
29 matches found

NVD
added 2026/05/28 10:17 p.m. · 9 views

CVE-2026-45410

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVSS 5.3 · EPSS 0.00036
Exploits 0 · References 2
EUVD
added 2026/05/28 9:23 p.m. · 10 views

EUVD-2026-33070

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVSS 5.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 2
CVE
added 2026/05/28 9:23 p.m. · 16 views

CVE-2026-45410

TREK (collaborative travel planner) has a time-based user enumeration vulnerability in the authentication endpoint prior to version 3.0.18. When an email exists, the backend performs a bcrypt password comparison before returning 401, adding ~370 ms; when it does not exist, it returns immediately ...

CVSS 5.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 2
Cvelist
added 2026/05/28 9:23 p.m. · 29 views

CVE-2026-45410 Time-based user enumeration in TREK authentication endpoint

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVSS 5.3 · EPSS 0.00036
Exploits 0 · References 2
Positive Technologies
added 2026/05/28 12:00 a.m. · 10 views

PT-2026-44554

TREK is a collaborative travel planner. Prior to 3.0.18, early return on missing user during login flow allowed an attacker to enumerate valid user accounts via response timing discrepancy. When an email address existed in the database, the backend performed a bcrypt password comparison before...

CVSS 5.3 · AI score 5.8 · EPSS 0.00036
Exploits 0 · References 3
Vulnrichment
added 2026/03/20 11:25 p.m. · 2 views

CVE-2026-3516 Contact List <= 3.0.18 - Authenticated (Contributor+) Stored Cross-Site Scripting via '_cl_map_iframe' Parameter

The Contact List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '_cl_map_iframe' parameter in all versions up to, and including, 3.0.18. This is due to insufficient input sanitization and output escaping when handling the Google Maps iframe custom field. The saveCustomFiel...

CVSS 6.4 · AI score 6 · EPSS 0.00024
Exploits 1 · References 8
Tenable Nessus
added 2026/01/14 12:00 a.m. · 2 views

MiracleLinux 3 : firefox-3.0.18-1.1.AXS3 (AXSA:2010-126:01)

The remote MiracleLinux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2010-126:01 advisory. Mozilla Firefox is an open-source web browser, designed for standards compliance, performance and portability. Security issues fixed with this releas...

CVSS 10 · AI score 8.7 · EPSS 0.07108
Exploits 4 · References 6
CNNVD
added 2025/10/01 12:00 a.m. · 2 views

Argo CD code issue vulnerability

Argo CD is an Argo open source declarative GitOps continuous delivery tool for Kubernetes. A code issue vulnerability exists in Argo CD that stems from a malicious API request that is not handled correctly, which could lead to an API server crash and denial of service. The following versions are...

CVSS 7.5 · AI score 8.8 · EPSS 0.00329
Exploits 1 · References 2
OSV
added 2025/08/05 12:02 a.m. · 5 views

CVE-2025-54870 VTun-ng's failure to initialize encryption modules may cause reversion to plaintext

VTun-ng is a Virtual Tunnel over TCP/IP network. In versions 3.0.17 and below, failure to initialize encryption modules might cause reversion to plaintext due to insufficient error handling. The bug was first introduced in VTun-ng version 3.0.12. This is fixed in version 3.0.18. To workaround thi...

CVSS 8.7 · AI score 6.7 · EPSS 0.00211
Exploits 0 · References 4
RedhatCVE
added 2025/05/23 1:58 a.m. · 5 views

CVE-2023-47771

Missing Authorization vulnerability in ThemePunch OHG Essential Grid. This issue affects Essential Grid: from n/a through 3.0.18...

CVSS 8.3 · AI score 6.9 · EPSS 0.00205
Exploits 0 · References 1
Positive Technologies
added 2024/11/22 12:00 a.m. · 3 views

PT-2024-35315 · Unknown · Automation Web Platform Wawp

Name of the Vulnerable Software and Affected Versions: Automation Web Platform Wawp versions prior to 3.0.18 Description: The issue is related to an Authentication Bypass Using an Alternate Path or Channel vulnerability in the Automation Web Platform Wawp. This vulnerability allows authentication...

