GHSA-9M6V-8FXC-4R44 Sulu: Used API Keys may be available via Admin API

Impact The users endpoint controller exposes a project's apiKey field to the logged-in user, provided they have permission for that endpoint. This only has impact if a project itself uses that specific field, Sulu itself does nothing with it and has no authentication per apiKey in its core. Patch...

CVE-2026-44721

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, a stored cross-site scripting XSS vulnerability that allows any authenticated user with model creation permission workspace.models to execute arbitrary JavaScript in the browser of a...

PT-2026-36969

The EmailKit plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to and including 1.6.5. This is due to a flawed path traversal validation in the create template method of the CheckForm class, where realpath is called on the allowed base directory...

Astra Linux - уязвимость в sssd

A race condition flaw was identified in sssd, where the GPO policy is not consistently applied to authenticated users. This could lead to improper authorization issues, granting or denying access to resources inappropriately...

CVE-2026-7551

The CVE describes a remote code execution vulnerability in HKUDS OpenHarness exposed via the /bridge command. An attacker-enabled /bridge spawn command can forward attacker-controlled text to the bridge session manager and execute commands through the shared shell subprocess helper, allowing shel...

CVE-2026-4805

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated...

CVE-2026-31952 Xibo CMS API has SQL Injection via DataSet Filter Parameter

Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an SQL injection vulnerability in the API routes inside the CMS responsible for Filtering DataSets. This allows an authenticated user to to...

Xibo CMS SQL注入漏洞

Xibo CMS is an open-source content management system for Xibo Digital Signage. Versions 1.7 to 4.4.0 of Xibo CMS have SQL injection vulnerabilities. These vulnerabilities stem from SQL injection in the dataset filtering parameters within the API routing, which may allow authorized users to access...

Securing Remote Server Access: Why VPNs Matter for Administrators

VPNs help secure remote server access by encrypting traffic, restricting entry to authorized users, and reducing exposure of critical systems to the internet...

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. There is a security vulnerability in Apache Airflow, whic...

PT-2026-33239

Name of the Vulnerable Software and Affected Versions Drupal Orejime versions 0.0.0 through 2.0.15 Description Improper neutralization of input during web page generation allows Cross-Site Scripting XSS. The IframeConsent element writes HTML attributes without escaping their values. An attacker...

EUVD-2026-19697

An issue that could allow an authorized user to view the clear-text secrets for a subset of credential types and fields has been resolved. This is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N 5.3...

CVE-2026-20915 Stored cross-site scripting in Pending Changes sidebar

Stored cross-site scripting XSS in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

GHSA-F4VQ-PJ32-GR4Q Concrete CMS has a stored Cross-site Scripting (XSS) vulnerability

In Concrete CMS below version 9.4.8, a Cross-site Scripting XSS vulnerability exists in the "Legacy Form" block. An authenticated user with permissions to create or edit forms e.g., a rogue administrator can inject a persistent JavaScript payload into the options of a multiple-choice question...

WordPress plugin Responsive Lightbox & Gallery 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

UBUNTU-CVE-2026-0595

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.9 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that, under certain conditions could have allowed an authenticated user to add unauthorized email addresses to victim accounts through HTML injection in test...

MongoDB Server 安全漏洞

MongoDB Server is an open-source NoSQL database developed by MongoDB, a US-based company. This database offers features such as collection-oriented storage, dynamic querying, data replication, and automatic failover. There is a security vulnerability in MongoDB Server, which stems from authorized...

MongoDB Server 安全漏洞

MongoDB Server is an open-source NoSQL database developed by MongoDB, a company based in the United States. This database offers features such as collection-oriented storage, dynamic querying, data replication, and automatic failover. There is a security vulnerability in MongoDB Server, which ste...

PT-2026-6690

Name of the Vulnerable Software and Affected Versions Events Listing Widget plugin for WordPress versions up to and including 1.3.4 Description The software is susceptible to Stored Cross-Site Scripting through the 'Event URL' parameter. Insufficient input sanitization and output escaping allow...

CVE-2019-25264

Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users...