Labstack Echo 4.8.0 - Open Redirect

Labstack Echo 4.8.0 contains an open redirect vulnerability via the Static Handler component. An attacker can leverage this vulnerability to cause server-side request forgery, making it possible to obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2022-400...

Artica Pandora FMS <=7.42 - Arbitrary File Read

Artica Pandora FMS through 7.42 is susceptible to arbitrary file read. An attacker can read the chat history, which is in JSON format and contains user names, user IDs, private messages, and timestamps. This can potentially lead to unauthorized data modification and other operations. id:...

Zoo Management System 1.0 - SQL Injection

Zoo Management System 1.0 contains a SQL injection vulnerability via the username parameter on the login page. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. id:...

WCFM Membership <= 2.10.0 - Broken Access Control

The WCFM Membership plugin for WordPress is vulnerable to unauthorized modification and access of data in versions up to, and including, 2.10.0 due to missing capability checks true the AJAX actions: wcfm-memberships, wcfm-memberships-manage, and wcfm-memberships-settings. id: CVE-2022-4940 info:...

Apache Superset <=1.3.2 - Default Login

Apache Superset through 1.3.2 contains a default login vulnerability via registered database connections for authenticated users. An attacker can obtain access to user accounts and thereby obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-44451 info:...

WordPress TS Poll < 2.4.0 - SQL Injection

WordPress TS Poll plugin 2.4.0 contains a SQL injection caused by lack of sanitization and escaping of a parameter before using it in a SQL statement, letting attackers perform SQL injection attacks, exploit requires admin privileges. id: CVE-2024-8625 info: name: WordPress TS Poll 2.4.0 - SQL...

Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this...

CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution

CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. id: CVE-2023-43177 info: name: CrushFTP 10.5.1 - Unauthenticated Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | CrushFTP prior...

WordPress Widgets for Social Photo Feed <= 1.8 - Information Disclosure

Widgets for Social Photo Feed WordPress plugin = 1.8 contains a broken access control caused by missing capability checks on specific REST API endpoints, letting unauthenticated attackers access and modify plugin settings remotely. id: CVE-2025-14726 info: name: WordPress Widgets for Social Photo...

KevinLAB BEMS 1.0 - SQL Injection

KevinLAB BEMS 1.0 contains a SQL injection vulnerability. Input passed through inputid POST parameter in /http/index.php is not properly sanitized before being returned to the user or used in SQL queries. An attacker can possibly obtain sensitive information from a database, modify data, and...

Emlog 2.1.9 - SQL Injection

emlog v2.1.9 contains a SQL injection caused by unsanitized input in the data backup/restore functionality, allowing attackers to execute arbitrary SQL commands through crafted backup files. id: CVE-2023-39121 info: name: Emlog 2.1.9 - SQL Injection author: wjch611 severity: high description: |...

CVE-2026-7792

Technical details about CVE-2026-7792 are not publicly available in the provided documents. Monitor for updates.

RHEL 10 : samba (RHSA-2026:22963)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:22963 advisory. Samba is an open-source implementation of the Server Message Block SMB protocol and the related Common Internet File System CIFS protocol,...

PT-2026-47131

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...

CVE-2026-7047 Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...

CVE-2026-7047

CVE-2026-7047 concerns the WordPress plugin Frontend User Notes up to version 2.1.1. The vulnerability is a Cross-Site Request Forgery (CSRF) stemming from missing or incorrect nonce validation in the funp_ajax_modify_notes function. This allows an unauthenticated attacker to lure a logged-in use...

CVE-2026-7047 Frontend User Notes <= 2.1.1 - Cross-Site Request Forgery to Note Content Modification via 'confirmEdit' Action

The Frontend User Notes plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.1. This is due to missing or incorrect nonce validation on the funpajaxmodifynotes function. This makes it possible for unauthenticated attackers to trick a logged-in...

CVE-2026-42497

Archive::Tar versions before 3.08 for Perl extract hardlinks to attacker controlled paths outside the extraction directory. makespecialfile passes the tar header's linkname to link without validating it against absolute paths or .. segments, creating a hardlink that shares the victim file's inode...

CVE-2026-28908

A denial of service issue was addressed by removing the vulnerable code. This issue is fixed in macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5. An app may be able to modify protected parts of the file system...

CVE-2026-31014

Dovestones Softwares AD Self Update 4.0.0.5 is vulnerable to Cross Site Request Forgery CSRF. The affected endpoint processes state-changing requests without requiring a CSRF token or equivalent protection. The endpoint accepts application/x-www-form-urlencoded requests, and an originally...