CVSS 9.8 · AI score 9.5 · EPSS 0.29068
Exploits 0 · References 7
Patchstack
added 2024/11/19 11:06 a.m. · 2 views

WordPress Wawp plugin < 3.0.18 - Account Takeover vulnerability

Account Takeover vulnerability discovered by stealthcopter Patchstack Alliance in WordPress Plugin Wawp versions 3.0.18...

CVSS 9.8 · AI score 7 · EPSS 0.29068
Exploits 0 · Affected Software 1
NVD
added 2024/06/19 11:15 a.m. · 15 views

CVE-2023-47771

Missing Authorization vulnerability in ThemePunch OHG Essential Grid. This issue affects Essential Grid: from n/a through 3.0.18...

CVSS 8.3 · EPSS 0.00205
Exploits 0 · References 1
OSV
added 2022/12/27 9:00 a.m. · 5 views

OPENSUSE-SU-2022:10252-1 Security update for vlc

This update for vlc fixes the following issues: - Update to version 3.0.18 CVE-2022-41325, boo1206142: + macOS: Fix audio device listing with non-latin names. + Misc: Fix rendering and performance issue with older GPUs. + Updated translations. - Changes from version 3.0.18-rc2: + Codec/Demux: - A...

CVSS 7.8 · AI score 5.5 · EPSS 0.07954
Exploits 1 · References 6
OPENSUSE Linux
added 2022/12/27 12:00 a.m. · 2 views

Security update for vlc (important)

openSUSE Security Update: Security update for vlc Announcement ID: openSUSE-SU-2022:10252-1 Rating: important References: 1200944 1206142 Cross-References: CVE-2020-0499 CVE-2021-0561 CVE-2022-41325 CVSS scores: CVE-2020-0499 NVD : 4.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVE-2020-0499...

CVSS 6.5 · AI score 5.8 · EPSS 0.07954
Exploits 1 · References 2
Prion
added 2022/02/24 3:15 p.m. · 21 views

Design/Logic Flaw

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users...

CVSS 5 · AI score 5.3 · EPSS 0.01055
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/02/24 9:50 a.m. · 15 views

CVE-2022-25355

EC-CUBE 3.0.0 to 3.0.18-p3 and EC-CUBE 4.0.0 to 4.1.1 improperly handle HTTP Host header values, which may lead a remote unauthenticated attacker to direct the vulnerable version of EC-CUBE to send an Email with some forged reissue-password URL to EC-CUBE users...

AI score 5.6 · EPSS 0.01055
Exploits 0 · References 2
Prion
added 2021/07/13 3:15 p.m. · 16 views

Stack overflow

Stack overflow vulnerability in function jsievalcodesub in jsish before 3.0.18, allows remote attackers to cause a Denial of Service via a crafted value to the execute parameter...

CVSS 5 · AI score 7.6 · EPSS 0.00839
Exploits 1 · References 1 · Affected Software 1
CNNVD
added 2021/07/13 12:00 a.m. · 3 views

Jshish buffer error vulnerability

Jshish is a javascript-ish interpreter with built-in websocket-server, sqlite and C extensibility. Jshish suffers from a buffer error vulnerability that stems from the product's jsievalcodesub function failing to properly validate data boundaries, which could allow an attacker to cause a denial o...

CVSS 7.5 · AI score 7.6 · EPSS 0.00839
Exploits 1 · References 1
CNNVD
added 2020/12/03 12:00 a.m. · 3 views

Ec-cube input validation error vulnerability

Ec-cube is an open source e-commerce system of the Japanese company Ec-cube. An input validation error vulnerability exists in EC-CUBE versions 3.0.5 through 3.0.18, which allows remote attackers to exploit the vulnerability to cause a denial of service (DoS) condition via an unspecified vector...

CVSS 7.5 · AI score 5.8 · EPSS 0.00541
Exploits 0 · References 4