CVE-2026-10567

A security vulnerability has been detected in 1Panel-dev CordysCRM up to 1.4.1. This impacts the function Save of the file src/main/java/cn/cordys/crm/system/service/ModuleFormService.java of the component ModuleFormController. The manipulation of the argument Description leads to cross site...

CVE-2026-10277

A vulnerability was found in j3k0 mcp-google-workspace up to 831790e7d5c2663325733d9f5579cc339a267c4c. This issue affects the function saveToDisk of the file src/tools/gmail.ts of the component MCP Gmail Tool. Performing a manipulation results in improper access controls. It is possible to initia...

CVE-2026-36761

A stored cross-site scripting XSS vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter...

CVE-2026-9248

Authorization bypass in the entry duplication feature in Devolutions Server allows an authenticated user with write access to any vault to copy documentation and attachments from an entry in a vault they cannot access via a crafted save request. This issue affects : Devolutions Server 2026.1.6.0...

CVE-2026-4432

The YITH WooCommerce Wishlist WordPress plugin before 4.13.0 does not properly validate wishlist ownership in the savetitle AJAX handler before allowing wishlist renaming operations. The function only checks for a valid nonce, which is publicly exposed in the page source of the /wishlist/ page,...

CVE-2026-8256

A security vulnerability has been detected in Devs Palace ERP Online up to 4.0.0. This vulnerability affects unknown code of the file /accounts/mr-save. Such manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. T...

CVE-2026-8262

A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. This impacts an unknown function of the file /accounts/chart-save. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used. The vendor was...

CVE-2026-8253

A vulnerability was identified in Devs Palace ERP Online up to 4.0.0. Affected by this vulnerability is an unknown functionality of the file /inventory/purchasesave. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available a...

CVE-2026-25266

Memory corruption while processing IOCTL command when device is in power-save state...

CVE-2026-7194

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=saveproduct. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been...

CVE-2026-7088

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=savereceiving. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit...

CVE-2026-7126

A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects an unknown part of the file /ajax.php?action=savecategory. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released t...

CVE-2026-7128

A security vulnerability has been detected in SourceCodester Pharmacy Sales and Inventory System 1.0. This issue affects some unknown processing of the file /ajax.php?action=savetype. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has...

CVE-2026-3426

The RTMKit Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on the savewidget and resetallwidgets functions in all versions up to, and including, 2.0.2. This makes it possible for authenticated attackers, with Author-lev...

CVE-2026-1934

The Motors – Car Dealership & Classified Listings plugin for WordPress is vulnerable to Payment Bypass via insecure user meta update in all versions up to, and including, 1.4.103 This is due to the stmsaveuserextrafields function updating sensitive user meta fields from POST data without verifyin...

CVE-2026-10236

A vulnerability has been found in SourceCodester Water Billing Management System 1.0. This issue affects some unknown processing of the file /classes/Users.php?f=save of the component User Management Endpoint. Such manipulation leads to improper authorization. The attack may be launched remotely...

CVE-2026-45551

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

CVE-2026-6565

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input...

CVE-2026-37503

Cross-Site Scripting XSS in V2Board thru 1.7.4. The customhtml field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling...

CVE-2026-40549

SOPlanning is vulnerable to Cross‑Site Request Forgery CSRF in groupesave create, modify and delete endpoints. An attacker can craft a malicious website that, when visited by an authenticated user, automatically sends a forged GET or POST request to the application. This issue affects SOPlanning...