
RedhatCVE · added 2026/04/01 11:1 p.m. · 2 views

CVE-2026-34372

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user who has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without ev...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 1

Snyk · added 2026/03/31 11:2 p.m. · 1 view

Authentication Bypass Using an Alternate Path or Channel

Overview sulu/sulu is a highly extensible open-source PHP content management system based on the Symfony framework. Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the admin API. An attacker can gain unauthorized access to...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 2

CVE · added 2026/03/31 8:19 p.m. · 6 views

CVE-2026-34372

The CVE refers to a permission-check issue in Sulu’s Admin API where a user with at least one Admin role could access subentities (e.g., contacts) via the Admin API without having explicit permission for those contacts. This was fixed in Sulu releases 2.6.22 and 3.0.5. A Symfony Request Listener ...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 3 · Affected Software 1

Vulnrichment · added 2026/03/31 8:19 p.m. · 1 view

CVE-2026-34372 Sulu checks fix permissions for subentities endpoints

Sulu is an open-source PHP content management system based on the Symfony framework. From versions 1.0.0 to before 2.6.22, and 3.0.0 to before 3.0.5, a user who has permission for the Sulu Admin via at least one role could have access to the sub-entities of contacts via the admin API without ev...

CVSS 5.3 · AI score 5.8 · EPSS 0.00018
Exploits 0 · References 3

Github Security Blog · added 2026/03/30 6:4 p.m. · 1 view

Sulu checks fix permissions for subentities endpoints

Impact: A user who has permission for the Sulu Admin via at least one role could have access to the subentities of contacts via the admin API without even having permission for contacts. Patches: The issue was patched in releases 2.6.22 and 3.0.5. Workarounds: Create a Symfony Request Listener checkin...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 5 · Affected Software 1

OSV · added 2026/03/30 6:4 p.m. · 2 views

GHSA-6H7H-M7P5-HJQP Sulu checks fix permissions for subentities endpoints

Impact: A user who has permission for the Sulu Admin via at least one role could have access to the subentities of contacts via the admin API without even having permission for contacts. Patches: The issue was patched in releases 2.6.22 and 3.0.5. Workarounds: Create a Symfony Request Listener checkin...

CVSS 5.3 · AI score 5.9 · EPSS 0.00018
Exploits 0 · References 5

EUVD · added 2025/10/03 8:7 p.m. · 1 view

EUVD-2025-8471

Malicious code in bioql PyPI...

CVSS 5.9 · AI score 9.2 · EPSS 0.00069
Exploits 0 · References 2

OSV · added 2025/04/11 12:15 p.m. · 0 views

CVE-2025-2541

The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and...

CVSS 5.4 · AI score 7.4
Exploits 0 · References 4

CNNVD · added 2025/04/11 12:0 a.m. · 1 view

WordPress plugin WP Project Manager cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.4 · AI score 6.7 · EPSS 0.00304
Exploits 0 · References 6

OSV · added 2025/04/09 5:15 a.m. · 2 views

CVE-2025-3100

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping...

CVSS 5.4 · AI score 7.4 · EPSS 0.00246
Exploits 0 · References 3

CNNVD · added 2025/04/09 12:0 a.m. · 2 views

WordPress plugin WP Project Manager cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 6.4 · AI score 6.6 · EPSS 0.00246
Exploits 0 · References 3

CNNVD · added 2025/04/04 12:0 a.m. · 1 view

WordPress plugin WP Project Manager cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site request forger...

CVSS 8.8 · AI score 8.6 · EPSS 0.00309
Exploits 0 · References 1

OSV · added 2025/03/27 3:15 p.m. · 0 views

CVE-2025-22649

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project Manager (wedevs-project-manager) allows Stored XSS. This issue affects WP Project Manager: from n/a through 2.6.22...

CVSS 4.8 · AI score 7.3
Exploits 0 · References 1

CNNVD · added 2025/03/27 12:0 a.m. · 1 view

WordPress plugin WP Project Manager cross-site scripting vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 5.9 · AI score 8.1 · EPSS 0.00069
Exploits 0 · References 2

Positive Technologies · added 2023/02/13 12:0 a.m. · 1 view

PT-2023-34945 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v6.1.11 Description: The issue concerns checking font dimension limits. It was introduced in version v2.6.22 and fixed in version v6.1.11. The actual impact and attack plausibility have not yet been proven...

AI score 7.2
Exploits 0 · References 1

Positive Technologies · added 2023/02/13 12:0 a.m. · 2 views

PT-2023-35111 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.15.93 Description: The issue concerns checking font dimension limits. It was introduced in version v2.6.22 and fixed in version v5.15.93. The actual impact and attack plausibility have not yet been proven...

AI score 7.2
Exploits 0 · References 1

OSV · added 2023/01/17 6:19 p.m. · 14 views

GSD-2023-1000875 usb: rndis_host: Secure rndis_query check against int overflow

usb: rndis_host: Secure rndis_query check against int overflow. This is an automated ID intended to aid in discovery of potential security vulnerabilities. The actual impact and attack plausibility have not yet been proven. This ID is fixed in Linux Kernel version v5.15.87 by commit...

AI score 7.2
Exploits 0

Positive Technologies · added 2022/11/14 12:0 a.m. · 1 view

PT-2022-35195 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux Kernel versions 2.6.22 through 5.15.76 Description: A possible memory leak was identified in the ehea register port function. The actual impact and attack plausibility have not yet been proven. Recommendations: For Linux Kernel versions...

AI score 7.2
Exploits 0 · References 1

Positive Technologies · added 2022/10/09 12:0 a.m. · 1 view

PT-2022-34828 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux Kernel versions prior to v5.15.71 Description: A potential security issue exists where kmalloc failure is not properly handled, potentially leading to undefined behavior. The issue was introduced in version v2.6.22 and is fixed in versi...

AI score 7.2
Exploits 0 · References 1

OpenVAS · added 2022/08/26 12:0 a.m. · 25 views

Ubuntu: Security Advisory (USN-751-1)

The remote host is missing an update for the ... SPDX-FileCopyrightText: 2022 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...

CVSS 10 · AI score 6.5 · EPSS 0.15492
Exploits 22 · References 2