Lucene search

27 matches found

EUVD
added 2026/03/12 7:35 p.m. · 3 views

EUVD-2026-11688

Cap'n Proto is a data interchange format and capability-based RPC system. Prior to 1.4.0, when using Transfer-Encoding: chunked, if a chunk's size parsed to a value of 2^64 or larger, it would be truncated to a 64-bit integer. In theory, this bug could enable HTTP request/response smuggling. This...

CVSS 6.3 · AI score 5.8 · EPSS 0.00073
Exploits: 0 · References: 5
Metasploit
added 2026/03/05 6:59 p.m. · 182 views

Tactical RMM Jinja2 SSTI Remote Code Execution

This module exploits a Server-Side Template Injection (SSTI) vulnerability in Tactical RMM versions prior to 1.4.0 (CVE-2025-69516). The reporting template preview endpoint passes user-controlled Jinja2 template content to Environment.from_string without sandboxing, allowing arbitrary Python code...

CVSS 8.8 · AI score 6.2 · EPSS 0.55581
Exploits: 4
SUSE CVE
added 2026/01/23 12:24 a.m. · 3 views

SUSE CVE-2026-23737

seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding consta...

CVSS 7.5 · AI score 6.1 · EPSS 0.0014
Exploits: 0 · References: 3
ATTACKERKB
added 2026/01/22 4:52 p.m. · 3 views

CVE-2025-69056

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0...

CVSS 7.1 · AI score 5.2 · EPSS 0.00064
Exploits: 0 · References: 2
CVE
added 2026/01/21 11:09 p.m. · 5 views

CVE-2026-23737

CVE-2026-23737 affects the seroval JavaScript library. The flaw resides in the JSON deserialization path, specifically the fromJSON and fromCrossJSON functions, where improper input handling can permit arbitrary JavaScript code execution. Exploitation is described as requiring multiple (four) req...

CVSS 7.5 · AI score 6 · EPSS 0.0014
Exploits: 0 · References: 2 · Affected Software: 1
CVE
added 2025/12/09 1:37 p.m. · 20 views

CVE-2025-14324

CVE-2025-14324 describes a JIT miscompilation in the JavaScript Engine’s JIT component affecting Firefox < 146, Firefox ESR < 115.31 and < 140.6, and Thunderbird

CVSS 9.8 · AI score 7.2 · EPSS 0.00072
Exploits: 0 · References: 6 · Affected Software: 2
CNNVD
added 2025/12/09 12:00 a.m. · 1 views

WordPress plugin Media Library Downloader Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site request...

CVSS 4.3 · AI score 6.5 · EPSS 0.00015
Exploits: 0 · References: 1
Positive Technologies
added 2025/10/27 12:00 a.m. · 1 views

PT-2025-43792

Name of the Vulnerable Software and Affected Versions: ClickSend SMS Contact Form 7 Notifications versions through 1.4.0 Description: An authorization issue exists in ClickSend SMS Contact Form 7 Notifications. The issue involves incorrectly configured access control security levels, potentially...

CVSS 8.1 · AI score 6.5 · EPSS 0.00056
Exploits: 0 · References: 3
Tenable Nessus
added 2025/10/23 12:00 a.m. · 3 views

Oracle WebLogic Server (October 2025 CPU)

The 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 versions of WebLogic Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2025 CPU advisory. - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Centralized...

CVSS 7.5 · AI score 6.3 · EPSS 0.00099
Exploits: 1 · References: 6
Positive Technologies
added 2025/10/20 12:00 a.m. · 2 views

PT-2025-42792

Name of the Vulnerable Software and Affected Versions: FileRise versions prior to 1.4.0 Description: FileRise is a self-hosted web-based file manager. A flaw in file/folder handling allows low-privilege users to perform unauthorized operations (view, delete, modify) on files created by other users...

CVSS 8.1 · AI score 6.3 · EPSS 0.00041
Exploits: 0 · References: 10
CVE
added 2025/10/09 3:23 a.m. · 15 views

CVE-2025-6038

The CVE-2025-6038 entry concerns the Lisfinity Core plugin for the Lisfinity WordPress theme. It describes a privilege-escalation path via password updates in all versions up to 1.4.0, caused by inadequate validation of a user’s identity before applying password changes. The documented impact is ...

