GHSA-43W5-MMXV-CPVH Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the JsonBeanPropertyBinder::expandArrayToThreshold function of the form-urlencoded body binding process. An attacker can cause sustained CPU usage and unbounded memory growth,...

Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service...

EUVD-2026-12576

A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Affected is the function strcpy of the file /goform/formApLbConfig. This manipulation of the argument loadBalanceNameOld causes buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and m...

golang: net/url: Memory exhaustion in query parameter parsing in net/url

A flaw was found in the net/url package in the Go standard library. The package does not enforce a limit on the number of unique query parameters it parses. A Go application using the net/http.Request.ParseForm method will try to process all parameters provided in the request. A specially crafted...

WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin <= 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nf_set_entry_update_id vulnerability

WordPress NEX-Forms - Ultimate Forms Plugin for WordPress plugin = 9.1.9 - Missing Authorization to Unauthenticated Arbitrary Form Entry Modification via nfsetentryupdateid vulnerability discovered by Youssef Elouaer in WordPress Plugin NEX-Forms versions = 9.1.9...

EUVD-2026-12537

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the getmainqueryargs function due to insufficient restrictions on which posts can be included. This makes it possib...

CVE-2026-2373 Royal Addons for Elementor – Addons and Templates Kit for Elementor <= 1.7.1049 - Missing Authorization to Unauthenticated Custom Post Type Contents Exposure

The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the getmainqueryargs function due to insufficient restrictions on which posts can be included. This makes it possib...

PT-2026-26180

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service...

Admidio has an HTMLPurifier Bypass in eCard Message Allows HTML Email Injection

Summary The eCard send handler in Admidio uses the raw $POST'ecardmessage' value instead of the HTMLPurifier-sanitized $formValues'ecardmessage' when constructing the greeting card HTML. This allows an authenticated attacker to inject arbitrary HTML and JavaScript into greeting card emails sent t...

Admidio is Missing CSRF Protection on Role Membership Date Changes

Summary The savemembership action in modules/profile/profilefunction.php saves changes to a member's role membership start and end dates but does not validate the CSRF token. The handler checks stopmembership and removeformermembership against the CSRF token but omits savemembership from that...

GHSA-WWG8-6FFR-H4Q2 Admidio is Missing CSRF Validation on Role Delete, Activate, and Deactivate Actions

Summary The delete, activate, and deactivate modes in modules/groups-roles/groupsroles.php perform destructive state changes on organizational roles but never validate an anti-CSRF token. The client-side UI passes a CSRF token to callUrlHideElement, which includes it in the POST body, but the...

EUVD-2026-12200

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9.1.9 via the submitnexform function due to missing validation on a user controlled key. This makes it possible for unauthenticated...

EUVD-2015-9413

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...

CVE-2026-4188

A security flaw has been discovered in D-Link DIR-619L 2.06B01. The affected element is the function formSchedule of the file /goform/formSchedule of the component boa. Performing a manipulation of the argument curTime results in stack-based buffer overflow. The attack may be initiated remotely...

CVE-2026-3024

Stored Cross-Site Scripting XSS vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey...

CVE-2015-20116

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...

CVE-2026-3024 Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma application web

Stored Cross-Site Scripting XSS vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey...

WordPress plugin NEX-Forms – Ultimate Forms Plugin for WordPress 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-25719

Next Click Ventures RealtyScript 4.0.2 fails to properly sanitize CSV file uploads, allowing attackers to inject malicious scripts through filename parameters in multipart form data. Attackers can upload files with XSS payloads in the filename field to execute arbitrary JavaScript in users'...