Lucene search

7 matches found

Cvelist
added 6 days ago, 32 views

CVE-2026-12862 XLSX formula injection in exports

Untrusted user data was passed verbatim to Excel exports for administrators. This allowed formula injection which can be used to compromise the environment of the user loading the file or other data in the file...

CVSS 5.1, EPSS 0.00226
Exploits: 0, References: 1
Github Security Blog
added 2026/06/12 9:0 p.m., 11 views

File Browser: Cross-user unauthorized share-link deletion via unbounded prefix match in DeleteWithPathPrefix

Summary A low-privileged authenticated user of filebrowser with create + delete permissions in their own isolated scope can silently destroy share-link records belonging to any other user — including the administrator — by performing a legitimate DELETE on a file in their own directory whose...

CVSS 7.2, AI score 5.5, EPSS 0.00411
Exploits: 0, References: 4, Affected Software: 2
Vulnrichment
added 2025/09/25 12:0 a.m., 2 views

CVE-2025-48707

An issue was discovered in Stormshield Network Security SNS before 5.0.1. TPM authentication information could, in some HA use cases, be shared among administrators, which can cause secret sharing...

AI score 6.6, EPSS 0.00323
Exploits: 0, References: 1
OSV
added 2024/11/15 10:15 a.m., 3 views

CVE-2024-8979

The Essential Addons for Elementor – Best Elementor Addon, Templates, Widgets, Kits & WooCommerce Builders plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 6.0.9 via the 'initcontentlostpassworduseremailcontrols' function. This makes it...

CVSS 5.7, AI score 7.3, EPSS 0.00493
Exploits: 0, References: 3
OSV
added 2021/02/08 11:15 a.m., 3 views

CVE-2020-1779

When dynamic templates are used OTRSTicketForms, admin can use OTRS tags which are not masked properly and can reveal sensitive information. This issue affects: OTRS AG OTRSTicketForms 6.0.x version 6.0.40 and prior versions; 7.0.x version 7.0.29 and prior versions; 8.0.x version 8.0.3 and prior...

CVSS 4.9, AI score 5.8, EPSS 0.00995
Exploits: 0, References: 1
OSV
added 2019/03/21 4:1 p.m., 1 views

CVE-2019-9867

An issue was discovered in the Web Console in Veritas NetBackup Appliance through 3.1.2. The proxy server password is displayed to an administrator...

CVSS 7.2, AI score 7.1, EPSS 0.01202
Exploits: 0, References: 2
OSV
added 2018/05/15 3:29 p.m., 4 views

CVE-2018-11105

There is stored cross site scripting in the wp-live-chat-support plugin before 8.0.08 for WordPress via the "name" aka wplcname and "email" aka wplcemail input fields to wp-json/wplivechatsupport/v1/startchat whenever a malicious attacker would initiate a new chat with an administrator. NOTE: thi...

CVSS 6.1, AI score 5.3, EPSS 0.01098
Exploits: 1, References: 2