24960 matches found

OSV
added 2026/04/21 3:18 p.m. | 2 views

GHSA-GRP3-H8M8-45P7 Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values

Summary: The Cassandra export module glances/exports/glancescassandra/init.py interpolates keyspace, table, and replicationfactor configuration values directly into CQL statements without validation. A user with write access to glances.conf can redirect all monitoring data to an attacker-controlle...

6.3 CVSS | 5.8 AI score | 0.00013 EPSS
Exploits: 1 | References: 5
CVE
added 2026/04/21 12:41 p.m. | 17 views

CVE-2026-40520

CVE-2026-40520 concerns the FreePBX API module (version 17.0.8 and earlier). The root cause is that the function initiateGqlAPIProcess() forwards GraphQL mutation input fields directly to shell_exec() without sanitization or escaping. An authenticated user with a valid bearer token can issue a Gr...

8.8 CVSS | 6.1 AI score | 0.00326 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Cvelist
added 2026/04/21 12:41 p.m. | 27 views

CVE-2026-40520 FreePBX api module Command Injection via GraphQL

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shell_exec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...

8.6 CVSS | 0.00326 EPSS
Exploits: 0 | References: 4
Vulnrichment
added 2026/04/21 12:41 p.m. | 2 views

CVE-2026-40520 FreePBX api module Command Injection via GraphQL

FreePBX api module version 17.0.8 and prior contain a command injection vulnerability in the initiateGqlAPIProcess function where GraphQL mutation input fields are passed directly to shell_exec without sanitization or escaping. An authenticated user with a valid bearer token can send a GraphQL...

8.6 CVSS | 6.1 AI score | 0.00326 EPSS
Exploits: 0 | References: 4
RedhatCVE
added 2026/04/21 10:11 a.m. | 2 views

CVE-2026-35588

A flaw was found in Glances, an open-source system monitoring tool. A user with write access to the glances.conf configuration file can exploit a CQL (Cassandra Query Language) injection vulnerability in the Cassandra export module. This allows an attacker to manipulate configuration values,...

6.3 CVSS | 5.7 AI score | 0.00013 EPSS
Exploits: 1 | References: 2
Patchstack
added 2026/04/21 9:32 a.m. | 4 views

WordPress WPGraphQL plugin < 2.11.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by daroo in WordPress Plugin WPGraphQL versions 2.11.1...

5.8 AI score
Exploits: 0 | Affected Software: 1
Vulnrichment
added 2026/04/21 9:3 a.m. | 1 views

CVE-2026-3317 Reflected Cross-Site Scripting in Navigate CMS application

Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker t...

5.1 CVSS | 6 AI score | 0.00296 EPSS
Exploits: 0 | References: 1
CVE
added 2026/04/21 9:3 a.m. | 5 views

CVE-2026-3317

CVE-2026-3317 is a reflected XSS vulnerability in Navigate Content Management System affecting the /blog endpoint. The root cause is unsanitized user input via designed query parameters, leading to unsafe HTML rendering and the potential execution of JavaScript in a victim’s browser. The issue is...

5.1 CVSS | 6 AI score | 0.00296 EPSS
Exploits: 0 | References: 1
ATTACKERKB
added 2026/04/21 9:3 a.m. | 2 views

CVE-2026-3317

Reflected Cross-Site Scripting (XSS) vulnerability in Navigate Content Management System. The vulnerability is present in the '/blog' endpoint because user input is not properly sanitized through designed query parameters. This results in unsafe HTML rendering, which could allow a remote attacker t...

5.1 CVSS | 6 AI score | 0.00296 EPSS
Exploits: 0 | References: 2
GithubExploit
added 2026/04/21 8:2 a.m. | 76 views

vulnerability-scanner

vulnerability-scanne...

5.8 AI score
Exploits: 0
Positive Technologies
added 2026/04/21 12:0 a.m. | 2 views

PT-2026-34003

Name of the Vulnerable Software and Affected Versions: October versions prior to 3.7.14; October versions prior to 4.1.10. Description: A flaw in the Twig sandbox security policy allows database write operations when cms.safe mode is enabled. Backend users with Developer permissions can use Twig...

6.6 CVSS | 5.8 AI score | 0.00075 EPSS
Exploits: 0 | References: 8
Tenable Nessus
added 2026/04/21 12:0 a.m. | 4 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-013335)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013335 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPI: EC: Fix oops when removing custom query handlers When removing custom query handlers, the...

6.1 AI score | 0.00034 EPSS
Exploits: 0 | References: 4
CNNVD
added 2026/04/21 12:0 a.m. | 4 views

Genesys Latitude Security Vulnerability

Genesys Latitude is a debt collection and account management platform developed by Genesys Corporation. Version 25.1.0.420 of Genesys Latitude contains a security vulnerability. This vulnerability arises from the direct concatenation of user input into SQL statements without proper cleaning, whic...

8.8 CVSS | 6.1 AI score | 0.00039 EPSS
Exploits: 1 | References: 2
Cvelist
added 2026/04/21 12:0 a.m. | 29 views

CVE-2025-70420

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements...

0.00039 EPSS
Exploits: 1 | References: 2
Positive Technologies
added 2026/04/21 12:0 a.m. | 1 views

PT-2026-34004

October is a Content Management System (CMS) and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting (XSS) vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

3.1 CVSS | 5.8 AI score | 0.00036 EPSS
Exploits: 0 | References: 2
CVE
added 2026/04/21 12:0 a.m. | 5 views

CVE-2025-70420

Summary: CVE-2025-70420 affects Genesys Latitude v25.1.0.420 and is caused by unsanitized user input concatenated into SQL statements, allowing an authenticated attacker to execute arbitrary SQL against the backend database. Impact/details present: authenticated remote access with low privileges ...

8.8 CVSS | 6.1 AI score | 0.00039 EPSS
Exploits: 1 | References: 2 | Affected Software: 1
Tenable Nessus
added 2026/04/21 12:0 a.m. | 2 views

Unity Linux 20.1070e Security Update: kernel (UTSA-2026-010699)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-010699 advisory. An issue was discovered in ksmbd in the Linux kernel 5.15 through 5.19 before 5.19.2. There is a heap-based buffer overflow in setntacldacl, related to use of...

8.8 CVSS | 7.5 AI score | 0.00806 EPSS
Exploits: 0 | References: 8
CNNVD
added 2026/04/21 12:0 a.m. | 5 views

WordPress plugin CMS für Motorrad Werkstätten SQL Injection Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application plugin. The WordPre...

6.5 CVSS | 5.9 AI score | 0.00013 EPSS
Exploits: 0 | References: 1
CNNVD
added 2026/04/21 12:0 a.m. | 6 views

October Cross-Site Scripting Vulnerability

October is an open-source content management system (CMS) and network platform developed by October. Versions prior to October 3.7.16 and 4.1.16 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient escaping of query parameters during the rendering of the...

3.1 CVSS | 5.7 AI score | 0.00036 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/04/21 12:0 a.m. | 3 views

PT-2026-34207

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 29.0 and earlier. Description: A directory traversal flaw exists where a security check in 'objects/aVideoEncoderReceiveImage.json.php' only validates the URL path component for traversal sequences. However, the try get...

6.5 CVSS | 5.9 AI score | 0.00128 EPSS
Exploits: 1 | References: 8