
23 matches found

Tenable Nessus
added 2026/05/19 12:0 a.m., 4 views

Fedora 43 : SDL2_image (2026-f1f87b465a)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-f1f87b465a advisory. Update to bugfix release 2.8.12. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus...

CVSS 7.1, AI score 5.8, EPSS 0.00012
Exploits: 0, References: 2
Tenable Nessus
added 2026/05/14 12:0 a.m., 4 views

Fedora 44 : SDL2_image (2026-7fe0476df9)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-7fe0476df9 advisory. Update to bugfix release 2.8.12. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus...

CVSS 7.1, AI score 5.8, EPSS 0.00012
Exploits: 0, References: 2
RedhatCVE
added 2025/12/11 11:55 p.m., 3 views

CVE-2025-67509

Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool e.g., for LLM agent querying, however, validation based on the first keyword e.g.,...

CVSS 8.2, AI score 8, EPSS 0.00046
Exploits: 0, References: 1
RedhatCVE
added 2025/12/11 11:4 p.m., 4 views

CVE-2025-67510

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context...

CVSS 9.4, AI score 7.9, EPSS 0.00103
Exploits: 0, References: 1
Vulnrichment
added 2025/12/10 11:5 p.m., 2 views

CVE-2025-67509 MySQLSelectTool Read-Only Bypass via SELECT INTO OUTFILE Allows Arbitrary File Write

Neuron is a PHP framework for creating and orchestrating AI Agents. Versions 2.8.11 and below use MySQLSelectTool, which is vulnerable to Read-Only Bypass. MySQLSelectTool is intended to be a read-only SQL tool e.g., for LLM agent querying, however, validation based on the first keyword e.g.,...

CVSS 8.2, AI score 7.6, EPSS 0.00046
Exploits: 0, References: 3
Vulnrichment
added 2025/12/10 10:55 p.m., 1 views

CVE-2025-67510 MySQLWriteTool allows arbitrary/destructive SQL when exposed to untrusted prompts (agent “footgun”)

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare + execute without semantic restrictions. This is consistent with the name “write tool”, but in an LLM/agent context...

CVSS 9.4, AI score 7.5, EPSS 0.00103
Exploits: 0, References: 3
Positive Technologies
added 2025/12/10 12:0 a.m., 4 views

PT-2025-50555

Name of the Vulnerable Software and Affected Versions Neuron versions 2.8.11 and below Description Neuron is a PHP framework used for creating and orchestrating AI Agents. The framework utilizes MySQLSelectTool, which has a Read-Only Bypass issue. The tool’s validation, based on the first keyword...

CVSS 8.2, AI score 6, EPSS 0.00046
Exploits: 0, References: 9
Positive Technologies
added 2025/12/10 12:0 a.m., 4 views

PT-2025-50556

Name of the Vulnerable Software and Affected Versions Neuron versions prior to 2.8.12 Description The PHP framework Neuron has an issue where the MySQLWriteTool can execute arbitrary SQL queries provided by a caller, utilizing PDO::prepare and execute without restrictions. This occurs because the...

CVSS 9.4, AI score 7.8, EPSS 0.00103
Exploits: 0, References: 7
Snyk
added 2025/12/09 5:19 p.m., 1 views

Execution with Unnecessary Privileges

Overview neuron-core/neuron-ai is a The PHP Agentic Framework. Affected versions of this package are vulnerable to Execution with Unnecessary Privileges via the MySQLWriteTool which uses PDO::prepare + execute without semantic restrictions. An attacker can execute arbitrary and potentially...

CVSS 9.4, AI score 7.7, EPSS 0.00103
Exploits: 0, References: 2
Patchstack
added 2025/11/05 1:25 a.m., 2 views

WordPress WPeMatico RSS Feed Fetcher plugin <= 2.8.11 - Authenticated (Subscriber+) Server-Side Request Forgery via wpematico_test_feed vulnerability

Authenticated Subscriber+ Server-Side Request Forgery via wpematico_test_feed vulnerability discovered by Rafshanzani Suhada in WordPress Plugin WPeMatico RSS Feed Fetcher versions <= 2.8.11...

CVSS 6.4, AI score 6.8, EPSS 0.0005
Exploits: 0, References: 1, Affected Software: 1
EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2022-45055

Malicious code in bioql PyPI...

CVSS 4.3, AI score 4.7, EPSS 0.00199
Exploits: 0, References: 2
OSV
added 2024/10/05 4:15 p.m., 0 views

CVE-2024-47377

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in ThemeKraft BuddyForms allows Stored XSS. This issue affects BuddyForms: from n/a through 2.8.12...

CVSS 5.4, AI score 5.8, EPSS 0.00116
Exploits: 0, References: 1
CNNVD
added 2024/10/05 12:0 a.m., 1 views

WordPress plugin BuddyForms Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site scripting...

CVSS 5.9, AI score 6.2, EPSS 0.00116
Exploits: 0, References: 2
Patchstack
added 2024/09/30 12:0 a.m., 13 views

WordPress BuddyForms Plugin <= 2.8.12 is vulnerable to Cross Site Scripting (XSS)

Software BuddyForms Type Plugin Vulnerable versions <= 2.8.12 Fixed in 2.8.13 OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2024-47377 Patch priority Low CVSS severity Low 5.9 Developer Claim ownership PSID 9418faef5fbf Credits SOPROBRO Required privilege Editor...

CVSS 5.9, AI score 6.5, EPSS 0.00116
Exploits: 0, References: 2, Affected Software: 1
Positive Technologies
added 2023/11/30 12:0 a.m., 2 views

PT-2023-26459 · WordPress · Campaign Monitor For Wordpress

Name of the Vulnerable Software and Affected Versions: Campaign Monitor for WordPress versions through 2.8.12 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, allowing Reflected XSS. This enables potential...

CVSS 7.1, AI score 6.6, EPSS 0.00193
Exploits: 0, References: 4
Tenable Nessus
added 2023/06/07 12:0 a.m., 15 views

CKAN < 2.8.12 Shared Session Secret

The version of CKAN installed can be impacted by a shared session secret if the application is based on one of the CKAN Docker images and if the users didn't set a custom value via an environment variable. Note that the scanner has not tested for these issues but has instead relied only on the...

CVSS 8.6, AI score 7.4, EPSS 0.00374
Exploits: 0, References: 2
WPVulnDB
added 2023/02/07 12:0 a.m., 12 views

Yellow Yard < 2.8.12 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks PoC yyfilter field='"...

AI score 5.5, EPSS 0.00116
Exploits: 2, Affected Software: 1
OpenVAS
added 2022/12/02 12:0 a.m., 14 views

Discourse < 2.8.12 Information Disclosure Vulnerability

Discourse is prone to an information disclosure vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVSS 4.3, AI score 4.4, EPSS 0.00199
Exploits: 0, References: 1
Positive Technologies
added 2022/11/28 12:0 a.m., 3 views

PT-2022-26174 · Discourse · Discourse

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2.8.12 Discourse versions prior to 2.9.0.beta13 Description: Discourse is an open-source discussion platform. Under certain conditions, a user can see notifications for topics they no longer have access to,...

CVSS 4.3, AI score 4.3, EPSS 0.00199
Exploits: 0, References: 8
Microsoft CVE
added 2020/08/18 7:0 a.m., 2 views

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6, and 3.6.4 as well as previous versions are affected.

...

CVSS 5, AI score 8.4, EPSS 0.00038
Exploits: 1