CVE-2026-48909

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

EUVD-2026-38108

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

CVE-2026-48909

The CVE concerns SP LMS (com_splms) for Joomla, specifically versions earlier than 4.1.4. The root cause is deserializing user-controlled cookie data without validation, which allows an unauthenticated remote attacker to execute arbitrary code on the server. No exploitation details or fixes are e...

Cross-Origin Resource Sharing (CORS) Misconfiguration

hono is vulnerable to Cross-Origin Resource Sharing CORS Misconfiguration. The vulnerability is due to reflecting arbitrary Origin headers while allowing credentials when no explicit origin is configured, which allows an attacker-controlled website to make authenticated cross-origin requests and...

CVE-2026-5229

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email...

CVE-2024-58343

Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...

OESA-2026-2563 python-aiohttp security update

Async http client/server framework asyncio. Security Fixes: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.CVE-2026-34993 If a developer uses the cookies parameter on a per-request basis then sensitive data might be...

OESA-2026-2562 python-aiohttp security update

Async http client/server framework asyncio. Security Fixes: Most applications using this function will be doing so with the user's own data, so this is unlikely to affect many applications.CVE-2026-34993 If a developer uses the cookies parameter on a per-request basis then sensitive data might be...

Astra Linux - уязвимость в python3.11

When using http.cookies.Morsel, user-controlled cookie values and parameters may allow the injection of HTTP headers into messages. The patch rejects all control characters within cookie names, values, and parameters...

CVE-2026-41181

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

CVE-2026-41181 Traefik: Errors middleware forwards Authorization and Cookie headers to separate error page service

Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.44, 3.6.15, and 3.7.0-rc.3, there is an information disclosure vulnerability in Traefik's errors custom error pages middleware. When the backend returns a response matching the configured status range, the middleware forwards the...

CVE-2026-5229

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email...

WordPress plugin Form Notify 授权问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

RHEL 10 : libsoup3 (RHSA-2026:17482)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:17482 advisory. Libsoup is an HTTP library implementation in C. It was originally part of a SOAP Simple Object Access Protocol implementation called Soup,...

CVE-2026-2892

Summary (CVE-2026-2892): The Otter Blocks WordPress plugin (all versions up to 3.1.4) is vulnerable to a Purchase Verification Bypass. The root cause is the get_customer_data function relying on an unsigned o_stripe_data cookie to determine Stripe product ownership for unauthenticated users, whil...

EUVD-2024-55551

Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...

CVE-2024-58343

CVE-2024-58343 affects Vision Helpdesk versions prior to 5.7.0, with a patch available in 5.6.10. The issue allows attackers to read user profiles by tampering serialized cookie data in vis_client_id. The CVSS v3.1 base score is 4.3 (MEDIUM) with network attack vector, low attack complexity, and ...

CVE-2024-58343

Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...

CVE-2024-58343

Vision Helpdesk before 5.7.0 patched in 5.6.10 allows attackers to read user profiles via modified serialized cookie data to visclientid...