Open eClass Code Issue Vulnerability
Open eClass is an open-source e-classroom system developed by the Greek Universities Network. Versions of Open eClass prior to 4.2 had code vulnerabilities; these vulnerabilities stemmed from a bypass in file upload validation, allowing attackers to upload files with prohibited extensions using Z...
Open VSX Supply Chain Attack Used Compromised Dev Account to Spread GlassWorm
Cybersecurity researchers have disclosed details of a supply chain attack targeting the Open VSX Registry in which unidentified threat actors compromised a legitimate developer's resources to push malicious updates to downstream users. "On January 30, 2026, four established Open VSX extensions...
EUVD-2020-30927
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without...
CVE-2020-37054
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without...
CVE-2020-37054 Navigate CMS 2.8.7 - Cross-Site Request Forgery
Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without...
CVE-2020-37054
Navigate CMS 2.8.7 is affected by a cross-site request forgery vulnerability that lets attackers upload malicious extensions via a crafted HTML page. By abusing the extension upload functionality without additional validation, an authenticated administrator can be tricked into performing arbitrar...
Researchers Uncover Chrome Extensions Abusing Affiliate Links and Stealing ChatGPT Access
Cybersecurity researchers have discovered malicious Google Chrome extensions that come with capabilities to hijack affiliate links, steal data, and collect OpenAI ChatGPT authentication tokens. One of the extensions in question is Amazon Ads Blocker (ID: pnpchphmplpdimbllknjoiopmfphellj), which...
Naviwebs Navigate CMS Cross-Site Request Forgery Vulnerability
Naviwebs Navigate CMS is an open-source content management system developed by Naviwebs Inc. Version 2.8.7 of Naviwebs Navigate CMS contains a cross-site request forgery vulnerability. This vulnerability stems from the extension upload feature, which allows for cross-site request forgery,...
EUVD-2026-4858
Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The...
CVE-2026-24835
Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The...
AZL-78933 CVE-2025-61730 affecting package golang 1.25.7-1
During the TLS 1.3 handshake, if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosu...
CVE-2025-66488
Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials...
aiohttp: AIOHTTP HTTP Request/Response Smuggling
A request smuggling flaw was found in the aiohttp Python library. If a pure Python version of aiohttp is installed (without the usual C extensions, for example), or if AIOHTTP_NO_EXTENSIONS is enabled, an attacker can execute a request smuggling attack to bypass certain firewalls or proxy protection...
DotNetNuke.Core Vulnerable to Stored XSS in Scheduler LogNotes
Extensions could write rich text in log notes which can include scripts that would run in the PersonaBar when displayed...
Malicious Chrome extensions can spy on your ChatGPT chats
Researchers discovered 16 malicious browser extensions for Google Chrome and Microsoft Edge that steal ChatGPT session tokens, giving attackers access to accounts, including conversation history and metadata. The 16 malicious extensions (15 for Chrome and 1 for Edge) claim to improve and optimize...
php:8.2 security update
An update is available for module.php, module.php-pear, module.php-pecl-apcu, php-pecl-rrd, module.php-pecl-xdebug3, php, php-pear, php-pecl-zip, module.php-pecl-zip, module.php-pecl-rrd, php-pecl-apcu, php-pecl-xdebug3, module.libzip, libzip. This update affects Rocky Linux 8. A Common...
CVE-2026-24836
DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write rich text in log notes which can include scripts that would run in the PersonaBar when displayed...
16 Fake ChatGPT Extensions Caught Hijacking User Accounts
A coordinated campaign of 16 malicious GPT optimisers has been caught hijacking ChatGPT accounts. These tools steal session tokens to access private chats, Slack, and Google Drive files...