
6534 matches found

OSV
added 2026/03/05 6:37 p.m. · 4 views

GHSA-C36C-7PC2-F2PH Gokapi has Data Leak in Upload Status Stream

Description: The upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes fileid values that are not scoped to the requesting user. Impact: Any authenticated user can observe other users' file identifiers and retrieve unauthorized...

CVSS 6.4 · AI score 5.9 · EPSS 0.00133
Exploits 0 · References 4
SUSE CVE
added 2026/03/05 2:03 p.m. · 1 view

SUSE CVE-2025-40926

Plack::Middleware::Session::Simple versions before 0.05 for Perl generates session ids insecurely. The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be...

CVSS 9.8 · AI score 5.7 · EPSS 0.00433
Exploits 0 · References 3
RedhatCVE
added 2026/03/05 12:36 p.m. · 1 view

CVE-2025-11143

A flaw was found in org.eclipse.jetty. The Jetty URI parser handles invalid or unusual Uniform Resource Identifiers URIs differently compared to other common parsers. This discrepancy, known as differential parsing, can lead to security bypasses in systems that use multiple components to process...

CVSS 6.5 · AI score 5.8 · EPSS 0.00159
Exploits 0 · References 4
IBM Security Bulletins
added 2026/03/05 4:55 a.m. · 6 views

Security Bulletin: IBM Maximo Application Suite - IoT Component uses multiple third party dependencies which are vulnerable to CVEs.

Summary: IBM Maximo Application Suite - IoT Component uses "lz4-java-1.8.0.jar, werkzeug-3.1.3-py3-none-any.whl, urllib3-2.3.0-py3-none-any.whl, urllib3-2.6.0-py3-none-any.whl, urllib3-2.6.2-py3-none-any.whl, pyasn1-0.6.1.tar.gz, github.com/opencontainers/runc v1.1.13,...

CVSS 8.9 · AI score 6.9 · EPSS 0.0068
Exploits 0 · Affected Software 1
RedhatCVE
added 2026/03/05 1:57 a.m. · 5 views

CVE-2026-1651

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflowids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVSS 6.5 · AI score 6 · EPSS 0.00368
Exploits 0 · References 1
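The entry above describes an SQL injection through a comma-separated id parameter that is escaped insufficiently and not bound as a prepared-statement value. The following Go block is an added example, not the plugin's code or the advisory's: it models the vulnerable splice beside a hardened builder that validates each id as a positive integer and emits one placeholder per value. The query text, the table name and the 100-id cap are assumptions for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// unsafeWorkflowQuery is the vulnerable pattern: the raw parameter is spliced
// into the SQL text, so any non-numeric content becomes part of the statement.
// (Table and column names are assumptions for this demo.)
func unsafeWorkflowQuery(rawIDs string) string {
	return fmt.Sprintf("SELECT * FROM workflows WHERE id IN (%s)", rawIDs)
}

// buildWorkflowQuery is the hardened form: every element must parse as a
// positive integer, and the statement carries one placeholder per id so the
// driver binds the values instead of interpreting them as SQL.
func buildWorkflowQuery(rawIDs string) (string, []interface{}, error) {
	parts := strings.Split(rawIDs, ",")
	if len(parts) > 100 { // cap the list size; the limit is an assumption
		return "", nil, errors.New("workflowids: too many ids")
	}
	args := make([]interface{}, 0, len(parts))
	for _, p := range parts {
		id, err := strconv.ParseInt(strings.TrimSpace(p), 10, 64)
		if err != nil || id <= 0 {
			return "", nil, fmt.Errorf("workflowids: invalid id %q", p)
		}
		args = append(args, id)
	}
	placeholders := strings.TrimSuffix(strings.Repeat("?,", len(args)), ",")
	return "SELECT * FROM workflows WHERE id IN (" + placeholders + ")", args, nil
}

func main() {
	q, args, err := buildWorkflowQuery("3, 7, 42")
	fmt.Println(q, args, err)
	_, _, err = buildWorkflowQuery("1) OR 1=1 --")
	fmt.Println("rejected:", err)
	fmt.Println("spliced:", unsafeWorkflowQuery("1) OR 1=1 --"))
}
```

The safe builder returns the statement and the bound arguments separately; the caller passes both to `db.Query(q, args...)` so that the payload in the second call can never change the statement's shape.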
Vulnrichment
added 2026/03/05 1:41 a.m. · 4 views

CVE-2025-40931 Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come fro...

AI score 5.8 · EPSS 0.00583
Exploits 0 · References 9
Debian CVE
added 2026/03/05 1:41 a.m. · 4 views

CVE-2025-40931

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come fro...

CVSS 9.1 · AI score 5.3 · EPSS 0.00583
Exploits 0
Positive Technologies
added 2026/03/05 12:00 a.m. · 3 views

PT-2026-23581

Name of the Vulnerable Software and Affected Versions: affected versions not specified. Description: The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This results in predictable...

CVSS 7.3 · AI score 5.8 · EPSS 0.00386
Exploits 0 · References 6
Positive Technologies
added 2026/03/05 12:00 a.m. · 3 views

PT-2026-23582

Charging station authentication identifiers are publicly accessible via web-based mapping platforms...

CVSS 6.9 · AI score 5.9 · EPSS 0.00294
Exploits 0 · References 4
UbuntuCve
added 2026/03/05 12:00 a.m. · 2 views

CVE-2025-40931

Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id. Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come fro...

CVSS 9.1 · AI score 5.8 · EPSS 0.00583
Exploits 0 · References 4
Positive Technologies
added 2026/03/05 12:00 a.m. · 4 views

PT-2026-23619

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 1.2.2. Description: An issue exists in Plane that allows unauthenticated attackers to enumerate workspace members and extract sensitive information, including email addresses, user roles, and internal identifiers. This is...

CVSS 7.5 · AI score 5.8 · EPSS 0.00377
Exploits 0 · References 7
Positive Technologies
added 2026/03/05 12:00 a.m. · 5 views

PT-2026-23435

Name of the Vulnerable Software and Affected Versions: Jetty, affected versions not specified. Description: The Jetty URI parser exhibits differences in how it evaluates invalid or unusual URIs compared to other common parsers. This differential parsing of URIs, particularly in systems with multiple...

CVSS 6.5 · AI score 5.8 · EPSS 0.02164
Exploits 0 · References 76
CNNVD
added 2026/03/05 12:00 a.m. · 4 views

Plack::Middleware::Session::Simple security vulnerability

Plack::Middleware::Session::Simple is a lightweight session management middleware developed by Masahiro Nagano. Versions of Plack::Middleware::Session::Simple prior to 0.04 contained security vulnerabilities, which stemmed from the use of insecure random number generators for generating session...

CVSS 9.8 · AI score 5.8 · EPSS 0.00433
Exploits 0 · References 6
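The Plack::Middleware::Session::Simple and Apache::Session::Generate::MD5 entries above describe the same weakness: a session id that is a digest over the epoch time, a `rand` output and the PID. Hashing adds no unpredictability, so the id is only as hard to guess as the product of those three input ranges. The Go block below is an added example, not code from either Perl module: it models that scheme, brute-forces a constructed victim id from a known time window and a small PID set, and contrasts it with an id drawn from the OS CSPRNG. The PRNG width is shrunk to 16 bits so the search finishes in well under a second; real `rand` output is wider, but the structure of the attack, and the fact that the hash contributes nothing, is the same.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"math"
	"strconv"
)

// weakSessionID models the advisories' scheme: a digest over epoch time, a PRNG
// output and the PID. The exact concatenation is an assumption for the demo;
// the point is that the digest is a deterministic function of guessable inputs.
func weakSessionID(epoch int64, r uint32, pid int) string {
	sum := md5.Sum([]byte(strconv.FormatInt(epoch, 10) +
		strconv.FormatUint(uint64(r), 10) + strconv.Itoa(pid)))
	return hex.EncodeToString(sum[:])
}

// recoverWeakSessionID enumerates the attacker's candidate space: a window of
// seconds around the login time, the PIDs a worker pool is known to use, and
// every PRNG output of the modelled width (randBits must be below 32).
func recoverWeakSessionID(target string, epochFrom, epochTo int64, pids []int,
	randBits uint) (epoch int64, r uint32, pid int, ok bool) {
	for t := epochFrom; t <= epochTo; t++ {
		for _, p := range pids {
			for x := uint32(0); x < 1<<randBits; x++ {
				if weakSessionID(t, x, p) == target {
					return t, x, p, true
				}
			}
		}
	}
	return 0, 0, 0, false
}

// searchSpaceBits is log2 of the number of candidates an attacker must try.
func searchSpaceBits(windowSeconds, pidCount int, randBits uint) float64 {
	return math.Log2(float64(windowSeconds)*float64(pidCount)) + float64(randBits)
}

// strongSessionID draws 256 bits from the OS CSPRNG; knowing the time and PID
// tells the attacker nothing about it.
func strongSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

func main() {
	// Constructed victim session: issued at 1700000000 by PID 4321 with rand 12345.
	target := weakSessionID(1700000000, 12345, 4321)
	ep, r, p, ok := recoverWeakSessionID(target, 1699999998, 1700000002,
		[]int{4320, 4321, 4322, 4323}, 16)
	fmt.Printf("recovered=%v epoch=%d rand=%d pid=%d (search space 2^%.1f)\n",
		ok, ep, r, p, searchSpaceBits(5, 4, 16))
	s, _ := strongSessionID()
	fmt.Println("CSPRNG id:", s, "(search space 2^256)")
}
```

The fix in both Perl modules is the same one shown by `strongSessionID`: take the id directly from a cryptographic random source rather than hashing values the attacker can narrow down.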
Positive Technologies
added 2026/03/05 12:00 a.m. · 3 views

PT-2026-23602

Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3. Description: Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. The upload status Server-Sent Events SSE implementation on the /uploadStatus API endpoint publishes globa...

CVSS 9.9 · AI score 6 · EPSS 0.22162
Exploits 68 · References 138
EUVD
added 2026/03/04 8:52 p.m. · 1 view

EUVD-2026-9452

Craft CMS has unauthenticated activation email trigger with potential user enumeration...

CVSS 6.9 · AI score 5.9 · EPSS 0.00273
Exploits 0 · References 3
NVD
added 2026/03/04 5:16 p.m. · 2 views

CVE-2026-29069

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

CVSS 6.9 · EPSS 0.00273
Exploits 0 · References 2
NVD
added 2026/03/04 5:16 p.m. · 6 views

CVE-2026-28782

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is...

CVSS 5.3 · EPSS 0.00234
Exploits 1 · References 2
OSV
added 2026/03/04 4:57 p.m. · 1 view

CVE-2026-29069 Craft has an unauthenticated activation email trigger with potential user enumeration

Craft is a content management system CMS. Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

CVSS 6.9 · AI score 5.9 · EPSS 0.00273
Exploits 0 · References 4
CVE
added 2026/03/04 4:36 p.m. · 13 views

CVE-2026-28782

CVE-2026-28782 affects Craft CMS prior to 5.9.0-beta.1 and 4.17.0-beta.1, allowing a user with only View Entries permission to bypass UI restrictions and duplicate other users’ entries by sending direct requests. The flaw is an improper permission check in the Duplicate action, enabling IDOR via ...

CVSS 5.3 · AI score 6 · EPSS 0.00234
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2026/03/04 4:36 p.m. · 27 views

CVE-2026-28782 Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is...

CVSS 5.3 · EPSS 0.00234
Exploits 1 · References 2