CVE-2026-41885

CVE-2026-41885 affects i18next-locize-backend prior to version 9.0.2. The issue arises when the backend interpolates values (lng, ns, projectId, version) directly into URL templates (loadPath/privatePath/addPath/updatePath/getLanguagesPath) without encoding or validation, enabling user-controlled...

CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +11 more potentially affected by CVE-2026-33804 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-33804 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098212...

WordPress ExactMetrics plugin 7.1.0-9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update vulnerability

Authenticated Custom Improper Privilege Management to Role Privilege Escalation via Settings Update vulnerability discovered by Ali Sünbül in WordPress Plugin ExactMetrics versions 7.1.0-9.0.2...

WordPress ExactMetrics plugin 8.6.0-9.0.2 - Authenticated (Custom) Insecure Direct Object Reference to Arbitrary Plugin Installation

Authenticated Custom Insecure Direct Object Reference to Arbitrary Plugin Installation vulnerability discovered by Ali Sünbül in WordPress Plugin ExactMetrics versions 8.6.0-9.0.2...

EUVD-2026-11127

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the storesettings method in the ExactMetricsOnboarding class accepting a user-supplied triggeredby parameter that is used instead of...

CVE-2026-1992

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the storesettings method in the ExactMetricsOnboarding class accepting a user-supplied triggeredby parameter that is used instead of...

CVE-2026-1993 ExactMetrics 7.1.0 - 9.0.2 - Authenticated (Custom) Improper Privilege Management to Role Privilege Escalation via Settings Update

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Improper Privilege Management in versions 7.1.0 through 9.0.2. This is due to the updatesettings function accepting arbitrary plugin setting names without a whitelist of allowed settings. This makes it possible fo...

WordPress plugin ExactMetrics – Google Analytics Dashboard for WordPress 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

SUSE CVE-2025-67733

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...

CVE-2026-27623

Valkey is a distributed key-value database. Starting in version 9.0.0 and prior to version 9.0.3, a malicious actor with network access to Valkey can cause the system to abort by triggering an assertion. When processing incoming requests, the Valkey system does not properly reset the networking...

PT-2026-21544

Name of the Vulnerable Software and Affected Versions Valkey versions prior to 9.0.2 Valkey versions prior to 8.1.6 Valkey versions prior to 8.0.7 Valkey versions prior to 7.2.12 Description Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious...

WordPress Quiz And Survey Master plugin < 9.0.2 - Contributor+ SQLi vulnerability

Contributor+ SQLi vulnerability discovered by Project Black in WordPress Plugin Quiz And Survey Master versions 9.0.2...

CVE-2019-7135

Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure...

CVE-2025-11785

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf'. The 'GetParametermeter' function retrieves the user input, which is directly incorporated...

EUVD-2025-200227

Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi' and then uses it as an index in the 'FilesDownload' array with '&FilesDownloadiVar2'. If the parameter is too large, it will access memory beyond...

CVE-2025-11787

CVE-2025-11787 affects Circutor SGE-PLC1000/SGE-PLC50 running v9.0.2. The OS exposes a command injection vulnerability in GetDNS(), CheckPing(), and TraceRoute() functions. Impact is high (CVE scores indicate network-based, unauthenticated/low-privilege access with potential total impact on confi...

CVE-2025-11787 Command injection vulnerability in Circutor SGE-PLC1000/SGE-PLC50

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS', 'CheckPing' and 'TraceRoute' functions...

PT-2025-48673

Name of the Vulnerable Software and Affected Versions Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2 Description A stack-based buffer overflow exists in the AddEvent function when handling user-supplied usernames. The issue occurs because the function copies the username input to a fixed-size buffe...

CVE-2025-33077

IBM Engineering Systems Design Rhapsody 9.0.2, 10.0, and 10.0.1 is vulnerable to a stack-based buffer overflow, caused by improper bounds checking. A local user could overflow the buffer and execute arbitrary code on the system...