EUVD-2026-23286

DataEase is an open-source data visualization and analytics platform. Versions 2.10.20 and below contain a SQL injection vulnerability in the API datasource saving process. The deTableName field from the Base64-encoded datasource configuration is used to construct a DDL statement via simple strin...

haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

CLSA-2026-1776337242 haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

OPENSUSE-SU-2026:20554-1 Security update for dovecot24

This update for dovecot24 fixes the following issues: - Update to v2.4.3 - CVE-2025-59028: Invalid base64 authentication can cause DoS for other logins bsc1260894. - CVE-2025-59031: decode2text.sh OOXML extraction may follow symlinks and read unintended files during indexing bsc1260895. -...

Improper Handling of URL Encoding (Hex Encoding)

Overview @fastify/static is a Plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding Hex Encoding via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...

CLSA-2026-1776336742 haproxy: Fix of CVE-2019-18277

CVE-2019-18277: reject messages where "chunked" is missing from transfer-encoding...

CVE-2025-6024

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...

CVE-2025-6024

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...

CVE-2024-4867

The CVE-2024-4867 entry describes a cross-site scripting (XSS) vulnerability in the WSO2 API Manager developer portal. User-supplied input is not properly validated or output-encoded, enabling injection of script content executed in the user’s browser. Exploitation can cause the UI to redirect to...

CLSA-2026-1776329620 glib2: Fix of 6 CVEs

CVE-2026-1489: fix integer overflow in Unicode case conversion functions - CVE-2026-1484: fix integer overflow in GLib Base64 encoding - CVE-2025-14512: fix integer overflow in escapebytestring for byte strings with many invalid characters - CVE-2026-1485: fix buffer underflow in content type...

WSO2 API Manager 安全漏洞

The WSO2 API Manager is a set of API lifecycle management solutions provided by the American company WSO2. There is a security vulnerability present in the WSO2 API Manager developer portal. This vulnerability stems from the lack of enforceable validation constraints on user inputs and output...

PT-2026-33305

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious...

WordPress plugin Accessibility Suite by Ability, Inc 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

WordPress plugin DirectoryPress – Business Directory And Classified Ad Listing 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

PT-2026-33373

Name of the Vulnerable Software and Affected Versions openCryptoki versions prior to 3.26.1 Description The BER/DER decoding functions in the shared common library asn1.c accept a raw pointer without a buffer length parameter and trust attacker-controlled BER length fields without validating them...

CLSA-2026-1776246056 glib2: Fix of 5 CVEs

CVE-2026-1489: fix integer overflow in Unicode case conversion functions - CVE-2026-1484: fix integer overflow in GLib Base64 encoding - CVE-2026-1485: fix buffer underflow in content type treemagic parsing - CVE-2026-0988: fix integer overflow in gbufferedinputstreampeek - CVE-2025-7039: fix...

Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

GHSA-497X-RRR9-68JP Grafana Loki Path Traversal - CVE-2021-36156 Bypass

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

EUVD-2026-23100

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/namespace Thanks to Prasanth Sundararajan for reporting this vulnerability...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the namespace parameter in the Ruler API endpoint after double URL encoding. An attacker can access arbitrary files by sending specially crafted requests. Details A Directory Traversal attack also known as path...