
37 matches found

Vulnrichment
added 2026/05/08 10:35 p.m. · 5 views

CVE-2026-42350 Kargo: Open Redirect in UI OIDC Login Flow via redirectTo Query Parameter

Kargo manages and automates the promotion of software artifacts. Prior to versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2, Kargo is vulnerable to open redirect in UI OIDC login flow via the redirectTo query parameter. This issue has been patched in versions 1.7.10, 1.8.13, 1.9.8, and 1.10.2...

5.1 CVSS · 5.7 AI score · 0.00054 EPSS
Exploits 0 · References 1

OSV
added 2026/03/26 4:0 a.m. · 2 views

MAL-2026-2230 Malicious code in aquasecurityofficial.trivy-vulnerability-scanner (VSCode:https://open-vsx.org)

Source: google-open-source-security b6cab1dae06f51e2aaa57704d8374b6882440070d0796e7b719a85e6f803888b This extension is a compromised version of the official Trivy VSCode extension available on the Microsoft Marketplace. Versions 1.8.11 and...

5.9 AI score
Exploits 0 · References 1

SUSE CVE
added 2025/05/31 1:26 a.m. · 1 views

SUSE CVE-2025-48371

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...

8.8 CVSS · 6.6 AI score · 0.001 EPSS
Exploits 0 · References 3

Github Security Blog
added 2025/05/23 6:41 p.m. · 26 views

OpenFGA Authorization Bypass

Overview OpenFGA v1.8.0 to v1.8.12 openfga-0.2.16 = Helm chart = openfga-0.2.31, v1.8.0 = docker = v.1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Am I Affected? If you are using OpenFGA v1.8.0 to v1.8.12, specifically under the following...

8.8 CVSS · 5.9 AI score · 0.001 EPSS
Exploits 0 · References 5 · Affected Software 1

OSV
added 2025/05/22 10:20 p.m. · 6 views

CVE-2025-48371 OpenFGA Authorization Bypass

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...

5.8 CVSS · 6.5 AI score · 0.001 EPSS
Exploits 0 · References 4

RedhatCVE
added 2025/03/14 8:48 a.m. · 5 views

CVE-2024-13228

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive...

6.5 CVSS · 6.4 AI score · 0.0027 EPSS
Exploits 0 · References 1

OSV
added 2025/03/11 7:15 a.m. · 0 views

CVE-2024-13228

The Qubely – Advanced Gutenberg Blocks plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.8.13 via the 'qubely_get_content'. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive...

6.5 CVSS · 5.8 AI score
Exploits 0 · References 3

CNNVD
added 2025/03/11 12:0 a.m. · 2 views

WordPress plugin Qubely security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security...

6.5 CVSS · 8.7 AI score · 0.0027 EPSS
Exploits 0 · References 4

Patchstack
added 2025/03/10 9:43 p.m. · 4 views

WordPress Qubely plugin <= 1.8.13 - Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content vulnerability

Authenticated (Contributor+) Sensitive Information Exposure via qubely_get_content vulnerability discovered by Nishiv in WordPress Plugin Qubely versions <= 1.8.13...

6.5 CVSS · 7 AI score · 0.0027 EPSS
Exploits 0 · References 1 · Affected Software 1

OSV
added 2023/10/04 11:15 a.m. · 1 views

CVE-2023-25788

Cross-Site Request Forgery (CSRF) vulnerability in Saphali Saphali Woocommerce Lite plugin <= 1.8.13 versions...

8.8 CVSS · 7.3 AI score
Exploits 0 · References 1

Positive Technologies
added 2023/10/04 12:0 a.m. · 3 views

PT-2023-20304 · WordPress · Saphali Woocommerce Lite

Name of the Vulnerable Software and Affected Versions: Saphali Woocommerce Lite plugin versions = 1.8.13 Description: The issue is a Cross-Site Request Forgery CSRF vulnerability. This means an attacker can trick a user into performing unintended actions on a web application that the user is...

8.8 CVSS · 8.8 AI score · 0.00065 EPSS
Exploits 0 · References 5

OpenVAS
added 2023/02/23 12:0 a.m. · 25 views

WordPress Popup Maker Plugin < 1.8.13 Authorization Bypass Vulnerability

The WordPress plugin SPDX-FileCopyrightText: 2023 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:code-atlantic:popupmaker"; ifdescription...

9.1 CVSS · 9.4 AI score · 0.86894 EPSS
Exploits 2 · References 2

SUSE CVE
added 2023/02/15 5:58 a.m. · 2 views

SUSE CVE-2010-2228

Cross-site scripting (XSS) vulnerability in the MNET access-control interface in Moodle before 1.8.13 and 1.9.x before 1.9.9 allows remote attackers to inject arbitrary web script or HTML via vectors involving extended characters in a username...

4.3 CVSS · 6 AI score · 0.0061 EPSS
Exploits 0 · References 4

Prion
added 2022/12/21 8:15 p.m. · 11 views

Cross site request forgery (csrf)

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request...

3.8 CVSS · 5.2 AI score · 0.00784 EPSS
Exploits 0 · References 3 · Affected Software 1

Vulnrichment
added 2022/12/21 7:50 p.m. · 3 views

CVE-2022-23551 AAD Pod Identity obtaining token with backslash

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request...

5.3 CVSS · 5.2 AI score · 0.00784 EPSS
Exploits 0 · References 3

Cvelist
added 2022/12/21 7:50 p.m. · 12 views

CVE-2022-23551 AAD Pod Identity obtaining token with backslash

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request...

5.3 CVSS · 5.5 AI score · 0.00784 EPSS
Exploits 0 · References 3

OSV
added 2022/12/21 7:50 p.m. · 13 views

CVE-2022-23551 AAD Pod Identity obtaining token with backslash

aad-pod-identity assigns Azure Active Directory identities to Kubernetes applications and has now been deprecated as of 24 October 2022. The NMI component in AAD Pod Identity intercepts and validates token requests based on regex. In this case, a token request made with backslash in the request...

5.3 CVSS · 5.3 AI score · 0.00784 EPSS
Exploits 0 · References 5

Positive Technologies
added 2022/12/21 12:0 a.m. · 1 views

PT-2022-7109 · Microsoft · Aad Pod Identity

Name of the Vulnerable Software and Affected Versions: AAD Pod Identity versions prior to 1.8.13 Description: The issue is related to the NMI component in AAD Pod Identity, which intercepts and validates token requests based on regex. A token request made with a backslash in the request, for...

5.5 CVSS · 6.8 AI score · 0.00784 EPSS
Exploits 0 · References 10

WPVulnDB
added 2022/10/20 12:0 a.m. · 11 views

Simple SEO < 1.8.13 - Subscriber+ Sitemap Creation/Deletion

The plugin does not have an authorisation check when creating and deleting sitemaps, which could allow any authenticated user, such as a subscriber, to create and delete them...

5.4 CVSS · 3.6 AI score · 0.00113 EPSS
Exploits 0 · Affected Software 1

Prion
added 2021/07/21 6:15 p.m. · 7 views

Sql injection

An Argument Injection issue in the plugin management of Etherpad 1.8.13 allows privileged users to execute arbitrary code on the server by installing plugins from an attacker-controlled source...

6.5 CVSS · 7.3 AI score · 0.00444 EPSS
Exploits 1 · References 2 · Affected Software 1