CVE-2026-25230 FileRise affected by HTML Injection using color property in file tags

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is...

Security Bulletin: Privileged User File Upload Vulnerability Leading to Limited Server-Side Execution affects watsonx.data

Summary Malicious File Upload by Privileged Users in IBM Lakehouse May Allow Limited File or Data Modification. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-36183 DESCRIPTION: IBM Lakehouse could allow a privileged user to upload malicious files that could be executed server...

PT-2026-7196

Name of the Vulnerable Software and Affected Versions WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress versions up to and including 6.7.24 Description The software contains a flaw that allows unauthorized modification of data,...

PT-2026-7133

FileRise is a self-hosted web file manager / WebDAV server. Prior to 3.3.0, an HTML Injection vulnerability allows an authenticated user to modify the DOM and add e.g. form elements that call certain endpoints or link elements that redirect the user on active interaction. This vulnerability is...

CVE-2025-15476

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2025-15476

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2025-15476 The Bucketlister <= 0.1.5 - Missing Authorization to Authenticated (Subscriber+) Bucket List Modification

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

EUVD-2025-206893

The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlisterdoadminajax function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2020-37147 ATutor 2.2.4 - 'id' SQL Injection

ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the 'id' parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the 'id' parameter of the admindelete.php...

CVE-2026-25593

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerabilit...

CVE-2026-25593

OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerabilit...

CVE-2026-25752 FUXA Unauthenticated Remote Arbitrary Device Tag Write

FUXA is a web-based Process Visualization SCADA/HMI/Dashboard software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the PutContents function accessible via the /repos/:owner/:repo/contents/ endpoint. A user with read permissions can modify repository contents via git push. Remediation Upgrade gogs.io/gogs/internal/osutil to...

CVE-2026-2062 Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference

A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwcs5chandlemodifybearerresponse/sgwcsxahandlesessionmodificationresponse of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The explo...

CVE-2026-2062 Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference

A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwcs5chandlemodifybearerresponse/sgwcsxahandlesessionmodificationresponse of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The explo...

CVE-2026-2062

Open5GS up to 2.7.6 is affected by CVE-2026-2062 in the PGW S5U Address Handler, specifically the sgwc_s5c_handle_modify_bearer_response and sgwc_sxa_handle_session_modification_response functions. The issue is a null pointer dereference that can be triggered remotely. Public exploit details exis...

SQL Injection

Overview devcode-it/openstamanager is a management software for technical assistance and electronic invoicing Affected versions of this package are vulnerable to SQL Injection via the ajaxselect.php page when handling the componenti operation. An attacker can access, extract, or modify database...

CVE-2019-25298

html5snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through RouterID and RouterIP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by...

CVE-2019-25300

thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information...

CVE-2025-13379

IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database...