CVE-2026-8608

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capturepayment AJAX handler registered via wpajaxnoprivemcapturepayment trusting...

WWBN AVideo: Authenticated wallet credit bypass in AuthorizeNet processPayment endpoint

Summary plugin/AuthorizeNet/processPayment.json.php credits the logged-in user's wallet based only on the attacker-controlled amount POST parameter. The endpoint contains a TODO for real Authorize.Net charging, hardcodes $paymentSuccess = true, and then calls YPTWallet::addBalance without...

CVE-2026-47123 FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent user replies based on In-Reply-To / References headers. The notification reply path...

Improper Authentication

Apache HttpClient is vulnerable to Improper Authentication. The vulnerability is due to a missing verification step in SCRAM-SHA-256 authentication, which allows an attacker to bypass proper mutual authentication checks and be accepted by the client...

CVE-2026-3641

The Appmax plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 1.0.3. This is due to the plugin registering a public REST API webhook endpoint at /webhook-system without implementing webhook signature validation, secret verification, or any...

CVE-2026-32597

A missing verification step has been discovered in PyJWT. PyJWT does not validate the crit Critical Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that PyJWT does not understand, the library accepts the token instead of rejecting it. This...

WordPress plugin Guardian News Feed 跨站请求伪造漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-25921 Gogs: Cross-repository LFS object overwrite via missing content hash verification

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos leads to supply-chain attack, all LFS objects are vulnerable to be maliciously overwritten by malicious attackers. This issue has been patched in version 0.14.2...

Improper Certificate Validation

Overview niquests is a Niquests is a simple, yet elegant, HTTP library. It is a drop-in replacement for Requests, which is under feature freeze. Affected versions of this package are vulnerable to Improper Certificate Validation due to missing OCSP response signature verification against the...

Man-In-The-Middle (MITM) Attack

MQTT is vulnerable to a Man-in-the-Middle MITM attack. The vulnerability is due to missing hostname verification by default, which allows an attacker to intercept and manipulate communication between clients and servers...

CVE-2025-42910

CVE-2025-42910 affects SAP Supplier Relationship Management (SRM). The issue stems from missing verification of uploaded file type/content, allowing an authenticated attacker to upload arbitrary files (potentially executable). Successful exploitation could impact confidentiality, integrity, and a...

PT-2025-41842

Name of the Vulnerable Software and Affected Versions SAP Supplier Relationship Management affected versions not specified Description SAP Supplier Relationship Management does not properly verify the type or content of uploaded files. This allows an authenticated attacker to upload arbitrary...

RockyLinux 10 : podman (RLSA-2025:10549)

The remote RockyLinux 10 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2025:10549 advisory. podman: podman missing TLS verification CVE-2025-6032 Tenable has extracted the preceding description block directly from the RockyLinux security advisory. Note...

RLSA-2025:10550 Important: podman security update

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fixes: podman: podman missing TLS verification CVE-2025-6032 For more details about the security...

EUVD-2024-37979

Malicious code in bioql PyPI...

EUVD-2023-47153

Malicious code in bioql PyPI...

RLSA-2025:10549 Important: podman security update

The podman tool manages pods, container images, and containers. It is part of the libpod library, which is for applications that use container pods. Container pods is a concept in Kubernetes. Security Fixes: podman: podman missing TLS verification CVE-2025-6032 For more details about the security...

CVE-2025-59934 Formbricks missing JWT signature verification

Formbricks is an open source qualtrics alternative. Prior to version 4.0.1, Formbricks is missing JWT signature verification. This vulnerability stems from a token validation routine that only decodes JWTs jwt.decode without verifying their signatures. Both the email verification token login path...

CVE-2025-10457

The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching...

CVE-2024-39435

In Logmanager service, there is a possible missing verification incorrect input. This could lead to local escalation of privilege with no additional execution privileges needed...