Lucene search

72 matches found

CNNVD
added 2026/05/20 12:0 a.m. | 4 views

Plane Security Vulnerability

Plane is an open-source, self-hosted project planning tool developed by Plane OpenSource. Versions of Plane 1.3.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from SavedAnalyticEndpoint directly passing user-controlled segment parameters into Django F expressions...

CVSS 6.5 | AI score 5.8 | EPSS 0.00037
Exploits: 1 | References: 1

NVD
added 2026/05/13 4:16 p.m. | 4 views

CVE-2026-42408

When BIG-IP DNS is provisioned, a vulnerability exists in an undisclosed TMOS Shell (tmsh) command that may allow a highly privileged authenticated attacker to view sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated...

CVSS 6.7 | EPSS 0.00012
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:0 a.m. | 5 views

Wikimedia Echo Information Disclosure Vulnerability

Wikimedia Echo is a messaging extension provided by the Wikimedia Foundation that offers features for sending notifications within the site and reminding users. Wikimedia Echo has a vulnerability related to information leakage, which stems from the exposure of sensitive information in the program...

CVSS 2.3 | AI score 5.7 | EPSS 0.00047
Exploits: 0 | References: 1

Cvelist
added 2026/05/07 1:57 p.m. | 32 views

CVE-2026-44349 Daptin fuzzy search injects unvalidated column name into raw SQL

Daptin is a GraphQL/JSON-API headless CMS. Prior to version 0.11.5, processFuzzySearch in server/resource/resourcefindallpaginated.go:1484 splits the user-supplied column parameter by comma and interpolates each segment directly into goqu.L(fmt.Sprintf("LOWER(%s) LIKE ?", prefix+col)) raw SQL with no...

CVSS 7.1 | EPSS 0.00017
Exploits: 0 | References: 2

NVD
added 2026/04/07 3:17 p.m. | 3 views

CVE-2026-35484

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.3, an unauthenticated path traversal vulnerability in loadpreset allows reading any .yaml file on the server filesystem. The parsed YAML key-value pairs including passwords, API keys, connection...

CVSS 5.3 | EPSS 0.00095
Exploits: 1 | References: 1

Vulnrichment
added 2026/04/07 3:14 p.m. | 3 views

CVE-2026-35516 LinkAce has SSRF via CheckLinksCommand - Link URL Update Bypasses laravel-html-meta Protection

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services (AWS IMDSv1, cloud metadata, internal APIs) by creating a link with a publ...

CVSS 5 | AI score 5.9 | EPSS 0.00012
Exploits: 1 | References: 1

NVD
added 2026/03/27 9:17 p.m. | 0 views

CVE-2026-33887

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.16 and 6.7.2, authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the...

CVSS 5.4 | EPSS 0.00032
Exploits: 0 | References: 1

ATTACKERKB
added 2026/03/04 8:46 a.m. | 2 views

CVE-2026-2747

SEPPmail Secure Email Gateway before version 15.0.1 decrypts inline PGP messages without isolating them from surrounding unencrypted content, allowing exposure of sensitive information to an unauthorized actor...

CVSS 6.9 | AI score 5.9 | EPSS 0.00049
Exploits: 0 | References: 2

RedhatCVE
added 2026/02/06 1:25 a.m. | 2 views

CVE-2026-25517

Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model's fields can craft a form submission to obtain a...

CVSS 5.1 | AI score 5.3 | EPSS 0.00013
Exploits: 0 | References: 1

CNNVD
added 2026/01/02 12:0 a.m. | 2 views

QNAP Systems License Center Buffer Error Vulnerability

QNAP Systems License Center is a license management center of Taiwan, China-based QNAP Systems. A buffer error vulnerability exists in QNAP Systems License Center versions prior to 2.0.36, which originates from an out-of-bounds read and could lead to the acquisition of secret data...

