2393 matches found
CVE-2026-6127
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...
PT-2026-36300
Name of the Vulnerable Software and Affected Versions Elementor Website Builder versions prior to 4.0.5 Description Insufficient input sanitization in the processing of form-encoded REST API requests allows authenticated attackers with contributor-level access and above to perform Stored Cross-Si...
Cisco Firepower Threat Defense (FTD) Software VPN DoS Vulnerabilities (cisco-sa-asaftd-vpn-m9sx6MbC)
According to its self-reported version, Cisco Secure Firewall Threat Defense (FTD) Software is affected by multiple vulnerabilities. - A vulnerability in the Lua interpreter of the Remote Access SSL VPN functionality of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure...
CVE-2026-36765
An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code by injecting a crafted payload...
n8n Vulnerable to Hijacking of Unauthenticated Chat Execution
Impact The /chat WebSocket endpoint used by the Chat Trigger node's Hosted Chat feature did not verify that an incoming connection was authorized to interact with the target execution. An unauthenticated remote attacker who could identify a valid execution ID for a workflow in a waiting state cou...
Exploit for CRLF Injection in Useplunk Plunk
CVE-2026-34975 — CRLF Email Header Injection in Plunk via raw...
VideoFlow Digital Video Protection Path Traversal Vulnerability
VideoFlow Digital Video Protection is a broadcast-grade video transmission device developed by VideoFlow Corporation in the United States. Version 2.10 of VideoFlow Digital Video Protection contains a path traversal vulnerability. This vulnerability stems from authenticated directory traversal,...
PT-2026-37139
Name of the Vulnerable Software and Affected Versions Admidio versions prior to 5.0.9 Description The 'ecard preview.php' endpoint fails to validate that the ecard template POST parameter is a safe filename before it is processed by the getEcardTemplate function. An authenticated user can exploit...
Exploit for Stack-based Buffer Overflow in Asustor Data_Master
CVE-2026-6643 — ASUSTOR ADM 5.1.2 RCE Format String CWE-134...
GHSA-72H4-MXFC-JX37 Heimdall: Case-sensitive host matching may lead to policy bypass
Summary Heimdall performs host matching in a case-sensitive manner, while HTTP hostnames are case-insensitive. This discrepancy can result in heimdall failing to match a rule for a request host that differs only in letter casing, potentially causing the request to be classified differently than...
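The mismatch described above is easy to reproduce in a few lines. The following Go program is an added example written for this page, not Heimdall's code: the rule type, the sample rule set, the `classifyCaseSensitive`/`classifyCaseInsensitive` functions and the "default-allow" fallback policy are all assumptions made for illustration. It shows a request for `Admin.Example.COM:443` slipping past a rule written for `admin.example.com` when the comparison is byte-exact, and matching once both sides are lower-cased (host names are case-insensitive per RFC 3986 §3.2.2 and RFC 4343).

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Rule is a hypothetical host-keyed rule; it stands in for Heimdall's own rule
// type, which this example does not reproduce.
type Rule struct {
	Host   string
	Policy string
}

// SampleRules is a constructed rule set: one rule meant to protect an admin host.
func SampleRules() []Rule {
	return []Rule{{Host: "admin.example.com", Policy: "require-auth"}}
}

// requestHost reduces a Host header value to a bare hostname: an optional
// ":port" and a trailing dot are dropped. Letter case is deliberately kept.
func requestHost(hostHeader string) string {
	h := hostHeader
	if host, _, err := net.SplitHostPort(h); err == nil {
		h = host
	}
	return strings.TrimSuffix(h, ".")
}

// classifyCaseSensitive mirrors the flawed behaviour: rule hosts are compared
// byte-for-byte, so "Admin.Example.COM" never matches "admin.example.com" and
// the request falls through to whatever the fallback policy is.
func classifyCaseSensitive(rules []Rule, hostHeader, fallback string) string {
	h := requestHost(hostHeader)
	for _, r := range rules {
		if r.Host == h {
			return r.Policy
		}
	}
	return fallback
}

// classifyCaseInsensitive folds both sides to lower case before comparing,
// which is the comparison the HTTP and DNS specifications call for.
func classifyCaseInsensitive(rules []Rule, hostHeader, fallback string) string {
	h := strings.ToLower(requestHost(hostHeader))
	for _, r := range rules {
		if strings.ToLower(r.Host) == h {
			return r.Policy
		}
	}
	return fallback
}

func main() {
	rules := SampleRules()
	// Constructed Host header values: same host, three spellings.
	for _, host := range []string{"admin.example.com", "Admin.Example.COM:443", "ADMIN.EXAMPLE.COM."} {
		fmt.Printf("%-24s case-sensitive=%-14s case-insensitive=%s\n", host,
			classifyCaseSensitive(rules, host, "default-allow"),
			classifyCaseInsensitive(rules, host, "default-allow"))
	}
}
```

Whether the fall-through is a bypass depends on what the fallback policy is; the safe fix is to normalise the host once, at the point where the request is parsed, rather than in every rule comparison.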
Cross-site Scripting (XSS)
Overview org.apache.activemq:activemq-web is a message broker and JMS 1.1 implementation. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the JMS selector field in the web console. An attacker can display malicious content in the browser by injecting HTML and...
CVE-2026-31956
CVE-2026-31956 affects Xibo CMS prior to 4.4.1. An authenticated user can manually construct URLs to preview campaigns/regions and export saved reports belonging to other users due to an IDOR issue triggered by disableUserCheck without proper controller-level authorization. Impact is limited to u...
PT-2026-35066
SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, the fix for CVE-2026-30869 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding...
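The check-then-decode ordering described in this entry is the whole bug, so it is worth seeing in code. The Go program below is an added example for this page and is not SiYuan's code: `exportRoot`, `isSensitivePath`, `routerDecode` and both `serveExport*` functions are stand-ins written here. The vulnerable variant runs a ".."-denylist over the once-decoded path and then calls `url.PathUnescape` again, so a double-encoded `%252e%252e` passes the check as `%2e%2e` and only becomes `..` afterwards. The hardened variant decodes once and then validates the cleaned absolute path against the root, which holds regardless of how many times the input was encoded.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

// exportRoot is a hypothetical export directory, not SiYuan's real layout.
const exportRoot = "/data/export"

// isSensitivePath is a stand-in for a denylist check of the kind the advisory
// describes: it rejects any ".." segment in the string it is handed.
func isSensitivePath(p string) bool {
	for _, seg := range strings.Split(p, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

// routerDecode models the single percent-decoding an HTTP router applies to
// the request path before the handler sees it.
func routerDecode(raw string) (string, error) {
	return url.PathUnescape(raw)
}

// serveExportVulnerable checks the once-decoded path and then decodes it a
// second time; "%252e%252e" survives the check as "%2e%2e" and turns into
// ".." only after the check has passed.
func serveExportVulnerable(rawPath string) (string, error) {
	p, err := routerDecode(rawPath)
	if err != nil {
		return "", err
	}
	if isSensitivePath(p) {
		return "", errors.New("rejected by denylist")
	}
	p, err = url.PathUnescape(p) // redundant second decode: this is the bypass
	if err != nil {
		return "", err
	}
	return path.Join(exportRoot, p), nil
}

// serveExportHardened decodes exactly once, then validates the cleaned
// absolute path instead of pattern-matching the string: anything that
// resolves outside exportRoot is rejected.
func serveExportHardened(rawPath string) (string, error) {
	p, err := routerDecode(rawPath)
	if err != nil {
		return "", err
	}
	full := path.Join(exportRoot, p)
	if full != exportRoot && !strings.HasPrefix(full, exportRoot+"/") {
		return "", errors.New("path escapes export root")
	}
	return full, nil
}

func main() {
	// Constructed request paths: a benign one, a single-encoded traversal the
	// denylist catches, and a double-encoded traversal that slips past it.
	for _, raw := range []string{
		"notes/export.zip",
		"%2e%2e/%2e%2e/etc/passwd",
		"%252e%252e/%252e%252e/etc/passwd",
	} {
		v, verr := serveExportVulnerable(raw)
		h, herr := serveExportHardened(raw)
		fmt.Printf("%-34s vulnerable=%q %v | hardened=%q %v\n", raw, v, verr, h, herr)
	}
}
```

The design point is that a denylist inspects a representation of the path, and every extra decode step after the check produces a representation it never saw; validating the resolved path after the last transformation removes that dependence on ordering.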
CVE-2026-41270
Flowise (drag‑and‑drop UI for building LLM flows) contains an SSRF protection bypass in the Custom Function sandbox prior to version 3.1.0. The app blocks SSRF via HTTP_DENY_LIST for axios and node-fetch, but it allows use of built‑in Node.js http, https, and net modules inside the NodeVM sandbox...
CVE-2026-41228 Froxlor has Local File Inclusion via path traversal in API `def_language` parameter that leads to Remote Code Execution
Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoints Customers.update and Admins.update do not validate the def_language parameter against the list of available language files. An authenticated customer can set def_language to a path traversal...
CVE-2026-41175 Statamic: Unsafe method invocation via query value resolution allows data destruction
Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel...
CVE-2026-41175
Statamic CMS (Laravel/Git-based) prior to 5.73.20 and 6.13.0 is affected. The issue stems from unsafe method invocation during query value resolution, enabling data destruction via manipulated query parameters on Control Panel, REST API endpoints, or GraphQL queries. Exploitation requires REST/Gr...
CVE-2026-2717
The CVE concerns the WordPress HTTP Headers plugin (versions up to and including 1.19.2) vulnerable to CRLF Injection. The issue arises from insufficient sanitization of custom header name/value fields before they are written to the Apache .htaccess file via insert_with_markers(), enabling authen...
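This entry and the Plunk entry above (CVE-2026-34975, CRLF injection into raw email headers) share one root cause: a user-controlled header name or value reaches a line-oriented text format without being checked for CR and LF. The Go program below is an added example for this page, not code from either project (neither is written in Go). It renders an Apache `Header set` directive the way an unsanitised writer would, counts how many directives come out when the value carries a CRLF, and shows the validation that should have sat in front of the write: no CR, LF or NUL, a token-only name, and no double quote in a value the directive will quote. The `Header set` format follows mod_headers; the function names are assumptions. The same `validateHeaderField` check applies unchanged to SMTP header fields, which RFC 5322 also terminates with CRLF.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// isTokenChar reports whether r may appear in an HTTP field name (the RFC 9110 "token" grammar).
func isTokenChar(r rune) bool {
	if (r >= '0' && r <= '9') || (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') {
		return true
	}
	return strings.ContainsRune("!#$%&'*+-.^_`|~", r)
}

// validateHeaderField is the check the vulnerable code lacked: it rejects any
// CR, LF or NUL, an empty or non-token name, and a double quote in the value
// because renderDirectiveUnsafe wraps the value in quotes.
func validateHeaderField(name, value string) error {
	if strings.ContainsAny(name+value, "\r\n\x00") {
		return errors.New("CR, LF or NUL in header field")
	}
	if name == "" {
		return errors.New("empty header name")
	}
	for _, r := range name {
		if !isTokenChar(r) {
			return fmt.Errorf("invalid character %q in header name", r)
		}
	}
	if strings.ContainsRune(value, '"') {
		return errors.New("double quote in header value")
	}
	return nil
}

// renderDirectiveUnsafe writes the user-supplied pair straight into an Apache
// "Header set" line, as an unsanitised .htaccess writer would.
func renderDirectiveUnsafe(name, value string) string {
	return fmt.Sprintf("Header set %s \"%s\"", name, value)
}

// renderDirectiveSafe validates first and refuses anything that could start a new line.
func renderDirectiveSafe(name, value string) (string, error) {
	if err := validateHeaderField(name, value); err != nil {
		return "", err
	}
	return renderDirectiveUnsafe(name, value), nil
}

// directiveCount counts the non-empty lines in a rendered block; a smuggled
// CRLF shows up as a second directive the administrator never configured.
func directiveCount(block string) int {
	n := 0
	for _, l := range strings.Split(strings.ReplaceAll(block, "\r\n", "\n"), "\n") {
		if strings.TrimSpace(l) != "" {
			n++
		}
	}
	return n
}

func main() {
	// Constructed input: the value closes the quoted string and appends a
	// second, attacker-chosen directive on a new line.
	injected := "nosniff\"\r\nHeader set X-Injected \"1"
	out := renderDirectiveUnsafe("X-Content-Type-Options", injected)
	fmt.Printf("unsafe rendering produced %d directive(s):\n%s\n\n", directiveCount(out), out)
	if _, err := renderDirectiveSafe("X-Content-Type-Options", injected); err != nil {
		fmt.Println("safe rendering refused it:", err)
	}
	line, _ := renderDirectiveSafe("X-Content-Type-Options", "nosniff")
	fmt.Println("clean input renders as:", line)
}
```

Rejecting rather than stripping the control characters is deliberate: silently removing a CRLF can turn two injected lines into one merged directive with different semantics, while a rejection gives the caller an unambiguous error.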
Rclone Access Control Error Vulnerability
Rclone is software developed by the Rclone team for synchronizing files to and from cloud storage. It supports many cloud storage services, including Google Drive, Amazon Drive, S3, Dropbox, Backblaze B2, OneDrive, Swift, Hubic, Cloudfiles, Google Cloud Storage, and Yandex...