CVSS 8.8 · AI score 6.1 · EPSS 0.0006
Exploits: 0 · References: 2
Tenable Nessus
added 2025/10/09 12:00 a.m. · 2 views

AlmaLinux 10 : valkey (ALSA-2025:11401)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:11401 advisory. redis: Redis Stack Buffer Overflow (CVE-2025-27151); redis: Redis Unauthenticated Denial of Service (CVE-2025-48367); redis: Redis Hyperloglog Out-of-Bounds...

CVSS 9.8 · AI score 7 · EPSS 0.18438
Exploits: 4 · References: 5
RedhatCVE
added 2025/05/23 10:15 a.m. · 2 views

CVE-2024-20992

Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware component: Content integration. The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle WebCenter...

CVSS 4.4 · AI score 4.6 · EPSS 0.00198
Exploits: 0 · References: 1
CNNVD
added 2025/05/12 12:00 a.m. · 1 views

AbanteCart Cross-Site Scripting Vulnerability

AbanteCart is an open source PHP-based e-commerce platform from AbanteCart. A cross-site scripting vulnerability exists in AbanteCart v1.4.0, which stems from the presence of reflective cross-site scripting in the /eyes parameter, which could lead to the execution of malicious code...

CVSS 6.1 · AI score 6.1 · EPSS 0.00167
Exploits: 0 · References: 1
vulnersOsv
added 2024/12/19 6:31 p.m. · 3 views

ai.acolite:openai-agent-sdk (>=0.1.0 <=0.4.0), ai.ancf.lmos-router:lmos-router-llm-in-spring-cloud-gateway-demo (>=0.2.0 <=0.28.0) +16301 more potentially affected by CVE-2024-12801 via ch.qos.logback:logback-core (>=1.4.0 <=1.5.12)

ch.qos.logback:logback-core MAVEN version =1.4.0, =0.1.0, =0.2.0, =0.114.0, =0.103.0, =0.114.0, =0.2.0, =0.8.0, =0.9.0 - ai.djl.spring:djl-spring-boot-starter-autoconfigure =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-auto =0.26 - ai.djl.spring:djl-spring-boot-starter-mxnet-linux-x8664 =0....

CVSS 2.4 · AI score 6.7 · EPSS 0.00064
Exploits: 0
Positive Technologies
added 2024/04/19 12:00 a.m. · 2 views

PT-2024-24341 · Mealie · Mealie

Name of the Vulnerable Software and Affected Versions: Mealie versions prior to 1.4.0 Description: The issue concerns the safe scrape html function, which uses a user-controlled URL to issue a request to a remote server. This function does not restrict the URL that can be provided, allowing an...

CVSS 4.1 · AI score 6.8 · EPSS 0.00042
Exploits: 0 · References: 8
Patchstack
added 2024/04/10 12:07 p.m. · 2 views

WordPress Ultimate Bootstrap Elements for Elementor plugin <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Image Widget vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Image Widget vulnerability discovered by Francesco Carlucci in WordPress Plugin Ultimate Bootstrap Elements for Elementor versions <= 1.4.0...

CVSS 6.4 · AI score 5.8 · EPSS 0.00082
Exploits: 0 · References: 1 · Affected Software: 1
Positive Technologies
added 2024/02/20 12:00 a.m. · 1 views

PT-2024-20903 · Unknown · Libiec61850

Name of the Vulnerable Software and Affected Versions: libiec61850 versions 1.4.0 Description: The issue allows a remote attacker to cause a denial of service via the mmsServer handleGetNameListRequest function to the mms getnamelist service component. Recommendations: For version 1.4.0, consider...

CVSS 6.2 · AI score 7.3 · EPSS 0.00714
Exploits: 1 · References: 7
CNNVD
added 2023/08/10 12:00 a.m. · 0 views

WordPress Plugin Realia Cross-Site Request Forgery Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. A cross-site request forgery vulnerability...

CVSS 8.8 · AI score 6.7 · EPSS 0.00084
Exploits: 0 · References: 3
Positive Technologies
added 2023/07/10 12:00 a.m. · 1 views

PT-2023-5377 · D Link · D-Link Di-7200Gv2

Name of the Vulnerable Software and Affected Versions: D-Link DI-7200G V2 version 21.04.09E1 Description: The issue is related to a buffer overflow in the arp sys.asp component of the D-Link DI-7200G V2 router's firmware when processing the zn jb parameter. This can allow a remote attacker to...

CVSS 9.8 · AI score 9.5 · EPSS 0.00936
Exploits: 1 · References: 6