371 matches found
CVE-2025-15565
The Nexi XPay plugin for WordPress (all versions up to and including 8.3.0) is vulnerable to unauthorized data modification due to missing authorization checks on the redirect function. This allows unauthenticated attackers to mark pending WooCommerce orders as paid or completed. CVSS 3.1 base sc...
CVE-2026-39972 vulnerabilities
Vulnerabilities for packages: frankenphp-8.2, frankenphp-8.4, frankenphp-8.3, frankenphp-8.5...
GHSA-HWR4-MQ23-WCV5 vulnerabilities
Vulnerabilities for packages: frankenphp-8.2, frankenphp-8.4, frankenphp-8.3, frankenphp-8.5...
GHSA-W8RR-5GCM-PP58 vulnerabilities
Vulnerabilities for packages: envoy-ratelimit, zot, cilium, beats-fips, docker-cli-buildx-fips, kiali, tempo, falcosidekick, tkn, argo-workflows-fips, net-kourier, opa-fips, flyte, splunk-otel-collector-fips, net-kourier-fips, weaviate, aws-otel-collector, thanos, caddy-fips, opentofu-fips,...
Command Injection
Overview Affected versions of this package are vulnerable to Command Injection via the rotateFileVaultKey function in orbit/pkg/useraction/useractiondarwin.go. An attacker can execute arbitrary commands on macOS by supplying a crafted FileVault username or password that is interpolated into the...
ALPINE-CVE-2026-34743
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...
CVE-2026-34743
XZ Utils contains a vulnerability (CVE-2026-34743) in lzma_index_append() when decoding an empty index with lzma_index_decoder(), which could leave the index in a state that permits a buffer overflow. The issue affects versions prior to 5.8.3; a patch is available in 5.8.3. Affected component is ...
CVE-2026-34743 XZ Utils: Buffer overflow in lzma_index_append()
XZ Utils provide a general-purpose data-compression library plus command-line tools. Prior to version 5.8.3, if lzmaindexdecoder was used to decode an Index that contained no Records, the resulting lzmaindex was left in a state where where a subsequent lzmaindexappend would allocate too little...
RHEL 9 : grafana-pcp (RHSA-2026:6383)
The remote Redhat Enterprise Linux 9 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2026:6383 advisory. The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace...
EUVD-2026-16943
A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem ear...
CVE-2026-33532 yaml is vulnerable to Stack Overflow via deeply nested YAML collections
yaml is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of yaml on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a...
PT-2026-27843
CVE-2026-23971 Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through = 8.3.8. https://t.co/0me4zW3qJ4...
PT-2026-26660
Cryptomator for IOS offers multi-platform transparent client-side encryption for files in the cloud. Prior to version 2.8.3, an integrity check vulnerability allows an attacker tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Befo...
PT-2026-26206
Name of the Vulnerable Software and Affected Versions HAPI FHIR versions prior to 6.9.0 Description HAPI FHIR, a Java implementation of the HL7 FHIR standard, is affected by an issue where HTTP headers, potentially containing privacy-sensitive information, are sent to both the initial host and an...
PT-2026-24842
A security vulnerability has been detected in elecV2P up to 3.8.3. Affected by this issue is the function runJSFile of the file source-code/elecV2P-master/webser/wbjs.js of the component jsfile Endpoint. Such manipulation leads to code injection. The attack may be launched remotely. The exploit h...
Oracle Linux 10 : mysql8.4 (ELSA-2026-4162)
The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-4162 advisory. 8.4.8-1 - Rebase to 8.4.8 8.4.7-2 - Skip tests that are failing on Konflux - Resolves: ROK-831 Tenable has extracted the preceding description block...
EUVD-2025-208340
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the...
CVE-2025-15602
Summary: CVE-2025-15602 affects Snipe-IT
CVE-2025-15602 Snipe-IT < 8.3.7 Mass Assignment Vulnerability Leading to Privilege Escalation
Snipe-IT versions prior to 8.3.7 contain sensitive user attributes related to account privileges that are insufficiently protected against mass assignment. An authenticated, low-privileged user can craft a malicious API request to modify restricted fields of another user account, including the...
chartbrew SQL注入漏洞
Chartbrew is an open-source data visualization and dashboard building tool developed by Chartbrew. Versions of Chartbrew prior to 4.8.3 contained a SQL injection vulnerability. This vulnerability allows unverified attackers to inject arbitrary SQL queries into the database, potentially leading to...