Lucene search
53 matches found

Nuclei
added yesterday, 9 views

OpenAM <= 16.0.5 - Pre-Auth RCE via jato.clientSession Deserialization

Open Access Management (OpenAM) is an access management solution. Prior to 16.0.6, OpenIdentityPlatform OpenAM is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the jato.clientSession HTTP parameter. This bypasses the WhitelistObjectInputStream...

CVSS 10, AI score 8.3, EPSS 0.94386
Exploits 10, References 2
EUVD
added 2026/05/29 4:11 p.m., 6 views

EUVD-2026-33354

Dokploy is a free, self-hostable Platform as a Service (PaaS). In 0.26.7 and earlier, the schedule router does not enforce organization/role checks. As a result, any authenticated user can create, update, run, or delete schedules belonging to other organizations if they know the scheduleId/serverId...

CVSS 9.9, AI score 6, EPSS 0.00049
Exploits 0, References 1
CVE
added 2026/05/14 12:30 p.m., 7 views

CVE-2026-5790

CVE-2026-5790 describes a stored XSS in Stel Order (v3.25.1 and earlier) at the /app/FrontController endpoint, exploitable via the legalName and employeeID parameters. Lack of input sanitization allows injection that is persisted in the database and executed in other users’ browsers, enabling the...

CVSS 5.1, AI score 5.8, EPSS 0.00062
Exploits 0, References 1
CNNVD
added 2026/05/11 12:00 a.m., 4 views

jq Input Validation Error Vulnerability

jq is a lightweight and flexible command-line JSON processor developed by jqlang. jq versions 1.8.1 and earlier have a vulnerability related to input validation errors. This vulnerability arises when decNumberFromString receives an integer with exactly INT_MAX-1 digits. During signed integer...

CVSS 6.2, AI score 6, EPSS 0.00014
Exploits 1, References 1
RedhatCVE
added 2026/04/29 2:49 p.m., 3 views

CVE-2026-39706

Missing Authorization vulnerability in Netro Systems Make My Trivia (trivialy) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Make My Trivia: from n/a through <= 1.1.0...

CVSS 5.3, AI score 5.1, EPSS 0.0004
Exploits 0, References 1
Cvelist
added 2026/04/15 7:34 p.m., 18 views

CVE-2026-35569 ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts includin...

CVSS 8.7, EPSS 0.00037
Exploits 1, References 3
Tenable Nessus
added 2026/04/07 12:00 a.m., 3 views

Mozilla Firefox ESR < 115.34.1

The version of Firefox ESR installed on the remote Windows host is prior to 115.34.1. It is, therefore, affected by a vulnerability as referenced in the mfsa2026-26 advisory. - Memory safety bugs present in Firefox ESR 115.34.0, Firefox ESR 140.9.0, Thunderbird ESR 140.9.0, Firefox 149.0.1 and...

CVSS 9.8, AI score 6, EPSS 0.00071
Exploits 0, References 2
Github Security Blog
added 2026/03/17 5:07 p.m., 4 views

Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw()

Impact: This is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer. Any Cockpit CMS instance running version 2.13.4 or earlier with API access enabled is potentially affected. Who is impacted: - Any deployment where the /api/content/aggregate/model endpoint is publicly accessible...

CVSS 7.7, AI score 6, EPSS 0.00013
Exploits 0, References 4, Affected Software 1
Tenable Nessus
added 2026/02/19 12:00 a.m., 4 views

Amazon Linux 2 : openssl-snapsafe, --advisory ALAS2OPENSSL-SNAPSAFE-2026-009 (ALASOPENSSL-SNAPSAFE-2026-009)

The version of openssl-snapsafe installed on the remote host is prior to 1.0.2k-24. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2OPENSSL-SNAPSAFE-2026-009 advisory. Writing large, newline-free data into a BIO chain using the line-buffering filter where the next...

CVSS 7.5, AI score 5.8, EPSS 0.01131
Exploits 1, References 10
CNNVD
added 2026/02/04 12:00 a.m., 3 views

Drupal AT Internet SmartTag Security Vulnerability

Drupal AT Internet SmartTag is a data analysis integration module developed by the Drupal company. Versions of Drupal AT Internet SmartTag prior to 1.0.1 contained security vulnerabilities caused by improper neutralization of input during web page generation. These vulnerabilities could lead to...

