JSONPath Plus < 10.3.0 - Remote Code Execution
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for...
Cockpit Web Console < 360 - Remote Code Execution
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...
WordPress Transbank Webpay plugin < 1.14.0 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability discovered by Mateo Contenla & Matías Schiappacasse in WordPress Plugin Transbank Webpay REST versions 1.14.0...
Astra Linux – Vulnerability in PHP 7.3
In PHP versions 7.3.x below 7.3.27, 7.4.x below 7.4.15, and 8.0.x below 8.0.2, when using the SOAP extension to connect to a SOAP server, a malicious SOAP server may return malformed XML data as a response. This could cause PHP to access a null pointer, resulting in a crash...
Astra Linux – Vulnerability in Firefox, Thunderbird
Race condition in the Graphics component. This vulnerability was fixed in Firefox 145, Firefox ESR 140.5, Firefox ESR 115.30, Thunderbird 145, and Thunderbird 140.5...
Astra Linux – Vulnerability in Firefox
Memory safety bugs exist in Firefox 114. Some of these bugs exhibited signs of memory corruption, and we assume that with sufficient effort, some of these bugs could have been exploited to execute arbitrary code. This vulnerability affects Firefox versions prior to 115...
EUVD-2026-37812
BBOT: Path traversal Zip-Slip in unarchive module - incomplete fix for CVE-2025-10284...
EUVD-2025-210250
Unauthenticated SQL Injection in Advanced Ads – Tracking 3.0.7 versions...
EUVD-2026-37621
Unauthenticated SQL Injection in JetEngine 3.8.9.1 versions...
EUVD-2025-210212
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with administrative privileges can potentially tamper with the customer IOCTL by sending crafted IOCTL requests to the driver. A successful exploit can result in the bypassing of all...
EUVD-2025-210211
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with admin privileges can bypass the NSClient Tamper Protections due to weak Discretionary Access Control Lists (DACLs) on the service object and related registry keys. Produc...
CVE-2026-20265 Insecure Default Domain Allowlist in Splunk AI Toolkit
In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists...
CVE-2026-20265
Splunk AI Toolkit has a vulnerability in versions below 5.7.4 where a low-privilege user (not admin/power) can cause the toolkit to issue outbound HTTP requests to an attacker-controlled server due to an insecure default domain allowlist. This could enable data exfiltration. Root cause: outbound ...
CVE-2025-15657
Unauthenticated Insecure Direct Object References (IDOR) in School Management <= 93.1.0 versions...
CVE-2026-54811
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
CVE-2026-42629
Unauthenticated Broken Authentication in PowerPack Pro for Elementor v2.13.0 versions...
CVE-2026-41557
Unauthenticated Cross Site Scripting (XSS) in Kapee 1.7.1 versions...
CVE-2026-24611
Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions...
CVE-2026-22338
Unauthenticated Local File Inclusion in EcoBlue <= 1.15 versions...
CVE-2025-15642
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with admin privileges can bypass the NSClient Tamper Protections due to weak Discretionary Access Control Lists (DACLs) on the service object and related registry keys. Produc...