation enforced on all other application endpoints. All releases up to 1.2.4 are...
CVE-2026-8335
CVE-2026-8335 affects Aix-DB. A missing authentication check on the "/llm/process_llm_out" endpoint allows unauthenticated clients to execute arbitrary SQL (e.g., arbitrary SELECTs) and retrieve database data, because token validation enforced on other endpoints is absent here. All releases up to...
Inefficient CPU Computation
Overview Nerdbank.MessagePack is an A modern, fast and NativeAOT-compatible MessagePack serialization library Affected versions of this package are vulnerable to Inefficient CPU Computation in the WithExpandoObjectConverter. An attacker can cause excessive CPU consumption by deserializing special...
WordPress NS Product icon badge plugin <= 1.2.4 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin NS Product icon badge versions = 1.2.4...
CVE-2026-8707
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...
CVE-2026-8707
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...
CVE-2026-8707 NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...
CVE-2026-8707
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHP_SELF in all versions up to 1.2.4 due to insufficient input sanitization and output escaping. Affected: WordPress plugin NS Product icon badge; vulnerable component: code handling user input/outp...
CVE-2026-8707 NS Product icon badge <= 1.2.4 - Reflected Cross-Site Scripting via PHP_SELF
The NS Product icon badge plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via PHPSELF in all versions up to, and including, 1.2.4 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts i...
CVE-2026-47672
epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. In 1.2.4 and earlier, any network-reachable caller can write arbitrary documents to any patient's electronic health record accessible by the institution's SMC-B card. In a misconfigured deployment e.g.,...
CVE-2026-41205 affecting package python-mako for versions less than 1.2.4-3
CVE-2026-41205 affecting package python-mako for versions less than 1.2.4-3. A patched version of the package is available...
CVE-2026-5802
A vulnerability was identified in idachev mcp-javadc up to 1.2.4. Impacted is an unknown function of the component HTTP Interface. Such manipulation of the argument jarFilePath leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might...