
4441 matches found

CVE
added 2026/02/21 4:25 a.m., 13 views

CVE-2026-27194

D-Tale (Python package dtale) is affected by CVE-2026-27194 due to a flaw in the /save-column-filter endpoint that allows Remote Code Execution. The issue arises from improper validation when constructing column filters via pandas DataFrame.query(), enabling an attacker to execute arbitrary code ...

CVSS 9.8 | AI score 6.7 | EPSS 0.00712
Exploits 0 | References 2 | Affected Software 1

Vulnrichment
added 2026/02/21 4:25 a.m., 3 views

CVE-2026-27194 D-Tale affected by Remote Code Execution through the /save-column-filter endpoint

D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue...

CVSS 9.3 | AI score 6.5 | EPSS 0.00712
Exploits 0 | References 2

ATTACKERKB
added 2026/02/21 4:25 a.m., 3 views

CVE-2026-27194

D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue...

CVSS 9.3 | AI score 6.7 | EPSS 0.00712
Exploits 0 | References 3 | Affected Software 1

Cvelist
added 2026/02/21 4:25 a.m., 23 views

CVE-2026-27194 D-Tale affected by Remote Code Execution through the /save-column-filter endpoint

D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue...

CVSS 9.3 | EPSS 0.00712
Exploits 0 | References 2

OSV
added 2026/02/21 4:25 a.m., 5 views

CVE-2026-27194 D-Tale affected by Remote Code Execution through the /save-column-filter endpoint

D-Tale is a visualizer for pandas data structures. Versions prior to 3.20.0 are vulnerable to Remote Code Execution through the /save-column-filter endpoint. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. This issue...

CVSS 9.3 | AI score 6.7 | EPSS 0.00712
Exploits 0 | References 4

Github Security Blog
added 2026/02/19 8:29 p.m., 8 views

D-Tale affected by Remote Code Execution through the /save-column-filter endpoint

Impact: Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Patches: Users should upgrade to version 3.20.0. Workarounds: There are no workarounds for versions 3.20.0...

CVSS 9.8 | AI score 6.5 | EPSS 0.00712
Exploits 0 | References 4 | Affected Software 1

Snyk
added 2026/02/19 8:29 p.m., 3 views

Arbitrary Code Injection

Overview: dtale is a Web Client for Visualizing Pandas Objects. Affected versions of this package are vulnerable to Arbitrary Code Injection via the /save-column-filter endpoint due to the improper validation of input to pandas' DataFrame.query used to construct Column filters. An attacker can...

CVSS 9.8 | AI score 6.2 | EPSS 0.00712
Exploits 0 | References 2

OSV
added 2026/02/19 8:29 p.m., 5 views

GHSA-C87C-78RC-VMV2 D-Tale affected by Remote Code Execution through the /save-column-filter endpoint

Impact: Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server. Patches: Users should upgrade to version 3.20.0. Workarounds: There are no workarounds for versions 3.20.0...

CVSS 9.3 | AI score 6.5 | EPSS 0.00712
Exploits 0 | References 4

OSV
added 2026/02/19 6:24 p.m., 3 views

CVE-2026-23610

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON "popServers" payload to...

CVSS 5.4 | AI score 5.8 | EPSS 0.00173
Exploits 0 | References 2

Cvelist
added 2026/02/19 5:56 p.m., 28 views

CVE-2026-23610 GFI MailEssentials AI < 22.4 POP2Exchange POP3 Server Login Stored XSS

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON "popServers" payload to...

CVSS 5.4 | EPSS 0.00173
Exploits 0 | References 2

NVD
added 2026/02/19 7:17 a.m., 7 views

CVE-2026-1455

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | EPSS 0.00124
Exploits 0 | References 3

Cvelist
added 2026/02/19 4:36 a.m., 28 views

CVE-2026-1455 Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | EPSS 0.00124
Exploits 0 | References 3

Vulnrichment
added 2026/02/19 4:36 a.m., 2 views

CVE-2026-1455 Whatsiplus Scheduled Notification for Woocommerce <= 1.0.1 - Cross-Site Request Forgery to 'wsnfw_save_users_settings' AJAX Action

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfw_save_users_settings' AJAX action. This makes it possible for unauthenticated...

CVSS 4.3 | AI score 5.4 | EPSS 0.00124
Exploits 0 | References 3

Vulnrichment
added 2026/02/19 4:36 a.m., 4 views

CVE-2026-0912 Toret Manager <= 1.2.7 - Authenticated (Subscriber+) Arbitrary Options Update via AJAX actions

The Toret Manager plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'trmansaveoption' function and on the 'trmansaveoptionitems' in all versions up to, and including, 1.2.7. This makes it possible...

CVSS 8.8 | AI score 5.7 | EPSS 0.00292
Exploits 0 | References 4

CVE
added 2026/02/19 4:36 a.m., 16 views

CVE-2025-15041

The CVE refers to BackWPup – WordPress Backup & Restore Plugin for WordPress, where a missing capability check in save_site_option() in versions

CVSS 7.2 | AI score 5.7 | EPSS 0.00375
Exploits 0 | References 3

Vulnrichment
added 2026/02/19 4:36 a.m., 4 views

CVE-2025-15041 BackWPup <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option function in all versions up to, and including, 5.6.2. This makes it possible for...

CVSS 7.2 | AI score 5.7 | EPSS 0.00375
Exploits 0 | References 3

Cvelist
added 2026/02/19 4:36 a.m., 29 views

CVE-2025-15041 BackWPup <= 5.6.2 - Authenticated (BackWPup Helper+) Privilege Escalation via Arbitrary Options Update

The BackWPup – WordPress Backup & Restore Plugin plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the save_site_option function in all versions up to, and including, 5.6.2. This makes it possible for...

CVSS 7.2 | EPSS 0.00375
Exploits 0 | References 3

RedhatCVE
added 2026/02/19 1:27 a.m., 5 views

CVE-2025-70152

code-projects Community Project Scholars Tracking System 1.0 is vulnerable to SQL Injection in the admin user management endpoints /admin/saveuser.php and /admin/updateuser.php. These endpoints lack authentication checks and directly concatenate user-supplied POST parameters firstname, lastname,...

CVSS 9.8 | AI score 6 | EPSS 0.00398
Exploits 1 | References 1

Positive Technologies
added 2026/02/19 12:0 a.m., 4 views

PT-2026-20623

Name of the Vulnerable Software and Affected Versions: BackWPup – WordPress Backup & Restore Plugin versions prior to 5.6.3. Description: The BackWPup – WordPress Backup & Restore Plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A...

CVSS 7.2 | AI score 5.4 | EPSS 0.00375
Exploits 0 | References 5

Positive Technologies
added 2026/02/19 12:0 a.m., 8 views

PT-2026-21349

Name of the Vulnerable Software and Affected Versions: D-Tale versions prior to 3.20.0. Description: D-Tale, a visualizer for pandas data structures, has an issue allowing for Remote Code Execution. This is due to a flaw in the /save-column-filter API endpoint. Publicly hosted instances of D-Tale ar...

CVSS 9.8 | AI score 5.7 | EPSS 0.00712
Exploits 0 | References 10