140 matches found

Snyk · added 2026/05/24 8:48 p.m. · 5 views

SQL Injection

Overview: Affected versions of this package are vulnerable to SQL Injection via the AddressRepository::getSqlQuery method that constructs a database query without properly sanitizing user input, leading to SQL Injection. The method is not invoked anywhere within the extension itself and therefore...

CVSS 8.2 · AI score 5.8 · EPSS 0.0004 · Exploits 0 · References 2
CVE · added 2026/05/14 8:44 p.m. · 9 views

CVE-2026-44212

CVE-2026-44212 concerns PrestaShop's back-office Customer Service view. A stored XSS exists where an unauthenticated attacker can submit the public Contact Us form with a malicious email; the payload is stored in the database and executes when a back-office employee opens the affected customer th...

CVSS 9.3 · AI score 5.8 · EPSS 0.00022 · Exploits 0 · References 1
Github Security Blog · added 2026/04/16 10:34 p.m. · 3 views

@fastify/static vulnerable to path traversal in directory listing

Impact: @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...

CVSS 5.3 · AI score 6 · EPSS 0.00034 · Exploits 0 · References 4 · Affected Software 1
EUVD · added 2026/04/16 10:34 p.m. · 1 view

EUVD-2026-23227

@fastify/static vulnerable to route guard bypass via encoded path separators...

CVSS 5.9 · AI score 5.8 · EPSS 0.00016 · Exploits 0 · References 5
NVD · added 2026/04/16 2:16 p.m. · 1 view

CVE-2026-6410

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...

CVSS 5.3 · EPSS 0.00034 · Exploits 0 · References 2
Cvelist · added 2026/04/16 1:29 p.m. · 26 views

CVE-2026-6410 @fastify/static vulnerable to path traversal in directory listing

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...

CVSS 5.3 · EPSS 0.00034 · Exploits 0 · References 2
CVE · added 2026/04/16 1:29 p.m. · 8 views

CVE-2026-6410

Affected product/component: @fastify/static, versions 8.0.0–9.1.0. Root cause: dirList.path() uses path.join() to resolve directories outside the configured static root without containment checks, enabling path traversal when directory listing is enabled via the list option. Impact: remote unauth...

CVSS 5.3 · AI score 5.9 · EPSS 0.00034 · Exploits 0 · References 2 · Affected Software 1
ATTACKERKB · added 2026/04/16 1:29 p.m. · 1 view

CVE-2026-6410

@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...

CVSS 5.3 · AI score 5.9 · EPSS 0.00034 · Exploits 0 · References 3 · Affected Software 1
NVD · added 2026/04/16 1:16 p.m. · 0 views

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 · EPSS 0.00016 · Exploits 0 · References 4
Vulnrichment · added 2026/04/16 1:09 p.m. · 1 view

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 · AI score 5.8 · EPSS 0.00016 · Exploits 0 · References 4
Snyk · added 2026/04/16 1:09 p.m. · 2 views

Improper Handling of URL Encoding (Hex Encoding)

Overview: @fastify/static is a plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...

CVSS 8.2 · AI score 5.7 · EPSS 0.00016 · Exploits 0 · References 2
ATTACKERKB · added 2026/04/16 1:09 p.m. · 4 views

CVE-2026-6414

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 · AI score 5.8 · EPSS 0.00016 · Exploits 0 · References 5 · Affected Software 1
Cvelist · added 2026/04/16 1:09 p.m. · 27 views

CVE-2026-6414 @fastify/static vulnerable to route guard bypass via encoded path separators

@fastify/static versions 8.0.0 through 9.1.0 decode percent-encoded path separators %2F before filesystem resolution, while Fastify's router treats them as literal characters. This mismatch allows attackers to bypass route-based middleware or guards that protect files served by @fastify/static. F...

CVSS 5.9 · EPSS 0.00016 · Exploits 0 · References 4
Positive Technologies · added 2026/04/16 12:00 a.m. · 1 view

PT-2026-33313

Name of the Vulnerable Software and Affected Versions: @fastify/static versions 8.0.0 through 9.1.0. Description: @fastify/static decodes percent-encoded path separators '%2F' before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a...

CVSS 5.9 · AI score 5.7 · EPSS 0.00016 · Exploits 0 · References 10
Positive Technologies · added 2026/02/25 12:00 a.m. · 2 views

PT-2026-22056

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 8.6.3; Parse Server versions prior to 9.1.1-alpha.4. Description: Parse Server is susceptible to a security issue where an unauthenticated attacker can create a forged Google authentication token using alg: "none" t...

CVSS 9.3 · AI score 5.4 · EPSS 0.00039 · Exploits 0 · References 16
RedhatCVE · added 2026/02/21 7:30 p.m. · 1 view

CVE-2025-68853

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1...

CVSS 8.8 · AI score 5.5 · EPSS 0.0006 · Exploits 0 · References 1
CVE · added 2026/02/20 3:46 p.m. · 5 views

CVE-2025-68853

The CVE CVE-2025-68853 affects WordPress Contact Manager plugin (contact-manager) up to version 9.1.1 and is a Deserialization of Untrusted Data (PHP Object Injection) vulnerability. Public sources (NVD/Red Hat/Patchstack/Wordfence) identify the root cause as untrusted data deserialization in con...

CVSS 8.8 · AI score 5.5 · EPSS 0.0006 · Exploits 0 · References 1
Cvelist · added 2026/02/20 3:46 p.m. · 20 views

CVE-2025-68853 WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1...

CVSS 8.8 · EPSS 0.0006 · Exploits 0 · References 1
Positive Technologies · added 2026/02/20 12:00 a.m. · 3 views

PT-2026-21112

Name of the Vulnerable Software and Affected Versions: Kleor Contact Manager versions through 9.1.1. Description: A flaw exists in Kleor Contact Manager that allows for object injection due to deserialization of untrusted data. This issue impacts the contact-manager component. Recommendations: At the...

AI score 5.5 · EPSS 0.0006 · Exploits 0 · References 3
CNNVD · added 2026/02/20 12:00 a.m. · 3 views

WordPress plugin Contact Manager code issue vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

CVSS 8.8 · AI score 5.9 · EPSS 0.0006 · Exploits 0 · References 1