Lucene search

22 matches found

ATTACKERKB · added 2026/03/31 8:45 p.m. · 1 view

CVE-2026-34613

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

CVSS 6.5 · AI score 5.9 · EPSS 0.00008
Exploits: 1 · References: 2 · Affected software: 1
CVE · added 2026/03/31 8:45 p.m. · 20 views

CVE-2026-34613

The CVE affects WWBN AVideo (versions 26.0 and earlier). The endpoint objects/pluginSwitch.json.php lets an admin enable/disable plugins without validating a CSRF token, and the plugin list is exempt from ORM-level Referer/Origin checks via ignoreTableSecurityCheck(), bypassing domain validation ...

CVSS 6.5 · AI score 5.9 · EPSS 0.00008
Exploits: 1 · References: 1 · Affected software: 1
Positive Technologies · added 2026/03/31 12:00 a.m. · 2 views

PT-2026-29359

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo endpoint objects/pluginSwitch.json.php allows administrators to enable or disable any installed plugin. The endpoint checks for an active admin session but does not validate a CSRF token. Additionally, the plugin...

CVSS 6.5 · AI score 5.9 · EPSS 0.00008
Exploits: 1 · References: 3
EUVD · added 2026/03/19 9:49 p.m. · 1 view

EUVD-2026-13245

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, users who do not belong to the allowed policy creation groups can create functional policy acceptance widgets in posts under the right conditions. Versions 2026.3.0-latest.1, 2026.2.1, an...

CVSS 8.2 · AI score 5.7 · EPSS 0.00018
Exploits: 0 · References: 1
NVD · added 2026/02/26 10:20 p.m. · 3 views

CVE-2026-28218

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12....

CVSS 5.4 · EPSS 0.00042
Exploits: 0 · References: 1
ATTACKERKB · added 2026/02/26 9:23 p.m. · 3 views

CVE-2026-28218

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, fail-open access control in Data Explorer plugin allows any authenticated user to execute SQL queries that have no explicit group assignments, including built-in system queries. Versions 2025.12....

CVSS 5.4 · AI score 6 · EPSS 0.00042
Exploits: 0 · References: 2 · Affected software: 1
CVE · added 2026/01/28 6:21 p.m. · 4 views

CVE-2025-67723

CVE-2025-67723 affects Discourse server with the Discourse Math plugin when using KaTeX. The issue is a content-security-policy-mitigated cross-site scripting vulnerability in the KaTeX variant, present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The vulnerability is addressed...

CVSS 5.4 · AI score 5.8 · EPSS 0.00021
Exploits: 0 · References: 1 · Affected software: 1
EUVD · added 2025/10/07 12:30 a.m. · 0 views

EUVD-2021-24187

Malware in sbrugna...

CVSS 6.5 · AI score 6.5 · EPSS 0.00289
Exploits: 0 · References: 6
EUVD · added 2025/10/07 12:30 a.m. · 2 views

EUVD-2021-1462

Malware in sbrugna...

CVSS 7.2 · AI score 5.2 · EPSS 0.00773
Exploits: 0 · References: 5
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-5369

Malicious code in bioql PyPI...

CVSS 6.9 · AI score 5 · EPSS 0.00157
Exploits: 0 · References: 2
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-53718

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00129
Exploits: 0 · References: 1
EUVD · added 2025/10/03 8:07 p.m. · 1 view

EUVD-2021-30707

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 5 · EPSS 0.00281
Exploits: 0 · References: 2
EUVD · added 2025/10/03 8:07 p.m. · 2 views

EUVD-2022-52713

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.5 · EPSS 0.00106
Exploits: 0 · References: 3
Tenable Nessus · added 2025/09/10 12:00 a.m. · 1 view

Linux Distros Unpatched Vulnerability : CVE-2025-23024

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active...

CVSS 6.9 · AI score 5.5 · EPSS 0.00157
Exploits: 0 · References: 2
Vulnrichment · added 2025/05/07 5:37 p.m. · 8 views

CVE-2025-46824 Discourse Code Review Plugin vulnerable to XSS via auto link commits

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

CVSS 3.1 · AI score 4.4 · EPSS 0.00161
Exploits: 0 · References: 2
Positive Technologies · added 2025/03/13 12:00 a.m. · 1 view

PT-2025-11148 · WordPress · Wp E-Customers Beta

Name of the Vulnerable Software and Affected Versions: WP e-Customers Beta WordPress plugin version 0.0.1 Description: The issue concerns a Reflected Cross-Site Scripting problem. It arises because the WP e-Customers Beta WordPress plugin does not properly sanitise and escape a parameter before...

CVSS 7.1 · AI score 8.6 · EPSS 0.00088
Exploits: 1 · References: 6
Cvelist · added 2025/02/25 3:47 p.m. · 12 views

CVE-2025-23024 GLPI: Plugins are disabled accessing one page

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the install/update.php file...

CVSS 6.9 · EPSS 0.00157
Exploits: 0 · References: 2
FreeBSD · added 2025/02/25 12:00 a.m. · 12 views

glpi-project -- GLPI multiple vulnerabilities

[email protected] reports: CVE-2024-11955: A vulnerability was found in GLPI up to 10.0.17. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /index.php. The manipulation of the argument redirect leads to open redirect. The...

CVSS 9.8 · AI score 6.5 · EPSS 0.28839
Exploits: 8 · References: 9
OSV · added 2025/02/04 9:12 p.m. · 1 view

CVE-2024-53994 Potential bypass of chat permissions in Discourse

Discourse is an open source platform for community discussion. In affected versions users who disable chat in preferences could still be reachable in some cases. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable...

CVSS 4.3 · AI score 6.4 · EPSS 0.00218
Exploits: 0 · References: 3
ATTACKERKB · added 2023/05/20 3:15 a.m. · 2 views

CVE-2023-2717

The Groundhogg plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.7.9.8. This is due to missing nonce validation on the 'enablesafemode' function. This makes it possible for unauthenticated attackers to enable safe mode, which disables all other...

CVSS 5.4 · AI score 6.7 · EPSS 0.00093
Exploits: 0 · References: 4