CVSS 6.1, AI score 5.6, EPSS 0.00055
Exploits 0, References 1
Tenable Nessus
added 2026/01/21 12:00 a.m., 6 views

Amazon Linux 2 : ImageMagick, --advisory ALAS2-2026-3123 (ALAS-2026-3123)

The version of ImageMagick installed on the remote host is prior to 6.9.10.97-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2026-3123 advisory. ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to version...

CVSS 7.5, AI score 6.1, EPSS 0.0009
Exploits 3, References 10
EUVD
added 2026/01/08 1:08 a.m., 4 views

EUVD-2026-1668

Kanboard is project management software focused on the Kanban methodology. Versions 1.2.48 and below are vulnerable to a critical authentication bypass when REVERSE_PROXY_AUTH is enabled. The application blindly trusts HTTP headers for user authentication without verifying the request originated from a...

CVSS 9.1, AI score 6.5, EPSS 0.00285
Exploits 2, References 3
Patchstack
added 2025/12/31 12:00 a.m., 3 views

WordPress Booking Calendar and Notification plugin <= 4.0.3 - Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability

Missing Authorization via wpcb_all_bookings, wpcb_update_booking_post, and wpcb_delete_posts Functions vulnerability discovered by WordFence in WordPress Plugin Booking Calendar and Notification versions <= 4.0.3...

CVSS 6.5, AI score 8.4, EPSS 0.00196
Exploits 0, References 1, Affected Software 1
OSV
added 2025/12/30 11:15 p.m., 2 views

CVE-2025-15112

Ksenia Security lares legacy model version 1.6 contains a URL redirection vulnerability in the 'cmdOk.xml' script that allows attackers to manipulate the 'redirectPage' GET parameter. Attackers can craft malicious links that redirect authenticated users to arbitrary websites when clicking on a...

CVSS 5.1, AI score 5.9
Exploits 0, References 4
RedhatCVE
added 2025/12/19 7:33 a.m., 1 view

CVE-2025-58709

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Legacy (legacy) allows PHP Local File Inclusion. This issue affects Legacy: from n/a through <= 1.9...

CVSS 8.1, AI score 7.1, EPSS 0.0011
Exploits 0, References 1
Tenable Nessus
added 2025/12/18 12:00 a.m., 1 view

Mozilla Thunderbird < 17.0.7

The version of Thunderbird installed on the remote macOS or Mac OS X host is prior to 17.0.7. It is, therefore, affected by a vulnerability as referenced in the mfsa2013-54 advisory. - Do not send data in XHR HEAD request (CVE-2013-1692). Note that Nessus has not tested for this issue but...

CVSS 4.3, AI score 8.3, EPSS 0.01015
Exploits 0, References 2
Vulnrichment
added 2025/12/09 2:52 p.m., 2 views

CVE-2025-62993 WordPress Notification for Telegram plugin <= 3.5.1 - Broken Access Control vulnerability

Missing Authorization vulnerability in rainafarai Notification for Telegram (notification-for-telegram) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Notification for Telegram: from n/a through <= 3.5.1...

CVSS 4.3, AI score 5.1, EPSS 0.00041
Exploits 0, References 1
OSSF Malicious Packages
added 2025/11/22 10:03 a.m., 12 views

Malicious code in airbnb-react-router-legacy-v3 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 64d31fa6c9b6cd0a9e87216ce93110698b49f1fede30d3f090902284a5153613 The package airbnb-react-router-legacy-v3 was found to contain malicious code. Source: ossf-package-analysis...

AI score 6.9
Exploits 0
CBLMariner
added 2025/09/20 3:07 p.m., 2 views

CVE-2025-58060 affecting package cups for versions less than 2.4.13-1

CVE-2025-58060 affecting package cups for versions less than 2.4.13-1. An upgraded version of the package is available that resolves this issue...

CVSS 8, AI score 6.9, EPSS 0.00054
Exploits 1
Tenable Nessus
added 2025/08/12 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2025-53537

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LibHTP is a security-aware parser for the HTTP protocol and its related bits and pieces. In versions 0.5.50 and below, there is a traffic-induced memory leak th...

CVSS 7.5, AI score 5.8, EPSS 0.00634
Exploits 0, References 2