CVE-2026-39511

Unauthenticated SQL Injection in WP Photo Album Plus = 9.1.08.001 versions...

Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by a prototype pollution vulnerability due to immutable (CVE-2026-29063)

Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty was affected by prototype pollution vulnerability due to immutable CVE-2026-29063. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability...

Astra Linux - уязвимость в linux, linux-5.15, linux-5.10

In the Linux kernel, the following vulnerabilities have been resolved: ALSA: hda: Fixed an error related to surround channel names in version 9.1. The getlineoutpfx function may trigger an error due to overflowing a static array with more than 8 channels. This issue was reported on MacBookPro 12....

CVE-2026-5340 Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fancy-img-show shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...

CVE-2022-50958

WordPress Plugin Jetpack 9.1 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the postid parameter. Attackers can craft URLs to the grunion-form-view.php endpoint with script payloads in the postid parameter ...

Security Bulletin: IBM Maximo Application Suite - Monitor Component uses dompurify-3.2.7.tgz, dompurify-3.3.0.tgz, dompurify-3.3.1.tgz which is vulnerable to CVE-2026-0540.

Summary IBM Maximo Application Suite - Monitor Component uses dompurify-3.2.7.tgz, dompurify-3.3.0.tgz, dompurify-3.3.1.tgz which is vulnerable to CVE-2026-0540. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-0540 DESCRIPTION: DOMPurify 3.1.3...

CVE-2024-8354 affecting package qemu for versions less than 9.1.0-3

CVE-2024-8354 affecting package qemu for versions less than 9.1.0-3. A patched version of the package is available...

EUVD-2026-20001

IBM Verify Identity Access Container 11.0 through 11.0.2 and IBM Security Verify Access Container 10.0 through 10.0.9.1 and IBM Verify Identity Access 11.0 through 11.0.2 and IBM Security Verify Access 10.0 through 10.0.9.1 could allow a locally authenticated user to escalate their privileges to...

CVE-2019-25669

qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the searchbyextrafields parameter. Attackers can send POST requests to the users endpoint with malicious searchbyextrafields values to trigger SQL syntax errors and...

CVE-2026-34400

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

CVE-2026-34400

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API

Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...

Security Bulletin: IBM Edge Data Collector uses time-0.3.37.crate which is vulnerable to CVE-2026-25727.

Summary IBM Edge Data Collector uses time-0.3.37.crate which is vulnerable to CVE-2026-25727. This bulletin contains information addressing the vulnerability. Vulnerability Details CVEID:CVE-2026-25727 DESCRIPTION: time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when...

CVE-2026-32517

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Kleor Contact Manager contact-manager allows Reflected XSS.This issue affects Contact Manager: from n/a through = 9.1...

CVE-2018-25208

CVE-2018-25208 affects qdPM 9.1. It describes an SQL injection vulnerability in the timeReport endpoint where unauthenticated attackers can craft requests with filter_by[CommentCreatedFrom] and filter_by[CommentCreatedTo] to execute arbitrary SQL and retrieve data. The vulnerability is tied to th...

CVE-2026-32517

CVE-2026-32517 : A Reflected Cross-site Scripting (XSS) vulnerability exists in Kleor Contact Manager (contact-manager), caused by improper neutralization of input during web page generation. The issue affects Contact Manager versions up to 9.1. Successful exploitation could allow an attacker to ...

PT-2026-28031

Name of the Vulnerable Software and Affected Versions Kleor Contact Manager versions through 9.1 Description A Reflected Cross-site Scripting XSS issue exists in Kleor Contact Manager. The issue is due to improper neutralization of input during web page generation. This allows an attacker to inje...

WordPress Contact Manager plugin <= 9.1 - Reflected Cross Site Scripting (XSS) vulnerability

Reflected Cross Site Scripting XSS vulnerability discovered by johska in WordPress Plugin Contact Manager versions = 9.1...

CVE-2026-1948 NEX-Forms – Ultimate Forms Plugin for WordPress <= 9.1.9 - Missing Authorization to Authenticated (Subscriber+) License Deactivation via deactivate_license

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivatelicense function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with...