
216 matches found

RedhatCVE
added yesterday, 2 views

CVE-2026-4135

During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to perform an arbitrary file write with elevated privileges...

CVSS 6.6, AI score 5.6, EPSS 0.00017
Exploits: 0, References: 1

RedhatCVE
added yesterday, 2 views

CVE-2026-4134

During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges...

CVSS 7.3, AI score 5.7, EPSS 0.00016
Exploits: 0, References: 1

RedhatCVE
added yesterday, 2 views

CVE-2026-39394

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...

CVSS 9.8, AI score 5.7, EPSS 0.00032
Exploits: 1, References: 1

OSV
added yesterday, 2 views

OESA-2026-2544 python-pip security update

%changelog Thu May 14 2026 markeryang [email protected] - 23.3.1-11 - Fix CVE-2026-3219 Security Fixes: When following cross-origin redirects for requests made using urllib3's high-level APIs, such as urllib3.request, PoolManager.request, and ProxyManager.request, sensitive headers — Authorization...

CVSS 8.2, AI score 5.8, EPSS 0.00022
Exploits: 0, References: 3

CNNVD
added 2026/05/29 12:0 a.m., 5 views

Canon CUPS Printer Driver security vulnerability

The Canon CUPS Printer Driver is a printer driver suite developed by the Japanese company Canon. Versions of the Canon CUPS Printer Driver 16.91.0.0 and earlier contained security vulnerabilities. These vulnerabilities were due to improper handling of symbolic links in the installation process,...

CVSS 5.1, AI score 5.8, EPSS 0.00012
Exploits: 0, References: 4

RedhatCVE
added 2026/05/27 8:13 p.m., 8 views

CVE-2026-44444

Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the Spindle extension build pipeline calls bun install without the --ignore-scripts flag before running the static backend safety scan assertSafeBackendBundle. A malicious extension that ships a package.json with a preinstall,...

CVSS 9.1, AI score 6.2, EPSS 0.00095
Exploits: 0, References: 1

Tenable Nessus
added 2026/05/20 12:0 a.m., 3 views

Amazon Linux 2023 : python3.13-pip, python3.13-pip-wheel (ALAS2023-2026-1654)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1654 advisory. pip prior to version 26.1 would run self-update check functionality after installing wheel files which required importing well-known Python modules names. These module imports were intentionally deferr...

CVSS 5.3, AI score 5.8, EPSS 0.00017
Exploits: 0, References: 4

CVE
added 2026/05/04 1:11 p.m., 7 views

CVE-2025-58074

This CVE concerns Norton Secure VPN installation via the Microsoft Store. A privilege-escalation exists when installing Norton Secure VPN, where an unprivileged user can influence the installation by manipulating a writable 7z payload in C:\ProgramData\NortonInstaller\Settings before setup runs. ...

CVSS 8.8, AI score 5.9, EPSS 0.00015
Exploits: 0, References: 3

CNNVD
added 2026/04/23 12:0 a.m., 6 views

Froxlor link following vulnerability

Froxlor is a set of lightweight server management software developed by the Froxlor team. Versions of Froxlor prior to 2.3.6 had a post-installation link vulnerability. This vulnerability stemmed from the DataDump.add function not passing the $fixedhomedir parameter when constructing the export...

CVSS 7.5, AI score 5.8, EPSS 0.00087
Exploits: 1, References: 1

CNNVD
added 2026/04/22 12:0 a.m., 6 views

uutils coreutils link following vulnerability

uutils coreutils is a cross-platform core command-line toolset developed by Uutils Open Source. uutils coreutils has a post-installation link vulnerability. This vulnerability stems from the rm utility allowing bypass of the --preserve-root protection. Instead of using device and inode numbers fo...

