CVE-2026-46725 Remote Code Execution in extension "Content Element Selector" (ceselector)

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

EUVD-2026-30865

The extension passes an attacker-controlled cookie directly to PHP's unserialize without safely processing the input. A remote, unauthenticated attacker can supply a crafted serialized payload to trigger PHP Object Injection, leading to Remote Code Execution on the TYPO3 server. Exploitation...

CVE-2026-46725

The CVE-2026-46725 vulnerability affects the TYPO3 extension Content Element Selector (ceselector). The issue arises when an attacker-controlled cookie is passed directly to PHP unserialize() without safe input handling, enabling PHP Object Injection that can lead to Remote Code Execution on the ...

SEPPMail Secure E-Mail Gateway Vulnerabilities Enable RCE and Mail Traffic Access

Critical security vulnerabilities have been disclosed in SEPPMail Secure E-Mail Gateway, an enterprise-grade email security solution, that could be exploited to achieve remote code execution and enable an attacker to read arbitrary mails from the virtual appliance. "These vulnerabilities could ha...

CVE-2026-31379 Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting', Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Control of Generation of Code 'Code Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06...

CVE-2026-31379 Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting', Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Control of Generation of Code 'Code Injection' vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06...

CVE-2026-31379

CVE-2026-31379 affects Apache OFBiz prior to version 24.09.06. The incident combines multiple flaws: improper neutralization of input (XSS), path traversal restricting directory access, and improper generation of code, enabling a path traversal/file upload validation bypass with potential arbitra...

CVE-2026-31378 Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution

Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

CVE-2026-31378 Apache OFBiz: JSON Attribute Override and URL Allowlist Bypass Leads to Remote Code Execution

Improper Input Validation vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

CVE-2026-31378

The CVE relates to an Improper Input Validation vulnerability in Apache OFBiz . Affected software is Apache OFBiz versions before 24.09.06 . The issue’s root cause is input validation weaknesses, allowing potential impact as described in the linked records. The recommended remediation is to upgra...

CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

CVE-2026-29207 Apache OFBiz: Low-Privilege SSTI Leading to RCE in the Content Component

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue. Please note that in the updated version, "Data Resource" records with...

CVE-2026-8727 Remote Code Execution in extension "Site Crawler" (crawler)

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

CVE-2026-8727

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

CVE-2026-8727

The CVE-2026-8727 affects the TYPO3 Crawler extension (Site Crawler). The root cause is that the Crawler extension forwards the X-T3Crawler-Meta response header directly to PHP’s unserialize(), allowing an attacker-controlled crawled endpoint to inject arbitrary serialized PHP objects, leading to...

CVE-2026-8727 Remote Code Execution in extension "Site Crawler" (crawler)

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

EUVD-2026-30854

The Crawler extension passes the X-T3Crawler-Meta response header from crawled URLs directly to PHP's unserialize. An attacker controlling a crawled endpoint can inject arbitrary serialized PHP objects, leading to Remote Code Execution on the TYPO3 server. Exploitation requires administrative...

BIT-FLINK-2026-35194 Apache Flink: Remote code execution via SQL injection in code generation

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions 1.15.0+ and LIKE...

CVE-2026-4885

The Piotnet Addons for Elementor Pro plugin for WordPress is vulnerable to arbitrary file upload due to missing file type validation in the 'pafeajaxformbuilder' function in all versions up to, and including, 7.1.70. The plugin uses an incomplete extension blacklist that only blocks php, phpt,...

CVE-2026-40460

creationtimestamp| type| source ---|---|--- 2026-05-19 08:05:32+00:00| seen| https://ccb.belgium.be/advisories/warning-multiple-vulnerabilities-nginx-leading-remote-code-execution-and-allowing-rate...