1134 matches found
WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File
Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...
Astro Cloudflare Adapter - Server Side Request Forgery
Astro is a web framework for content-driven websites. Versions 11.0.3 through 12.6.5 are vulnerable to SSRF when using Astro's Cloudflare adapter. When configured with output: 'server' while using the default imageService: 'compile', the generated image optimization endpoint doesn't check the URL...
Malicious code in ipa-user-collector (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f6740d6a9e24bf6219b8f1c07ef005df676552e1b9656d5e0b1c7b6cfc6f3086 During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is ...
MAL-2026-6749 Malicious code in ipa-user-collector (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f6740d6a9e24bf6219b8f1c07ef005df676552e1b9656d5e0b1c7b6cfc6f3086 During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is ...
Malicious code in haproxy-config-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f3231df36fad882782125a817ad5881080ef595dc1941b5d77aac3c19e7b2bab During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is ...
MAL-2026-6748 Malicious code in haproxy-config-client (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f3231df36fad882782125a817ad5881080ef595dc1941b5d77aac3c19e7b2bab During installation the obfuscated code downloads a malicious executable from a remote location. Code is designed to survive different blocks: first, there is ...
CVE-2026-14440 Cloudflare Universal SSL automatically managed CAA RRset supersedes customer-configured CAA records
Description: To issue and renew TLS certificates on behalf of customers, Cloudflare's Universal SSL feature automatically manages the CAA RRset for the customer's zone. This auto-managed RRset is permissive by design e.g. 'issue "letsencrypt.org"' without parameters. On Universal SSL zones,...
Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...
CVE-2026-56221
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...
CVE-2026-56221 Cap-go - SQL Injection in Cloudflare Analytics Engine Queries via cloudflare.ts
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...
EUVD-2026-38364
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...
CVE-2026-56221
CVE-2026-56221 : Cap-go before 12.128.2 contains SQL injection flaws in cloudflare.ts. User-controlled values from API request bodies are interpolated directly into SQL strings without sanitization or parameterization. Authenticated users with read-level API key permissions can inject arbitrary S...
CVE-2026-56221
Cap-go before 12.128.2 contains multiple SQL injection vulnerabilities in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization. Authenticated users with read-level API key permissions can injec...
PT-2026-51402
Name of the Vulnerable Software and Affected Versions Cap-go versions prior to 12.128.2 Description Multiple SQL injection issues exist in cloudflare.ts where user-controlled values from API request bodies are interpolated directly into SQL query strings without sanitization or parameterization...
CVE-2026-56307
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...
CVE-2026-56307
Cap-go before 12.128.12 contains a broken cursor pagination vulnerability in the /private/devices endpoint on the Cloudflare/workerd path that allows authenticated attackers to cause duplicate-page loops and make later rows unreachable. Attackers with app.readdevices access can exploit...
Cloudflare Quiche: Use-after-free in connection ID iterator FFI functions
Impact Cloudflare Quiche was affected by 2 use-after-free vulnerabilities in the connection ID iterator FFI functions. The quicheconnectioniditernext and quicheconnretiredscidnext functions would return a pointer to a ConnectionId to the applications via function arguments, but the the owned...
ROOT-APP-GOBINARY-CVE-2026-1229 CVE-2026-1229 in rootio-github.com/cloudflare/circl - Patched by Root
Root has patched CVE-2026-1229 in the rootio-github.com/cloudflare/circl package for Root:Go. Multiple fixed versions available...
WordPress Offload, AI & Optimize with Cloudflare Images plugin <= 1.10.2 - Authenticated (Author+) Remote Code Execution vulnerability
Authenticated Author+ Remote Code Execution vulnerability discovered by Yat in WordPress Plugin Offload, AI & Optimize with Cloudflare Images versions = 1.10.2...
CVE-2026-9860
The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...