17887 matches found
EUVD-2026-43152
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
CVE-2026-10865 Cost Calculator Builder <= 4.0.11 - Unauthenticated Sensitive Information Exposure of Payment Gateway Secret Keys
The Cost Calculator Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.11 via the template body. This makes it possible for unauthenticated attackers to extract the plaintext Stripe secret key, Razorpay secret key, and PayPal...
Spring Cloud Gateway Code Injection
Applications using Spring Cloud Gateway prior to 3.1.1+ and 3.0.7+ are vulnerable to a code injection attack when the Gateway Actuator endpoint is enabled, exposed and unsecured. A remote attacker could make a maliciously crafted request that could allow arbitrary remote execution on the remote...
Citrix NetScaler ADC and NetScaler Gateway - Remote Code Execution
critical unauthenticated remote code execution RCE vulnerability affecting Citrix ADC NetScaler ADC and Citrix Gateway appliances configured as a Gateway VPN virtual server, ICA Proxy, CVPN, RDP Proxy or AAA virtual server. Exploitation can lead to arbitrary code execution. id: CVE-2023-3519 info...
CVE-2026-11990
The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
CVE-2026-11990
The CVE-2026-11990 entry affects the KiviCare – Clinic & Patient Management System (EHR) WordPress plugin, specifically versions up to and including 4.4.0. The root issue is missing authorization checks for actions, allowing unauthenticated attackers to mark arbitrary pending appointments as Conf...
EUVD-2026-42864
The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
CVE-2026-11990
The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
CVE-2026-44342
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the email and WeChat account binding endpoints GET /api/oauth/email/bind and GET /api/oauth/wechat/bind used GET requests for state-changing account operations, allowing a...
CVE-2026-33655
New API is a large language mode LLM gateway and artificial intelligence AI asset management system. Prior to 0.12.0-alpha.1, the default SSRF protection configuration did not apply IP filtering to hostnames; with ApplyIPFilterForDomain disabled by default, URL validation checked domain allow/blo...
CVE-2026-33801
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon RPD of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker sending a specific BGP update over an established BGP session to cause a Denial-of-Service DoS...
CVE-2026-33801
CVE-2026-33801 affects Juniper Networks Junos OS and Junos OS Evolved. An adjacent, unauthenticated attacker can trigger a Denial-of-Service by sending a specifically malformed non-inet/inet6 unicast BGP update over an established BGP session, causing the Routing Protocol Daemon (RPD) to crash an...
EUVD-2026-42702
An Improper Check for Unusual or Exceptional Conditions vulnerability in the routing protocol daemon RPD of Juniper Networks Junos OS and Junos OS Evolved allows an adjacent, unauthenticated attacker sending a specific BGP update over an established BGP session to cause a Denial-of-Service DoS...
CVE-2026-0279
Multiple cross site scripting vulnerabilities in the User-ID™ Authentication Portal aka Captive Portal service, GlobalProtect™ gateway/portal features and Clientless VPN of Palo Alto Networks PAN-OS® software enables a malicious unauthenticated user to store or execute malicious JavaScript payloa...
CVE-2026-9027
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to Payment Bypass via Improper Verification of Cryptographic Signature in all versions up to, and including, 2.7.4. The corvuspaysuccesshandler function registers the REST endpoint POST /wp-json/corvuspay/success/ with...
CVE-2026-9028 CorvusPay WooCommerce Payment Gateway <= 2.7.4 - Missing Authorization to Unauthenticated Arbitrary Order Cancellation via 'order_number' Parameter
The CorvusPay WooCommerce Payment Gateway plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.7.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers t...
Injection
Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Injection in the MQTT SUBSCRIBE handling, which forwards protocol control characters from...
CVE-2026-59822 LiteLLM: MCP Authentication Bypass via OAuth2 Passthrough Fallback
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key...
CVE-2026-59822 LiteLLM: MCP Authentication Bypass via OAuth2 Passthrough Fallback
LiteLLM is a proxy server AI Gateway to call LLM APIs in OpenAI or native format. Prior to 1.84.0, LiteLLM's MCP Streamable HTTP endpoint allowed an unauthenticated attacker to use a fabricated Authorization header to trigger an OAuth2 passthrough fallback path that replaced failed LiteLLM key...
CVE-2026-59897
Hono is a Web application framework that provides support for any JavaScript runtime. From 4.3.3 before 4.12.27, the AWS API Gateway v1 adapter can drop a distinct repeated request header value because it de-duplicates values using a substring comparison instead of an exact match, so middleware o...