7157 matches found
The vulnerability of the Directum HR Pro system, which exists due to insufficient verification of input data, allows a perpetrator to disclose protected information.
The vulnerability of the Directum HR Pro system exists due to insufficient verification of input data. Exploiting this vulnerability can allow a malicious actor to disclose protected information by sending a specially crafted POST request...
AntD Admin - Sensitive Information Disclosure
AntD Admin has a security vulnerability that stems from Antd-admin 5.5.0 being affected by an incorrect access control vulnerability. Attackers can exploit this vulnerability to gain unauthorized access to some front-end interfaces, resulting in the leakage of sensitive information such as user...
WordPress AI ChatBot (WPBot) <= 4.8.9 - SQL Injection
ChatBot plugin for WordPress up to 4.8.9 contains a sqlinjection caused by insufficient escaping and lack of preparation on the $strid parameter, letting unauthenticated attackers extract sensitive data, exploit requires no authentication. id: CVE-2023-5204 info: name: WordPress AI ChatBot WPBot ...
Vendure Core - SQL Injection
Vendure, an open-source headless commerce platform built on Node.js/TypeScript, contains a critical SQL injection vulnerability in its Shop API. The languageCode query parameter is interpolated directly into a raw SQL CASE expression in ProductService.findOneBySlug without parameterization or inp...
CVE-2025-70796
An unauthenticated path traversal vulnerability exists in the web management interface of WTI Wireless Technology, Inc. version 3.5.0.r 2024/05/24 00:00:00. An unauthenticated attacker can craft malicious HTTP requests containing traversal sequences to access files outside of the intended web roo...
CVE-2026-15143 Guardrails-detectors: guardrails-detectors: ssrf and local file read via user-supplied xml schema (xml-with-schema:)
A flaw was found in the filetype content detector of guardrails-detectors. This vulnerability allows a remote attacker to supply an arbitrary XML Schema Definition XSD string, which is processed without proper restrictions. This can lead to server-side requests to arbitrary URLs or local file...
CVE-2026-39822
A flaw was found in the os.Root functionality of Go on Unix systems. This vulnerability allows an attacker to bypass intended directory restrictions by crafting a path that ends with a symbolic link and a trailing slash. When a file is opened in os.Root with such a path, the symbolic link is...
CVE-2026-14475
The Cookie Banner for GDPR / CCPA – WPLP Cookie Consent plugin for WordPress is vulnerable to generic SQL Injection via the 'scanid' parameter in all versions up to, and including, 4.3.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing...
libcurl 8.11.0 < 8.21.0 HTTP/3 Early Data Information Disclosure (CVE-2026-9545)
The version of libcurl installed on the remote host is 8.11.0 prior to 8.21.0. It is, therefore, affected by an information disclosure vulnerability: - When libcurl returns to a hostname with a cached SSL session and early data enabled, libcurl might send the request bytes before enforcing the...
CVE-2025-70796
An unauthenticated path traversal in the web management interface of WTI (Wireless Technology, Inc.), version 3.5.0.r 2024/05/24 00:00:00, allows crafted HTTP requests with traversal sequences to access files outside the web root, potentially disclosing sensitive system files and configuration da...
CVE-2026-0284
An XML injection vulnerability in the Large Scale VPN LSVPN functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data...
CVE-2026-0284 PAN-OS: XML Injection Vulnerability in Large Scale VPN (LSVPN)
An XML injection vulnerability in the Large Scale VPN LSVPN functionality of Palo Alto Networks PAN-OS® software enables an unauthenticated attacker with network access to inject malicious XML content, potentially leading to information disclosure or corruption of internal LSVPN satellite data...
CVE-2026-56374
A heap buffer overflow vulnerability exists in ImageMagick and Magick.NET's FTXT encoder due to missing boundary checks for the ftxt:format parameter. A remote attacker could exploit this using a specially crafted FTXT image to cause a denial of service or disclose sensitive information. Mitigati...
netty: io.netty/netty-codec-http: Netty: Incorrect HTTP response parsing leads to data confusion
A flaw was found in Netty, an asynchronous, event-driven network application framework. A remote attacker could exploit this vulnerability by sending a specific sequence of HTTP responses 103, followed by a 200 with a GET body, then another 200 for a HEAD request when the client pipelines GET the...
CVE-2026-13320
A flaw was found in GitLab. Under certain conditions, an authenticated user could exploit improper sanitization of user-supplied input. This vulnerability allows for the execution of arbitrary scripts within another user's browser session, commonly known as Cross-Site Scripting XSS. This could le...
gstreamer1-plugins-bad-free: GStreamer: Signed integer overflow in VMnc decoder cursor payload handling
A signed integer overflow vulnerability was found in GStreamer's VMnc decoder. A crafted VMnc stream with large cursor dimensions can overflow signed integer payload-size arithmetic, bypassing a length check and leading to out-of-bounds reads. A remote attacker could trick a user into opening a...
CVE-2026-57481 Parse Server: LiveQuery discloses object data to a subscriber across an ACL read-access change
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.9.1-alpha.13 and 8.6.83, a LiveQuery subscriber could receive object field values they were not authorized to read when a single save changed both an object field and the subscriber'...
CVE-2026-56374
ImageMagick before 7.1.2-19 contains a heap buffer overflow vulnerability in the FTXT encoder due to missing boundary checks when parsing ftxt:format. Remote attackers can trigger an out of bounds read by crafting malicious FTXT image files to cause denial of service or information disclosure...
CVE-2026-41122
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain a stored cross-site scripting vulnerability. An unauthenticated attacker wit...
CVE-2026-41122
Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.7, LTS2026 release version 8.6.1.0 through 8.6.1.10, LTS2025 release version 8.3.1.0 through 8.3.1.30, LTS2024 release versions 7.13.1.0 through 7.13.1.70 contain a stored cross-site scripting vulnerability. An unauthenticated attacker wit...