18 matches found
CVE-2026-47076 SSRF allowlist bypass via percent-encoded host in hackney
Interpretation Conflict vulnerability in benoitc hackney allows Server Side Request Forgery. hackney_url:normalize/2 URL-decodes the host component after the URL has been parsed into a hackney_url record. OTP's uri_string:parse/1 and inet:parse_address/1 do not decode percent-escapes in the host, so ...
Hackney Security Vulnerability
Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions 2.0.0-beta.1 through prior to 4.0.1, which stems from the Alt-Svc response header parser's inability to guarantee forward progress, potentially leading to infinite loops and CPU exhaustion...
CVE-2026-27417
Deserialization of Untrusted Data vulnerability in SeventhQueen Sweet Date sweetdate allows Object Injection. This issue affects Sweet Date: from n/a through 4.0.1...
WordPress Sweet Date theme < 4.0.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Sweet Date versions 4.0.1...
CVE-2017-20209
Nagios Fusion prior to version 4.0.1 is vulnerable to cross-site scripting (XSS) via the Users and Servers pages. The issue arises from insufficient validation or escaping of user-supplied input, potentially allowing an attacker to inject and execute arbitrary script in a victim’s browser. The pr...
CVE-2024-13296
Deserialization of Untrusted Data vulnerability in Drupal Mailjet allows Object Injection. This issue affects Mailjet: from 0.0.0 before 4.0.1...
PT-2024-30456 · Atarim · Atarim
Name of the Vulnerable Software and Affected Versions: Atarim versions prior to 4.0.1. Description: The issue is related to missing authorization, allowing access to functionality not properly constrained by Access Control Lists (ACLs). This means that certain features or resources can be accessed...
Drupal Freelinking module < 4.0.1 - Authenticated Sensitive Data Exposure vulnerability
Authenticated Sensitive Data Exposure vulnerability discovered by Matthew Radcliffe in WordPress Module Freelinking versions 4.0.1...
CVE-2023-46886
Dreamer CMS before version 4.0.1 is vulnerable to Directory Traversal. Background template management allows arbitrary modification of the template file, allowing system sensitive files to be read...
Dreamer CMS Security Vulnerability
Dreamer CMS is a dreamer content management system developed by Junnan Wang, an individual developer in China. A security vulnerability exists in Dreamer CMS versions prior to 4.0.1, which stems from an arbitrary file download vulnerability in the attachment management office feature...
CVE-2023-33559
A local file inclusion vulnerability via the lang parameter in OcoMon before v4.0.1 allows attackers to execute arbitrary code by supplying a crafted PHP file...
CVE-2023-33558
An information disclosure vulnerability in the component users-grid-data.php of Ocomon before v4.0.1 allows attackers to obtain sensitive information such as e-mails and usernames...
PT-2023-7397 · Splunk · Splunk App For Lookup File Editing
Name of the Vulnerable Software and Affected Versions: Splunk App for Lookup File Editing versions prior to 4.0.1. Description: The issue allows a user to insert potentially malicious JavaScript code into the app, causing it to run on the user's machine. This does not require the app itself to...
SUSE CVE-2020-7774
The package y18n before 3.2.2, 4.0.1 and 5.0.5, is vulnerable to Prototype Pollution...
CVE-2022-31478
The UserTakeOver plugin before 4.0.1 for ILIAS allows an attacker to list all users via the search function...
CVE-2022-0355
Improper Removal of Sensitive Information Before Storage or Transfer in NPM simple-get prior to 4.0.1...
DEBIAN-CVE-2021-45452
Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory traversal if crafted filenames are directly passed to it...
CVE-2014-9032
Cross-site scripting (XSS) vulnerability in the media-playlists feature in WordPress before 3.9.x before 3.9.3 and 4.x before 4.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...