9973 matches found
U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support
The U.S. Treasury Department's Office of Foreign Assets Control OFAC has designated two individuals and a VPN service provider for enabling ransomware actors' and other cybercriminals' malicious activities, including ransomware attacks against Americans. The VPN, named First VPN Service 1VPNS, ha...
LogDash Activity Log <= 1.1.3 - SQL Injection
The LogDash Activity Log plugin for WordPress is vulnerable to SQL Injection via the username parameter in all versions up to, and including, 1.1.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
Kaseya VSA 2017 ConnectWise ManagedITSync - Remote Code Execution
ConnectWise ManagedITSync integration through 2017 for Kaseya VSA is vulnerable to unauthenticated remote commands that allow full direct access to the Kaseya VSA database. If the ManagedIT.asmx page is available via the Kaseya VSA web interface, anyone with access to the page is able to run...
CVE-2026-57714
creationtimestamp| type| source ---|---|--- 2026-07-13 10:56:05+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqjjrvbgcs2g 2026-07-13 11:11:34+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqjknmwz7j2a 2026-07-13 11:20:04+00:00| seen|...
CVE-2026-9492
creationtimestamp| type| source ---|---|--- 2026-07-13 04:30:25+00:00| seen| https://infosec.exchange/users/offseq/statuses/116910786151566204 2026-07-13 04:30:27+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mqiuaepo5j2r 2026-07-13 05:00:25+00:00| seen|...
CVE-2026-15486
creationtimestamp| type| source ---|---|--- 2026-07-12 09:28:06+00:00| seen| https://bsky.app/profile/kriptabiz.bsky.social/post/3mqgufolnd62c 2026-07-12 11:27:59+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mqh342n5je26...
CVE-2026-9282
creationtimestamp| type| source ---|---|--- 2026-07-11 07:30:25+00:00| seen| https://infosec.exchange/users/offseq/statuses/116900169327845158 2026-07-11 07:30:27+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mqe5efmorb2x 2026-07-11 07:36:29+00:00| seen|...
CSV Injection
Overview snipe/snipe-it is an asset management system built on Laravel. Affected versions of this package are vulnerable to CSV Injection through the postActivityReport process. An attacker can cause arbitrary formula execution in spreadsheet software by injecting a specially crafted User-Agent...
CVE-2026-55452
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
EUVD-2026-42997
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
CVE-2026-55452 Snipe-IT: CSV formula injection in Activity Report export
Snipe-IT is an IT asset/license management system. Prior to 8.5.0, Actionlog::logaction stores the request User-Agent header and ReportsController::postActivityReport writes that value to the Activity Report CSV without formula escaping, allowing a low-privileged authenticated user to store a...
CVE-2026-55452
CVE-2026-55452 concerns Snipe-IT (IT asset/license management) where pre-8.5.0 builds store the User-Agent header via Actionlog::logaction() and export it in Activity Report CSV without formula escaping. This allows a low-privileged authenticated user to inject a formula-like payload that can exe...
CVE-2026-61460
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...
EUVD-2026-42981
Krayin CRM through 2.2.3 contains an insecure direct object reference vulnerability in LeadController, PersonController, OrganizationController, QuoteController, and ActivityController that allows authenticated users to edit, update, or delete records owned by other users. Attackers can modify CR...
CVE-2026-15378
creationtimestamp| type| source ---|---|--- 2026-07-10 10:08:04+00:00| seen| https://bsky.app/profile/stackflag.bsky.social/post/3mqbvpddyrq2r 2026-07-10 10:30:26+00:00| seen| https://infosec.exchange/users/offseq/statuses/116895214843907721 2026-07-10 10:30:28+00:00| seen|...
Malicious code in testing-d3do (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6c008bcf9a72a02f11c556396a39d6de999bfad0cfa389ddac01929d19bb34d8 On npm install, this package's postinstall script collects host identifiers os.hostname, os.userInfo, current working directory, and external IPv4...
CVE-2026-13450
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
CVE-2026-13450 GamiPress <= 7.9.4 - Insecure Direct Object Reference to Unauthenticated Sensitive Information Disclosure via 'access' Parameter
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
CVE-2026-13450
The GamiPress – Gamification plugin to reward points, achievements, badges & ranks in WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 7.9.4 via the 'access' parameter due to missing validation on a user controlled key. This...
CVE-2026-13450
The CVE describes a vulnerability in the GamiPress WordPress plugin (versions up to 7.9.4) where Insecure Direct Object Reference is triggered via the access parameter due to missing validation on a user-controlled key. This allows unauthenticated attackers to view private GamiPress activity log ...