106684 matches found
CVE-2026-44974
CVE-2026-44974 affects the @hapi/content header parser. Before v6.0.2, Content.disposition() kept the last value for duplicate parameters while Content.type() kept the first for duplicate charset/boundary parameters, creating a parameter-smuggling primitive when duplicates are resolved inconsiste...
CVE-2026-44974 Parameter smuggling in @hapi/content header parser allows upload-filter bypass via duplicate parameters
@hapi/content provided HTTP Content- headers parsing. Prior to 6.0.2, Content.disposition retained the last occurrence of each duplicate parameter while Content.type retained the first occurrence of duplicate charset and boundary parameters, creating a parameter-smuggling primitive when another...
CVE-2026-8056 Parameter Injection Vulnerability in API Graph Execution Engine
IBM Langflow OSS 1.0.0 through 1.10.0 allows authenticated users to override component parameters at runtime via the API. A critical security flaw exists in the parameter filtering mechanism within the applytweaks function...
CVE-2026-8056
Summary: IBM Langflow OSS 1.0.0–1.10.0 contains a parameter injection vulnerability in the API Graph Execution Engine. A flaw in the parameter filtering logic in the apply_tweaks() function allows authenticated users to override component parameters at runtime via the tweaks API, potentially exec...
CVE-2026-9587
An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997. The playfile functionality accepts user-controlled input through the soundpath parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying...
CVE-2026-9585
An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...
CVE-2026-9587
CVE-2026-9587 describes an authenticated local file inclusion in Sangoma Switchvox SMB Edition 8.3 (104997). The issue resides in the play_file function where the sound_path input is not properly validated, allowing an attacker to supply absolute paths to read files outside the intended directory...
CVE-2026-9587 Authenticated Local File Inclusion (LFI) in Switchvox SMB Web Portal
An authenticated local file inclusion vulnerability exists in Sangoma Switchvox SMB Edition 8.3 104997. The playfile functionality accepts user-controlled input through the soundpath parameter and fails to properly validate file paths before accessing the underlying filesystem. By supplying...
CVE-2026-9585
CVE-2026-9585 affects Sangoma Switchvox SMB Edition 8.3 (104997). The vulnerability is an unauthenticated reflected XSS in the portal parameter sent to invalid_browser and invalid_browser_login handlers, where user-supplied data is reflected into JavaScript, enabling attacker-controlled script ex...
CVE-2026-9585 Unauthenticated Reflected Cross-Site Scripting (XSS) in Switchvox SMB Web Portal
An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...
EUVD-2026-45203
An unauthenticated reflected cross-site scripting XSS vulnerability exists in Sangoma Switchvox SMB Edition version 8.3 104997. The application fails to properly sanitize the portal parameter supplied to the invalidbrowser and invalidbrowserlogin handlers. User-supplied data is reflected into...
CVE-2024-23567
HCL Aftermarket EPC is affected by Sensitive Information in GET method & in URL which allows application to pass sensitive data via URL parameters during normal usage. Data passed in this manner can be exposed because it may end up stored in unintended locations, including server logs, local...
CVE-2024-23567
Technical details about CVE-2024-23567 are not publicly available in the provided documents. Monitor for updates from vendor advisories or trusted sources before assessing impact or remediation.
CVE-2026-16009
A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used...
CVE-2026-16009 itsourcecode Hospital Management System prescriptionorderdetail.php sql injection
A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used...
CVE-2026-16009 itsourcecode Hospital Management System prescriptionorderdetail.php sql injection
A vulnerability was detected in itsourcecode Hospital Management System 1.0. Affected is an unknown function of the file /prescriptionorderdetail.php. The manipulation of the argument delid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used...
WAVLINK WN579X3 - Remote Command Execution
Remote Command Execution vulnerability in WAVLINK WN579X3 routers via pingIp parameter in /cgi-bin/adm.cgi. id: CVE-2023-3380 info: name: WAVLINK WN579X3 - Remote Command Execution author: pussycat0x severity: critical description: | Remote Command Execution vulnerability in WAVLINK WN579X3 route...
JS Help Desk <= 2.8.1 - SQL Injection
The JS Help Desk – Best Help Desk & Support Plugin plugin for WordPress is vulnerable to SQL Injection via the ‘email' and 'trackingid' parameters in all versions up to 2.8.2 exclusive due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing S...
SPIP <3.1.2 - Cross-Site Scripting
SPIP 3.1.2 and earlier contains a cross-site scripting vulnerability in validerxml.php which allows remote attackers to inject arbitrary web script or HTML via the varurl parameter in a validerxml action. id: CVE-2016-7981 info: name: SPIP 3.1.2 - Cross-Site Scripting author: pikpikcu severity:...
MapTiler Tileserver-php v2.0 - Unauthenticated XSS
MapTiler Tileserver-php v2.0 contains a reflected XSS caused by unencoded reflection of the GET parameter "layer" in an error message, letting unauthenticated attackers execute arbitrary script on victim browsers. id: CVE-2025-44136 info: name: MapTiler Tileserver-php v2.0 - Unauthenticated XSS...