CVE-2026-0397

When the internal webserver is enabled default is disabled, an attacker might be able to trick an administrator logged to the dashboard into visiting a malicious website and extract information about the running configuration from the dashboard. The root cause of the issue is a misconfiguration o...

PT-2026-26801

The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above,...

GHSA-RJHH-M223-9QQV SiYuan importStdMd: unvalidated localPath imports arbitrary host directories as persistent notes

Summary POST /api/import/importStdMd passes the localPath parameter directly to model.ImportFromLocalPath with zero path validation. The function recursively reads every file under the given path and permanently stores their content as SiYuan note documents in the workspace database, making them...

EUVD-2026-10001

The WP eCommerce WordPress plugin through 3.15.1 does not have CSRF check in place when deleting coupons, which could allow attackers to make a logged in admin remove them via a CSRF attack...

CVE-2025-54161

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of...

CVE-2025-59386

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

Qnap QTS and QuTS hero NULL Pointer Dereference (CVE-2025-48727)

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

CVE-2025-13971

The TWW Protein Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Header' setting in all versions up to, and including, 1.0.24 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-lev...

EUVD-2025-199581

The Zweb Social Mobile – Ứng Dụng Nút Gọi Mobile plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘vithanhlamzsocialsavemessager’, 'vithanhlamzsocialsavezalo', 'vithanhlamzsocialsavehotline', and 'vithanhlamzsocialsavecontact' parameters in all versions up to, and...

EUVD-2025-60953

The Double the Donation – A workplace giving tool to help your fundraising efforts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible fo...

CVE-2025-10723 PixelYourSite < 11.1.2 - Admin+ LFI

The PixelYourSite WordPress plugin before 11.1.2 does not validate some URL parameters before using them to generate paths passed to function/s, allowing any admins to perform LFI attacks...

CVE-2025-61997

CVE-2025-61997 : OPEXUS FOIAXpress versions before 11.13.3.0 are affected by a stored XSS via the Annual Report Banner image/upload field. An administrative user can inject JavaScript or content that is executed in the context of other users when they generate an Annual Report, enabling actions o...

EUVD-2018-10854

Malware in sbrugna...

EUVD-2024-2997

Malicious code in bioql PyPI...

EUVD-2022-34687

Malicious code in bioql PyPI...

EUVD-2022-24901

Malicious code in bioql PyPI...

EUVD-2023-44023

Malicious code in bioql PyPI...

CVE-2025-52855

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

CVE-2025-52866 QTS, QuTS hero

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the...

PT-2025-40582

Name of the Vulnerable Software and Affected Versions QNAP versions prior to QTS 5.2.6.3195 build 20250715 QNAP versions prior to QuTS hero h5.2.6.3195 build 20250715 Description A flaw exists where a remote attacker with administrator privileges can trigger a denial-of-service DoS condition...