EUVD-2025-208401

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

EUVD-2025-208402

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

CVE-2025-69219

A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low...

CVE-2024-56373

DAG Author who already has quite a lot of permissions could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server server-side as a...

EUVD-2024-55432

DAG Author who already has quite a lot of permissions could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server server-side as a...

CVE-2025-12836

The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.23 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticat...

CVE-2023-4141

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '-cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin...

CVE-2025-14059

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read via Path Traversal in all versions up to, and including, 1.6.1. This is due to missing path validation in the createtemplate REST API endpoint where user-controlled input from the emailkit-editor-template parameter is passed...

CVE-2025-13891 Image Gallery – Photo Grid & Video Gallery (Modula) <= 2.13.3 - Missing Authorization to Arbitrary Directory Listing

The Image Gallery – Photo Grid & Video Gallery plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.13.3. This is due to the modulalistfolders AJAX endpoint that lacks proper path validation and base directory restrictions. While the endpoint verifies user...

CVE-2025-13891

The CVE CVE-2025-13891 affects Modula Image Gallery – Photo Grid & Video Gallery (WordPress). A path traversal flaw exists in the modula_list_folders AJAX endpoint across all versions up to 2.13.3, allowing authenticated users with Author+ permissions to enumerate arbitrary server directories due...

CVE-2024-12302

CVE-2024-12302 affects Icegram Engage – Ultimate WP Popup Builder for WordPress, prior to version 3.1.32. The issue arises from insufficient sanitization/escaping of Campaign settings, enabling Stored Cross-Site Scripting by authors and higher-privilege users. The vulnerability is documented with...

CVE-2024-2619

The Elementor Header & Footer Builder for WordPress is vulnerable to HTML Injection in all versions up to, and including, 1.6.26 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level permissions and above, to inject...

CVE-2023-4141

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '-cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin...

CVE-2023-4141 WP Ultimate CSV Importer <= 7.9.8 - Authenticated (Author+) PHP File Creation to Remote Code Execution

The WP Ultimate CSV Importer plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 7.9.8 via the '-cus2' parameter. This allows authenticated attackers with author-level permissions or above, if the administrator previously grants access in the plugin...

PT-2023-27942 · WordPress · Wp Ultimate Csv Importer

Name of the Vulnerable Software and Affected Versions: WP Ultimate CSV Importer plugin for WordPress versions up to, and including, 7.9.8 Description: The issue allows authenticated attackers with author-level permissions or above to execute code on the server via the -cus1 parameter, if the...

CVE-2011-4341

Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to 1 symphony/publish/comments or 2...

Sql injection

Multiple SQL injection vulnerabilities in symphony/content/content.publish.php in Symphony CMS 2.2.3 and possibly other versions before 2.2.4 allow remote authenticated users with Author permissions to execute arbitrary SQL commands via the filter parameter to 1 symphony/publish/comments or 2...