23 matches found
CVE-2026-47190
The CVE concerns IPAM (Metal3) where the IPAM controller’s ClusterRole granted full CRUD access to core/v1 Secrets prior to versions 1.11.7, 1.12.4, and 1.13.0. Although the controller does not access Secrets during normal operation, a compromised IPAM pod (e.g., via supply‑chain attack or contai...
EUVD-2026-36463
IPAM is the IP address Manager for Cluster API Provider Metal3. Prior to versions 1.11.7, 1.12.4, and 1.13.0, the IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal...
Malicious code in js-shared-modules (npm)
Source: amazon-inspector (b5d28882e3ff8afe78db631ca5e1129d2b08f976f17f66ffe2b14834184ce09a) package.json declares "postinstall": "node poc.js", which fires automatically on every npm install. poc.js reads os.hostname, hex-encodes it, and...
MAL-2026-5098 Malicious code in js-shared-modules (npm)
Source: amazon-inspector (b5d28882e3ff8afe78db631ca5e1129d2b08f976f17f66ffe2b14834184ce09a) package.json declares "postinstall": "node poc.js", which fires automatically on every npm install. poc.js reads os.hostname, hex-encodes it, and...
GHSA-49PM-43HF-6XFQ IPAM controller service account granted unnecessary full access to Secrets
Impact: IPAM is the IP address Manager for Cluster API Provider Metal3. The IPAM controller's ClusterRole granted full CRUD permissions (create, delete, get, list, patch, update, watch) on core/v1 Secrets. The controller never accesses Secrets during normal operation. If the controller pod were...
EUVD-2025-7797
Malicious code in bioql PyPI...
CVE-2024-54206
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in URBAN BASE Z-Downloads z-downloads allows Stored XSS. This issue affects Z-Downloads: from n/a through <= 1.11.7...
CVE-2023-33926
Cross-Site Request Forgery (CSRF) vulnerability in Supsystic Easy Google Maps plugin <= 1.11.7 versions...
CVE-2025-27604
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. The homepage of the application is public which enables a guest to download the package which might contain sensitive information. This vulnerability is fixed in 1.11.7...
CVE-2025-27604 XWiki Confluence Migrator Pro's homepage is public
XWiki Confluence Migrator Pro helps admins to import confluence packages into their XWiki instance. The homepage of the application is public which enables a guest to download the package which might contain sensitive information. This vulnerability is fixed in 1.11.7...
CVE-2025-27604
CVE-2025-27604 affects XWiki Confluence Migrator Pro. The vulnerability arises because the application homepage is public, allowing a guest to download the migration package that may contain sensitive information. Impact is information disclosure; no exploitation details are provided in the sourc...
Confluence Migrator Application information disclosure vulnerability
Confluence Migrator Application is an open source migrator application from XWiki SAS. An information disclosure vulnerability exists in Confluence Migrator Application versions prior to 1.11.7. An attacker can exploit this vulnerability to obtain sensitive information...
PT-2024-36083 · Unknown · Urban Base Z-Downloads
Name of the Vulnerable Software and Affected Versions: URBAN BASE Z-Downloads versions 1.11.7 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Stored XSS attacks. Recommendations: For...
CVE-2023-2526
The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forg...
Cross site request forgery (csrf)
The Easy Google Maps plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.11.7. This is due to missing or incorrect nonce validation on the AJAX action handler. This makes it possible for unauthenticated attackers to execute AJAX actions via a forg...
PT-2023-20002 · WordPress · Easy Google Maps
Name of the Vulnerable Software and Affected Versions: Easy Google Maps plugin for WordPress versions up to and including 1.11.7 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the AJAX action handler. This allows unauthenticated...
WordPress plugin Easy Google Maps cross-site request forgery vulnerability
WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A cross-site request forgery vulnerability exists in WordPress Easy Google Maps plugin version 1.11.7 and earlier versions. The vulnerability stem...
PT-2023-24573 · WordPress · Supsystic Easy Google Maps
Name of the Vulnerable Software and Affected Versions: Supsystic Easy Google Maps plugin versions <= 1.11.7 Description: The issue is related to a Cross-Site Request Forgery (CSRF) vulnerability. This means an attacker could potentially trick a user into performing unintended actions on a web...