10397 matches found
CVE-2026-7517 Custom Payment Gateways for WooCommerce <= 2.1.0 - Unauthenticated Stored Cross-Site Scripting via 'alg_wc_cpg_input_fields' Parameter
The Custom Payment Gateways for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'algwccpginputfields' parameter in all versions up to, and including, 2.1.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
CVE-2026-7517
The CVE-2026-7517 entry concerns the Custom Payment Gateways for WooCommerce WordPress plugin. It is vulnerable to Stored Cross-Site Scripting via the alg_wc_cpg_input_fields parameter in all versions up to 2.1.0 due to insufficient input sanitization and output escaping. Exploitation is possible...
PT-2026-54785
Name of the Vulnerable Software and Affected Versions Foreman affected versions not specified Description A broken access control issue allows an authenticated user with host-edit permissions to retarget an existing lookup value override to a different host. This is performed by modifying the mat...
BIT-GHOST-2026-53949 Ghost Content API filter bypass reveals private fields
Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully...
EUVD-2026-40383
IBM Langflow OSS 1.0.0 through 1.10.0 could allow arbitrary code execution due to improper validation of flow nodes with missing or empty component type fields...
EUVD-2026-36100
Fission Environment CRD podspec passthrough enables hostPID/hostNetwork/privileged pods, node escape...
EUVD-2026-36098
Fission Environment CRD PodSpec Injection Leading to Node Escape and Cluster Takeover...
SUSE-SU-2026:2690-1 Security update for sg3_utils
This update for sg3utils fixes the following issue Update to version 1.44763+23.769c9b5b: - sginq: --export output conformance for SCSI name string and ATA fields bsc1267823...
SUSE-SU-2026:2689-1 Security update for sg3_utils
This update for sg3utils fixes the following issue Update to version 1.43+49.47792c16: - sginq: --export output conformance for SCSI name string and ATA fields bsc1267823...
SUSE-SU-2026:2688-1 Security update for sg3_utils
This update for sg3utils fixes the following issue - sginq: --export output conformance for SCSI name string and ATA fields bsc1267823...
SUSE-SU-2026:2687-1 Security update for sg3_utils
This update for sg3utils fixes the following issue Update to version 1.44763+20.e416e091: - sginq: --export output conformance for SCSI name string and ATA fields bsc1267823...
atril: evince: xreader: PDF /GoToR action argv injection enables single-click RCE via --gtk-module dlopen
A flaw was found in Atril, Evince and Xreader. A malicious link inside a specially crafted PDF document can cause arbitrary code execution when clicked due to improper quoting of attacker-controlled PDF link-destination fields during remote go-to /GoToR actions. This issue allows an attacker to...
CVE-2026-57954
Vulnerability summary (CVE-2026-57954) Elide 7.1.17 has a flaw in SortingImpl.getValidSortingRules where @ReadPermission is not enforced on client-supplied sort expressions. This allows attackers to sort collections by forbidden fields and infer hidden field values via row ordering analysis, leak...
CVE-2026-57954 Elide 7.1.17 - Permission Bypass in Sort Expression Validation
Elide through 7.1.17 fails to enforce @ReadPermission on client-supplied sort expressions in SortingImpl.getValidSortingRules, allowing attackers to sort collections by forbidden fields. Attackers can infer hidden field values through row ordering analysis, leaking relative field ordering across...
CVE-2026-56781 Teable - Unauthenticated Hidden Field Disclosure via Projection Parameter Override
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from shar...
CVE-2026-56781 Teable - Unauthenticated Hidden Field Disclosure via Projection Parameter Override
Teable before 2026-06-15T04-43-24Z.1912 contains an improper access control vulnerability that allows anonymous attackers to access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs from shar...
CVE-2026-56781
The CVE-2026-56781 entry details an improper access control in Teable prior to 2026-06-15T04-43-24Z.1912 where anonymous attackers can access hidden field data by supplying arbitrary field IDs in the projection parameter of the share view records endpoint. Attackers can enumerate hidden field IDs...
CVE-2026-13567 code-projects Online Music Site POST Request Feedback.php cross site scripting
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be...
EUVD-2026-40082
A security flaw has been discovered in code-projects Online Music Site 1.0. This affects an unknown part of the file /Frontend/Feedback.php of the component POST Request Handler. The manipulation of the argument fname/femail/faddress/fmessage results in cross site scripting. The attack may be...
CVE-2026-54270
A flaw was found in protobufjs. This library compiles protobuf definitions into JavaScript JS functions. A remote attacker could send a specially crafted protobuf payload containing numerous unknown fields. This could cause the decoded message to retain substantially more memory than expected,...