57 matches found

NVD
added 2026/05/11 8:25 p.m. | 6 views

CVE-2026-6146

Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets were encrypted using a 64-bit key that was...

5.3 CVSS | 0.00027 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/11 7:12 p.m. | 6 views

CVE-2026-6146 Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys

Amazon::Credentials versions through 1.2.0 for Perl use rand to generate encryption keys. Amazon::Credentials stores credentials in an obfuscated form to prevent access to the secrets from a data dump of the object. Before version 1.3.0, the secrets were encrypted using a 64-bit key that was...

5.8 AI score | 0.00027 EPSS
Exploits: 0 | References: 2
CVE
added 2026/05/11 7:12 p.m. | 8 views

CVE-2026-6146

CVE-2026-6146 affects Perl module Amazon::Credentials up to version 1.2.0. The root cause is the use of Perl’s built‑in rand to generate encryption keys, with secrets stored in an obfuscated form but not securely encrypted. Prior to 1.3.0, a 64‑bit key derived from rand is used, which is predicta...

5.3 CVSS | 5.8 AI score | 0.00027 EPSS
Exploits: 0 | References: 3
Cvelist
added 2026/04/22 7:43 p.m. | 21 views

CVE-2026-34064 nimiq-account: Vesting insufficient funds error can panic

nimiq-account contains account primitives to be used in Nimiq's Rust implementation. Prior to version 1.3.0, VestingContract::canchangebalance returns AccountError::InsufficientFunds when newbalance balance, the node crashes while trying to return an error. The mincap balance precondition is...

5.3 CVSS | 0.00039 EPSS
Exploits: 0 | References: 4
Vulnrichment
added 2026/04/22 7:23 p.m. | 3 views

CVE-2026-34062 Nimiq has Allocation of Resources Without Limits or Throttling in its libp2p request/response

nimiq-libp2p is a Nimiq network implementation based on libp2p. Prior to version 1.3.0, MessageCodec::readrequest and readresponse call readtoend on inbound substreams, so a remote peer can send only a partial frame and keep the substream open. Because Behaviour::new also sets...

5.3 CVSS | 5.8 AI score | 0.00056 EPSS
Exploits: 0 | References: 3
ATTACKERKB
added 2026/04/09 3:43 p.m. | 4 views

CVE-2026-39843

Plane is an open-source project management tool. From 0.28.0 to before 1.3.0, the remediation of GHSA-jcc6-f9v6-f7jw is incomplete, which could lead to the same full-read Server-Side Request Forgery when a normal HTML page contains a link tag with an href that redirects to a private IP address ...

7.7 CVSS | 5.9 AI score | 0.00038 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/04/07 7:37 p.m. | 6 views

CVE-2026-39374

The CVE describes an IDOR-style flaw in Plane (open‑source project management tool) prior to version 1.3.0. The IssueBulkUpdateDateEndpoint lets a project member with ADMIN/MEMBER privileges modify start_date and target_date of ANY issue across the entire instance by fetching issues by ID without...

7.7 CVSS | 5.9 AI score | 0.00036 EPSS
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2026/04/06 5:43 p.m. | 9 views

CVE-2026-35167

CVE-2026-35167 affects Kedro. The _get_versioned_path() function constructs filesystem paths by directly interpolating user-supplied version strings, preserving traversal sequences like ../ and enabling access outside the intended versioned dataset directory. This affects multiple entry points (c...

8.1 CVSS | 5.9 AI score | 0.00022 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2026/04/03 10:9 p.m. | 15 views

CVE-2026-33184 nimiq/core-rs-albatross: Discovery handshake limit could underflow and later provoke a deterministic overflow panic

nimiq/core-rs-albatross is a Rust implementation of the Nimiq Proof-of-Stake protocol based on the Albatross consensus algorithm. Prior to version 1.3.0, the discovery handler accepts a peer-controlled limit during handshake and stores it unchanged. The immediate HandshakeAck path then honors lim...

