
4189 matches found

CNNVD
added 2026/02/19 12:0 a.m. | 7 views

WordPress plugin Endless Posts Navigation security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

5.3 CVSS | 5.8 AI score | 0.00272 EPSS
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/19 12:0 a.m. | 4 views

PT-2026-20700

Missing Authorization vulnerability in Fahad Mahmood Endless Posts Navigation endless-posts-navigation allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Endless Posts Navigation: from n/a through <= 2.2.9...

5.5 AI score | 0.00272 EPSS
Exploits: 0 | References: 1

NVD
added 2026/02/18 10:16 p.m. | 4 views

CVE-2019-25352

Crystal Live HTTP Server 6.01 contains a directory traversal vulnerability that allows remote attackers to access system files by manipulating URL path segments. Attackers can use multiple '../' sequences to navigate outside the web root and retrieve sensitive configuration files like Windows...

8.7 CVSS | 0.00765 EPSS
Exploits: 0 | References: 4

Veracode
added 2026/02/16 11:32 a.m. | 9 views

Command Injection

@signalk/set-system-time is vulnerable to command injection. The vulnerability is due to unsafe construction of shell commands while processing navigation.datetime values via WebSocket delta messages, which allows an attacker with write access or unauthenticated access when security is disabled ...

9.9 CVSS | 6.1 AI score | 0.04163 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/02/12 8:42 p.m. | 12 views

CVE-2026-26011

In NAVIGATION2 (ROS 2 Navigation Framework) version 1.3.11 and earlier, a critical heap out-of-bounds write in Nav2 AMCL’s particle filter clustering can be triggered by publishing a crafted geometry_msgs/PoseWithCovarianceStamped to /initialpose, causing a negative index write into heap memory a...

9.8 CVSS | 5.7 AI score | 0.00517 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/02/12 8:42 p.m. | 3 views

CVE-2026-26011

navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to...

9.3 CVSS | 5.7 AI score | 0.00517 EPSS
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/02/12 8:42 p.m. | 7 views

CVE-2026-26011 Critical Heap Out-of-bounds Access in `pf_cluster_stats()` via Malicious /initialpose Covariance -- Potential Remote Code Execution

navigation2 is a ROS 2 Navigation Framework and System. In 1.3.11 and earlier, a critical heap out-of-bounds write vulnerability exists in Nav2 AMCL's particle filter clustering logic. By publishing a single crafted geometry_msgs/PoseWithCovarianceStamped message with extreme covariance values to...

9.3 CVSS | 5.8 AI score | 0.00517 EPSS
Exploits: 1 | References: 5

CVE
added 2026/02/12 5:46 p.m. | 11 views

CVE-2025-54519

A DLL hijacking vulnerability (root cause: uncontrolled search paths) in Doc Nav (Documentation Navigator) related to Vivado 2024.2 installations could allow a local attacker to achieve privilege escalation and potentially arbitrary code execution. Affected component: Documentation Navigator. Exp...

7.3 CVSS | 6 AI score | 0.00121 EPSS
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/12 12:0 a.m. | 6 views

PT-2026-7903

Name of the Vulnerable Software and Affected Versions: navigation2 versions prior to 1.3.11. Description: navigation2 is a ROS 2 Navigation Framework and System. A heap out-of-bounds write issue exists in Nav2 AMCL’s particle filter clustering logic. An unauthenticated attacker on the same ROS 2 DDS...

9.3 CVSS | 5.7 AI score | 0.00517 EPSS
Exploits: 1 | References: 8

Schneier on Security
added 2026/02/11 12:3 p.m. | 7 views

Prompt Injection Via Road Signs

Interesting research: "CHAI: Command Hijacking Against Embodied AI." Abstract: Embodied Artificial Intelligence (AI) promises to handle edge cases in robotic vehicle systems where data is scarce by using common-sense reasoning grounded in perception and action to generalize beyond training...

5.6 AI score
Exploits: 0

Patchstack
added 2026/02/11 9:4 a.m. | 6 views

WordPress Master Addons plugin <= 2.0.6.1 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget vulnerability

Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Navigation Menu Widget vulnerability discovered by Webbernaut in WordPress Plugin Master Addons for Elementor versions <= 2.0.6.1...

7.2 CVSS | 5.5 AI score | 0.00307 EPSS
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2026/02/11 12:0 a.m. | 2 views

PT-2026-31521

Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 147.0.7727.55. Description: A security flaw exists within the iFrameSandbox component of the Google Chrome browser, impacting data protection mechanisms. Successful exploitation could allow a remote attacker to...

9.6 CVSS | 5.8 AI score | 0.00608 EPSS
Exploits: 0 | References: 65

Patchstack
added 2026/02/07 7:28 a.m. | 5 views

WordPress Endless Posts Navigation plugin <= 2.2.9 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Endless Posts Navigation versions <= 2.2.9...

5.3 CVSS | 5.4 AI score | 0.00272 EPSS
Exploits: 0 | Affected Software: 1

Packet Storm News
added 2026/02/05 12:0 a.m. | 3 views

GNSS SpAmming: A Spoofing-Based GNSS Denial-Of-Service Attack

GNSSs are vulnerable to attacks of two kinds: jamming (i.e. denying access to the signal) and spoofing (i.e. impersonating a legitimate satellite). These attacks have been extensively studied, and we have a myriad of countermeasures to mitigate them. In this paper we expose a new type of attack:...

5.6 AI score
Exploits: 0

RedhatCVE
added 2026/02/03 9:19 p.m. | 5 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

9.9 CVSS | 5.9 AI score | 0.04163 EPSS
Exploits: 1 | References: 1

Positive Technologies
added 2026/02/03 12:0 a.m. | 8 views

PT-2026-5921

Name of the Vulnerable Software and Affected Versions: Brocade Fabric OS versions prior to 9.2.1c2; Brocade Fabric OS versions 9.2.2 through 9.2.2a. Description: A flaw exists within Brocade Fabric OS that may allow an authenticated attacker possessing administrative privileges to manipulate path...

4.6 CVSS | 5.5 AI score | 0.00179 EPSS
Exploits: 0 | References: 4

NVD
added 2026/02/02 11:16 p.m. | 5 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

9.9 CVSS | 0.04163 EPSS
Exploits: 1 | References: 2

ATTACKERKB
added 2026/02/02 8:43 p.m. | 6 views

CVE-2026-23515

Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated...

9.9 CVSS | 5.9 AI score | 0.04163 EPSS
Exploits: 1 | References: 3 | Affected Software: 1

Snyk
added 2026/02/02 6:10 p.m. | 5 views

Command Injection

Overview: @signalk/set-system-time is a Signal K server plugin to set system date & time on Signal K data, usually from a GPS. Affected versions of this package are vulnerable to Command Injection via the stream.onValue function. An attacker can execute arbitrary shell commands on the server by...

9.9 CVSS | 6 AI score | 0.04163 EPSS
Exploits: 1 | References: 2

Github Security Blog
added 2026/02/02 6:10 p.m. | 9 views

Signal K set-system-time plugin vulnerable to RCE - Command Injection

Summary: A Command Injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K...

9.9 CVSS | 6.4 AI score | 0.04163 EPSS
Exploits: 1 | References: 4 | Affected Software: 1