CVSS 7.7, AI score 5.8, EPSS 0.00016
Exploits: 0, References: 1

CVE
added 2026/04/15 12:28 p.m., 4 views

CVE-2026-4134

CVE-2026-4134 involves a potential privilege-escalation in Lenovo Software Fix. The available details indicate that during installation, a local authenticated user could execute code with elevated privileges. The CVSS scores from the referenced LENOVO sources show high impact for confidentiality,...

CVSS 7.3, AI score 5.9, EPSS 0.00016
Exploits: 0, References: 1

CNNVD
added 2026/03/11 12:0 a.m., 3 views

Microsoft DirectX End-User Runtime Web Installer security vulnerability

Microsoft DirectX End-User Runtime Web Installer is a component installation tool provided by the American company Microsoft. The version 9.29.1974.0 of Microsoft DirectX End-User Runtime Web Installer contains a security vulnerability. This vulnerability arises from the possibility for...

CVSS 8.8, AI score 5.8, EPSS 0.00016
Exploits: 0, References: 2

Patchstack
added 2026/03/06 8:36 a.m., 1 view

WordPress WowOptin: Next-Gen Popup Maker - Create Stunning Popups and Optins for Lead Generation plugin <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Installation vulnerability

WordPress WowOptin: Next-Gen Popup Maker - Create Stunning Popups and Optins for Lead Generation plugin <= 1.4.24 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Installation vulnerability discovered by WordFence in WordPress Plugin WowOptin versions <= 1.4.24...

CVSS 8.8, AI score 5.8, EPSS 0.00055
Exploits: 0, References: 1, Affected Software: 1

Cvelist
added 2026/02/24 2:31 a.m., 17 views

CVE-2026-3091

An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files and conduct denial-of-service during installation by placing a malicious DLL in advance in the same directory as the installer...

CVSS 6.7, EPSS 0.00006
Exploits: 0, References: 1

CNNVD
added 2026/02/12 12:0 a.m., 2 views

Intego Personal Backup link following vulnerability

Intego Personal Backup is a backup tool developed by the Intego company. Intego Personal Backup has a post-installation vulnerability that stems from the fact that backup task definitions are stored in a location that can be written to by non-privileged users. However, these tasks are processed...

CVSS 8.5, AI score 6.8, EPSS 0.0001
Exploits: 0, References: 5

OSV
added 2026/02/02 11:16 p.m., 3 views

CVE-2025-70958

Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allow attackers to execute arbitrary JavaScript in the context of the user's browser by injecting a crafted payload into the dbuser, dbpwd, and dbname parameters...

CVSS 6.1, AI score 5.5
Exploits: 0, References: 1

GithubExploit
added 2026/01/31 11:9 p.m., 180 views

Exploit for Deserialization of Untrusted Data in E107

CVE-2025-61505 Insecure Deserialization in e107 CMS install.ph...

CVSS 6.5, AI score 5.9, EPSS 0.00552
Exploits: 1

RedhatCVE
added 2026/01/09 9:7 a.m., 4 views

CVE-2020-7807

A vulnerability that can hijack a DLL file that is loaded during productsLGPCSuiteSetup, IPSFULLHD, LGULTRAWIDE, ULTRAHDDriver Setup installation into a DLL file that the hacker wants. Missing Support for Integrity Check vulnerability in COMPONENT of LG Electronics LGPCSuiteSetup, IPSFULLHD,...

CVSS 5.6, AI score 6.9, EPSS 0.00025
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 9:0 a.m., 2 views

CVE-2023-29080

Potential privilege escalation vulnerability in Revenera InstallShield versions 2022 R2 and 2021 R2 due to adding InstallScript custom action to a Basic MSI or InstallScript MSI project extracting few binaries to a predefined writable folder during installation time. The standard user account has...

CVSS 8.5, AI score 7.5, EPSS 0.00046
Exploits: 0, References: 1

Vulnrichment
added 2025/12/17 7:3 p.m., 5 views

CVE-2025-62521 ChurchCRM has unauthenticated RCE in its Install Wizard

ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

CVSS 10, AI score 7.9, EPSS 0.53905
Exploits: 3, References: 1