CVE-2019-25734

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors & 20+ New Stories

It got stupid again. The internet still feels held together with tape. Bad plugins, old bugs, fake tools, trusted apps doing shady things. Same mess, new wrapper. And now the weird stuff is normal. Forums go down and come back worse. Cheap hackers get better toys. AI starts breaking real systems...

CVE-2019-25734

The CVE-2019-25734 entry concerns the WordPress plugin Contact Form by WD version 1.13.1. It describes a combined cross-site request forgery and local file inclusion vulnerability that lets unauthenticated attackers include arbitrary files by exploiting unsanitized action parameters. Attacks targ...

CVE-2019-25734 Contact Form by WD 1.13.1 CSRF to Local File Inclusion

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

CVE-2019-25734

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

EUVD-2019-20170

Contact Form by WD 1.13.1 contains a cross-site request forgery vulnerability combined with local file inclusion that allows unauthenticated attackers to include arbitrary files by exploiting unsanitized action parameters. Attackers can craft malicious forms targeting the admin-ajax.php endpoint...

CVE-2019-25729

CVE-2019-25729 : PDF Signer 3.0 is affected by a server-side template injection vulnerability that allows unauthenticated attackers to execute arbitrary code via the CSRF-TOKEN cookie parameter. Attackers can craft cookie values containing template payloads (e.g., shell_exec()) to run system comm...

Lack of transparency in Cisco Unified Communications Manager

Cisco has identified a vulnerability in Unified Communications Manager CM and Unified Communications Manager Session Management Edition CM SME. A malicious individual could exploit this vulnerability to carry out a Server-Side Request Forgery SSRF attack. Successful exploitation could result in t...

CVE-2026-48598

Improper Encoding or Escaping of Output vulnerability in elixir-tesla tesla allows multipart part header injection via unescaped Content-Disposition parameter values. Tesla.Multipart.partheadersfordisposition/1 interpolates each disposition parameter as k="v" with no validation of CR \r, LF \n, o...

EUVD-2026-34231

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links...

CVE-2026-50226

CVE-2026-50226 affects the AcerConnect OTA application. The issue arises from fixed AES-128-CBC keys inside the app, allowing attackers to forge authorization credentials for arbitrary IMEI numbers. This enables unauthorized actors to list catalog items and extract protected binaries from pre-sig...

SUSE CVE-2026-46244

In the Linux kernel, the following vulnerability has been resolved: netfilter: nftinner: Fix IPv6 innerthoff desync In nftinnerparsel2l3, when processing inner IPv6 packets, ipv6findhdr correctly computes the transport header offset traversing all extension headers, but the result is immediately...

EUVD-2026-34182

A vulnerability was found in crmeb crmebjava 1.4. Affected is the function RestTemplate.getForEntity of the file crmeb-common/src/main/java/com/zbkj/common/utils/RestTemplateUtil.java of the component base64 Qrcode Endpoint. The manipulation of the argument url results in server-side request...

PT-2026-46258

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...

PT-2026-46390

Name of the Vulnerable Software and Affected Versions IRIS versions prior to 2.4.28 Description IRIS is a web collaborative platform designed for incident responders to share technical details during investigations. The software is susceptible to a cross-site request forgery attack, which occurs...

PT-2026-46763

Name of the Vulnerable Software and Affected Versions Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns versions prior to 6.1.4 Description The plugin is susceptible to Server-Side Request Forgery SSRF, a flaw where an attacker can induce the server-side application to mak...

Tautulli 安全漏洞

Tautulli is an open-source application developed by Tautulli for monitoring Plex Media Server. Versions of Tautulli prior to 2.17.1 contained security vulnerabilities. These vulnerabilities stemmed from the configUpdate endpoint not enforcing the POST method and not using a CSRF token...

Simcy Creative PDF Signer 跨站请求伪造漏洞

Simcy Creative PDF Signer is a PDF document signing and editing software developed by Simcy Creative. Version 3.0 of Simcy Creative PDF Signer contains a cross-site request forgeing vulnerability. This vulnerability stems from injecting PHP commands through the CSRF-TOKEN cookie parameter, allowi...

wordpress plugin Contact Form 路径遍历漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

Iris 安全漏洞

Iris is a fast, simple, yet fully functional and highly efficient Go web framework developed under the DFIR-IRIS open source project. Versions of IRIS prior to 2.4.28 contained security vulnerabilities; these vulnerabilities stemmed from the use of the HTTP GET method to alter server state, makin...