7.5 CVSS | 0.0002 EPSS
Exploits: 0 | References: 4
CNNVD
added 2026/03/16 12:0 a.m. | 2 views

Aureus ERP code injection vulnerability

Aureus ERP is an enterprise resource planning system developed by aureuserp. Versions of Aureus ERP 1.3.0-BETA2 and earlier had a code injection vulnerability. This vulnerability stemmed from incorrect handling of parameters “subject” and “body” in the file...

5.1 CVSS | 5.7 AI score | 0.00015 EPSS
Exploits: 0 | References: 6
ATTACKERKB
added 2026/02/25 3:8 a.m. | 3 views

CVE-2026-27743

The SPIP refererspam plugin versions prior to 1.3.0 contain an unauthenticated SQL injection vulnerability in the refererspamajouter and refererspamsupprimer action handlers. The handlers read the url parameter from a GET request and interpolate it directly into SQL LIKE clauses without input...

9.8 CVSS | 6.2 AI score | 0.00192 EPSS
Exploits: 1 | References: 6
Cvelist
added 2026/02/20 3:46 p.m. | 19 views

CVE-2025-67971 WordPress FluentCart plugin < 1.3.0 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS. This issue affects FluentCart: from n/a through 1.3.0...

7.1 CVSS | 0.00045 EPSS
Exploits: 0 | References: 1
CNNVD
added 2026/02/19 12:0 a.m. | 4 views

CyreneAdmin path traversal vulnerability

CyreneAdmin is a backend management system developed by CoCoTea’s individual developers. Versions of CyreneAdmin prior to 1.3.0 contained a path traversal vulnerability. This vulnerability stemmed from incorrect handling of the parameter “Avatar” in files/api/system/user/getAvatar, which could le...

6.5 CVSS | 5.8 AI score | 0.00029 EPSS
Exploits: 1 | References: 3
Vulnrichment
added 2025/12/18 6:37 p.m. | 5 views

CVE-2025-67745 Myhoard logs backup encryption key in plain text

MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null...

7.1 CVSS | 6.3 AI score | 0.0003 EPSS
Exploits: 0 | References: 2
CNNVD
added 2025/12/18 12:0 a.m. | 1 views

MyHoard security vulnerability

MyHoard is an open source database backup recovery tool from Aiven Open. A security vulnerability exists in MyHoard versions prior to 1.3.0, which stems from improper logging of backup information and could lead to encryption key disclosure...

7.5 CVSS | 6.2 AI score | 0.0003 EPSS
Exploits: 0 | References: 2
EUVD
added 2025/11/06 6:32 p.m. | 2 views

EUVD-2025-38076

Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons. This issue affects Case Addons: from n/a through 1.3.0...

9.9 CVSS | 6.5 AI score | 0.00068 EPSS
Exploits: 0 | References: 2
NVD
added 2025/11/06 4:16 p.m. | 7 views

CVE-2025-62047

Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons. This issue affects Case Addons: from n/a through 1.3.0...

9.9 CVSS | 0.00068 EPSS
Exploits: 0 | References: 1
CNNVD
added 2025/11/06 12:0 a.m. | 2 views

WordPress plugin Case Addons security vulnerability

The WordPress Case Addons plugin is a plugin for the Elementor page builder that offers a wide range of functional components and templates for enhancing website design and content presentation. The WordPress Case Addons plugin suffers from a file upload vulnerability that stems from the...

9.9 CVSS | 7.5 AI score | 0.00068 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2025/11/06 12:0 a.m. | 5 views

PT-2025-45312

Unrestricted Upload of File with Dangerous Type vulnerability in Case-Themes Case Addons case-addons. This issue affects Case Addons: from n/a through 1.3.0...

9.9 CVSS | 7 AI score | 0.00068 EPSS
Exploits: 0 | References: 2
OSV
added 2025/08/27 4:32 p.m. | 2 views

CVE-2025-57821 Basecamp's Google Sign-In for Rails allowed redirects to a malformed URL

Basecamp's Google Sign-In adds Google sign-in to Rails applications. Prior to version 1.3.0, it is possible to craft a malformed URL that passes the "same origin" check, resulting in the user being redirected to another origin. Rails applications configured to store the flash information in a...

4.2 CVSS | 6.7 AI score | 0.00059 EPSS
Exploits: 0 | References: 6