CVE-2026-39347

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source accepts changes to self-appraisal submissions for administrator users after those submissions have been marked completed, breaking integrity of finalized appraisal records. This vulnerability...

CVE-2026-39348

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...

CVE-2026-39348 OrangeHRM is Missing Authorization Checks in AbstractFileController Subclasses Expose Job Specification and Vacancy Attachments

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source omits authorization on job specification and vacancy attachment download handlers, allowing authenticated low-privilege users to read attachments via direct reference to attachment identifier...

CVE-2026-39345 OrangeHRM Affected by Arbitrary File Read via Path Traversal in Email Template Loader

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source fails to restrict email template file resolution to the intended plugins directory, allowing an authenticated actor who can influence the template path to read arbitrary local files. This...

PT-2026-30873

An issue that allowed administrators to create and update users outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:H/A:N 5.8 Medium. This issue was fix...

PT-2026-30879

An issue that could allow a credential to be updated and used for a task from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. This...

SUSE CVE-2026-31890

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. Prior to 0.50.1, in a situation where the ring-buffer of a gadget is - incidentally or maliciously - already full, the gadget will silently drop events. Th...

Meneame English Pligg SQL注入漏洞

Meneame English Pligg is a social news website aggregation script developed by the Meneame community. Version 5.8 of Meneame English Pligg contains an SQL injection vulnerability. This vulnerability stems from the search parameter in the index.php file, which allows for SQL injections, potentiall...

PT-2026-7145

Name of the Vulnerable Software and Affected Versions Craft versions 4.0.0-RC1 through 4.16.17 Craft versions 5.0.0-RC1 through 5.8.21 Description Craft is a platform for creating digital experiences. The element-indexes/get-elements API endpoint is susceptible to SQL Injection via the...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004017)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004017 advisory. Use-after-free vulnerability in fs/blockdev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging imprope...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004187)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004187 advisory. An issue was discovered in the Linux kernel before 5.8. arch/x86/kvm/svm/svm.c allows a setmemoryregiontest infinite loop for certain nested page faults, aka...

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-000319)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000319 advisory. Use-after-free vulnerability in fs/blockdev.c in the Linux kernel before 5.8 allows local users to gain privileges or cause a denial of service by leveraging imprope...

@datatitian/vega (=5.17.0), @lumere/vega (=5.17.0) +4 more potentially affected by CVE-2025-66648 via vega-functions (>=5.8.0 <=6.0.0)

vega-functions NPM version =5.8.0, =2.5.0, =5.16.0, =5.16.0, =6.1.2 Source cves: CVE-2025-66648 Source advisory: SNYK:JS-VEGAFUNCTIONS-14872001...

CVE-2025-60086

Missing Authorization vulnerability in Matt WP Voting Contest wp-voting-contest allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Voting Contest: from n/a through = 5.8...

CVE-2025-66291 OrangeHRM is Vulnerable to Improper Authorization Allowing Unauthorized Access to Interview Attachments

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has...

EUVD-2025-199904

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

CVE-2025-66224 OrangeHRM is Vulnerable to Code Execution Through Arbitrary File Write from Sendmail Parameter Injection

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these...

EUVD-2021-25584

Malware in sbrugna...

EUVD-2021-16511

Malware in sbrugna...

EUVD-2020-22388

Malware in sbrugna...