CVE-2026-40545

SOPlanning (versions ≤ 1.55) is vulnerable to Reflected XSS via the taches parameter. An attacker who can craft a malicious URL and entice an authenticated user to click it can cause arbitrary JavaScript execution in the victim’s browser. The CVE entry for CVE-2026-40545 explicitly documents this...

delve security update

An update is available for delve. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Delve is a debugger for the Go programming language. The goal of the project i...

CVE-2026-7881

CVE-2026-7881 affects Concrete CMS 9.5.0 and earlier. The vulnerability is an Insecure Direct Object Reference (IDOR) in the Express Entry Detail block via the exEntryID parameter, enabling unauthorized access to all Express form submissions. The CVSS v4.0 score is 6.3 (AV:N/AC:L/AT:P/PR:N/UI:N/V...

PT-2026-41565

Zechat 1.5 contains a SQL injection vulnerability in the v parameter that allows unauthenticated attackers to extract database information using time-based blind techniques. Attackers can exploit the v parameter with sleep-based blind injection to confirm vulnerability and extract data...

EUVD-2026-28540

The Auto Affiliate Links plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 6.8.8 This is due to insufficient input sanitization on the 'url' POST parameter in the aalurlstatssaveaction function and a complete absence of output escaping in...

CVE-2026-8098 code-projects Feedback System checklogin.php sql injection

A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly...

CVE-2026-7567 Temporary Login <= 1.0.0 - Authentication Bypass to Account Takeover

The Temporary Login plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.0.0. This is due to improper input validation in the maybelogintemporaryuser function, which fails to verify that the 'temp-login-token' GET parameter is a scalar string before...

CVE-2026-36763

The CVE-2026-36763 entry describes a stored XSS in SpringBlade v4.8.0, exploitable via the /api/blade-desk/notice/submit endpoint by injecting crafted input into the content parameter. The NVD entry confirms the issue and lists a CVSS v3.1 base score of 6.1 (Medium) with network attack vector, lo...

TOTOLINK A3300R user parameter command injection vulnerability

TOTOLINK A3300R is a wireless router from China's Gion Electronics TOTOLINK. A command injection vulnerability exists in the TOTOLINK A3300R user parameter, which originates from the failure of the user parameter in cstecgi.cgi to properly filter special characters, and can be exploited by an...

CVE-2026-1923

The Social Rocket – Social Sharing Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.3.4.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVE-2026-4005

The Coachific Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'userhash' shortcode attribute in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin uses sanitizetextfield on the 'userhash'...

CVE-2026-4664 Customer Reviews for WooCommerce <= 5.103.0 - Unauthenticated Authentication Bypass to Arbitrary Review Submission via 'key' Parameter

The Customer Reviews for WooCommerce plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 5.103.0. This is due to the createreviewpermissionscheck function comparing the user-supplied key parameter against the order's ivolesecretkey meta value using...

CVE-2025-45057

D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the ip parameter in the ippositionasp function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...

Belkin F9K1122 安全漏洞

The Belkin F9K1122 is a WiFi signal extender produced by the Canadian company Belkin. The version 1.00.33 of the Belkin F9K1122 contains a security vulnerability. This vulnerability stems from incorrect handling of the “page” parameter, which may lead to a stack buffer overflow attack...

PT-2026-30416

A security flaw has been discovered in UTT HiPER 1250GW up to 3.2.7-210907-180535. The impacted element is an unknown function of the file /goform/formRemoteControl. The manipulation of the argument Profile results in stack-based buffer overflow. The attack can be executed remotely. The exploit h...

Victor CMS SQL注入漏洞

Victor CMS is an open-source content management system developed by Victor Alagwu in Nigeria. Version 1.0 of Victor CMS has a SQL injection vulnerability. This vulnerability stems from post parameters that allow SQL injections, which may enable unverified attackers to manipulate database queries,...

CVE-2026-34797 Endian Firewall /cgi-bin/logs_smtp.cgi DATE Perl Command Injection

Endian Firewall version 3.3.25 and prior allow authenticated users to execute arbitrary OS commands via the DATE parameter to /cgi-bin/logssmtp.cgi. The DATE parameter value is used to construct a file path that is passed to a Perl open call, which allows command injection due to an incomplete...

CVE-2026-5180 SourceCodester Simple Doctors Appointment System ajax.php sql injection

A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. This manipulation of the argument email causes sql injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2016-20048

The CVE-2016-20048 entry concerns iSelect version 1.4.0-2+b1 that contains a local buffer overflow in the -k/--key parameter. An attacker can supply an oversized argument to overflow a 1024-byte stack buffer, enabling local code execution with the attacker’s privileges. The description details cr...

CVE-2026-23814

A vulnerability in the command parameters of a certain AOS-CX CLI command could allow a low-privilege authenticated remote attacker to inject malicious commands resulting in unwanted behavior...