CVSS 6.5 | AI score 6.8 | EPSS 0.00017
Exploits: 0 | References: 2

CVE
added 2025/11/14 10:50 p.m. | 6 views

CVE-2021-4471

TG8 Firewall exposes a /data/ directory over HTTP without authentication, storing credential files for previously logged-in users. This enables a remote unauthenticated attacker to enumerate and download files to obtain usernames and passwords, leading to loss of confidentiality and potential una...

CVSS 8.7 | AI score 6.7 | EPSS 0.00285
Exploits: 0 | References: 3

Qualys Blog
added 2025/11/03 5:1 p.m. | 7 views

Inside an Automotive Giant’s Data Leak — A Cloud Misconfiguration Lesson for AWS Users

70 TB+ of data, hard-coded keys, and weak IAM controls. For even the most experienced enterprises, one configuration decision can be enough to surface how interdependent and vulnerable modern cloud systems truly are. The recent data exposure incident at a large automotive firm highlights this...

AI score 7.1
Exploits: 0

EUVD
added 2025/10/03 8:7 p.m. | 3 views

EUVD-2023-0551

Malicious code in bioql PyPI...

CVSS 6.5 | AI score 6.8 | EPSS 0.00354
Exploits: 0 | References: 4

RedhatCVE
added 2025/09/11 5:29 p.m. | 2 views

CVE-2025-55243

Exposure of sensitive information to an unauthorized actor in Microsoft Office Plus allows an unauthorized attacker to perform spoofing over a network...

CVSS 7.5 | AI score 6.4 | EPSS 0.00254
Exploits: 0 | References: 1

NVD
added 2025/08/25 2:15 p.m. | 1 views

CVE-2025-45968

An issue in System PDV v1.0 allows a remote attacker to obtain sensitive information via the hash parameter in a URL. The application contains an Insecure Direct Object Reference (IDOR) vulnerability, which occurs due to a lack of proper authorization checks when accessing objects referenced by thi...

CVSS 9.8 | EPSS 0.00414
Exploits: 1 | References: 1

Patchstack
added 2025/08/14 10:53 p.m. | 5 views

WordPress B Slider - Gutenberg Slider Block for WP plugin <= 2.0.0 - Authenticated (Subscriber+) Sensitive Information Exposure vulnerability

WordPress B Slider - Gutenberg Slider Block for WP plugin <= 2.0.0 - Authenticated (Subscriber+) Sensitive Information Exposure vulnerability discovered by wesley wcraft in WordPress Plugin B Slider versions <= 2.0.0...

CVSS 4.3 | AI score 6.7 | EPSS 0.00067
Exploits: 0 | References: 1 | Affected Software: 1

Snyk
added 2025/07/09 4:49 p.m. | 2 views

Cleartext Storage of Sensitive Information

Overview: org.jenkins-ci.plugins:soapui-pro-functional-testing is a plugin used to run SoapUI Pro tests from Jenkins builds. Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the storage of sensitive information such as SLM License Access Keys,...

CVSS 6.8 | AI score 6.6 | EPSS 0.00216
Exploits: 0 | References: 2

RedhatCVE
added 2025/05/23 2:52 a.m. | 1 views

CVE-2023-0354

The Akuvox E11 web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs...

CVSS 9.1 | AI score 9 | EPSS 0.00189
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/23 2:19 a.m. | 3 views

CVE-2023-51451

Symbolicator is a service used in Sentry. Starting in Symbolicator version 0.3.3 and prior to version 21.12.1, an attacker could make Symbolicator send GET HTTP requests to arbitrary URLs with internal IP addresses by using an invalid protocol. The responses of those requests could be exposed via...

CVSS 4.3 | AI score 6.9 | EPSS 0.00283
Exploits: 0 | References: 1

HackRead
added 2025/05/07 1:0 p.m. | 15 views

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

Austin, USA / Texas, 7th May 2025, CyberNewsWire...

AI score 7.3
Exploits: 0