WordPress Contact Form 7 Captcha <0.1.2 - Cross-Site Scripting
WordPress Contact Form 7 Captcha plugin before 0.1.2 contains a reflected cross-site scripting vulnerability. It does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute. id: CVE-2022-2187 info: name: WordPress Contact Form 7 Captcha 0.1.2 - Cross-Site Scripting...
Contact Form 7 Math Captcha <= 2.0.1 - Cross-site Scripting
The Contact Form 7 Math Captcha WordPress plugin through 2.0.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. id: CVE-2024-6517 info: name: Contact Form 7 Math Captcha =...
CVE-2026-49201 Acer Wave 7 router: Hardcoded Cryptographic Key
The upload.cgi binary, responsible for processing device backups, contains a hardcoded AES encryption key. This allows an attacker to decrypt, modify, and re-encrypt system backups, facilitating persistent backdoor injection...
CVE-2026-49200
The CVE-2026-49200 entry affects Acer Wave 7 router firmware. The root issue is that the acer_cgi.log file is accessible without authentication via the web interface, and this log contains cleartext credentials for web and Telnet. This exposure can lead to unauthorized system access and high impa...
Acer Wave 7 router security vulnerability
The Acer Wave 7 router is a three-band wireless router from Acer, a company based in Taiwan, China. The Acer Wave 7 router has a security vulnerability. This vulnerability arises from the acer_cgi.log file, which can be accessed via a web interface without authentication, containing plaintext logi...
WordPress plugin Contact Form 7 – PayPal & Stripe Add-on data forgery vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
Acer Wave 7 router security vulnerability
The Acer Wave 7 router is a three-band wireless router from Acer, a company based in Taiwan, China. The Acer Wave 7 router has a security vulnerability. This vulnerability allows attackers to decrypt, modify, and re-encrypt system backups, enabling persistent backdoor attacks...
CVE-2026-6816 TFA Basic Plugins - Access Bypass
An access bypass vulnerability in Drupal TFA Basic Plugins allows users with the administer users permission to view or generate recovery codes for other users. This issue affects TFA Basic Plugins: from 7.x-1.0 through 7.x-1.2...
MS16-032-Cobalt-Strike-LPE-BOF
MS16-032 Beacon Object File BOF A Cobalt Strike Beacon Obje...
CVE-2026-4929 Simple Hierarchical Select (Drupal 7) XSS in term-derived output
Simple Hierarchical Select (SHS) for Drupal 7 contains cross-site scripting risk due to improper output escaping of term-derived text. Confirmed affected paths include field formatter output (shs_field_formatter_view) and term-tree child-term data generation (shs_term_get_children). Malicious taxonomy term...
Drupal security vulnerability
Drupal is an open-source content management system developed using the PHP language by the Drupal community. Versions 7.x-1.0 to 7.x-1.10 of Drupal have security vulnerabilities. These vulnerabilities stem from improper output escaping of term-derived text in Simple Hierarchical Select, which may...
Drupal cross-site scripting vulnerability
Drupal is an open-source content management system developed using the PHP language by the Drupal community. Versions of Drupal 7.x-1.11 and earlier, including 7.x-1.x, have a cross-site scripting vulnerability. This vulnerability stems from the rendering pipeline of the Term Reference Tree...
PT-2026-42187
Incorrect default permissions vulnerability in Progress Software MOVEit Automation allows Retrieve Embedded Sensitive Data. This issue affects MOVEit Automation: before 2025.0.11, from 2025.1.0 before 2025.1.7...
CVE-2026-35469 affecting package cert-manager for versions less than 1.12.15-7
CVE-2026-35469 affecting package cert-manager for versions less than 1.12.15-7. A patched version of the package is available...
BIT-TOMCAT-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that...
HSC MailInspector cross-site scripting vulnerability
HSC MailInspector is a mail security analysis and filtering system developed by the Brazilian company HSC. Version 5.3.3-7 of HSC MailInspector contains a cross-site scripting vulnerability. This vulnerability arises from the use of alternative or obfuscated JavaScript syntax in user inputs withi...
HSC MailInspector cross-site scripting vulnerability
HSC MailInspector is a mail security analysis and filtering system developed by the Brazilian company HSC. Version 5.3.3-7 of HSC MailInspector contains a cross-site scripting vulnerability. This vulnerability arises from the use of alternative or obfuscated JavaScript syntax in user-controlled...
Oracle Linux 7 : vim (ELSA-2026-6617)
The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-6617 advisory. - Security update CVE-2026-25749 CVE-2026-28417 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory...
CVE-2026-44437
Angular SSR is a server-side rendering tool for Angular applications. From 19.0.0-next.0 to before 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7, a vulnerability exists in the X-Forwarded-Prefix header processing logic within Angular SSR. The internal validation mechanism fails to properly...
CVE-2026-6709 Coinbase Commerce for Contact Form 7 <= 1.1.2 - Missing Authorization to Authenticated (Subscriber+) API Key Modification via 'cccf7_api_key' Parameter
The Coinbase Commerce for Contact Form 7 plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.1.2. This is due to a missing capability check and missing nonce verification in the savesettings function, which is registered on the adminpostcccf7savesettings...