647 matches found
WordPress Events Manager plugin <= 7.3.6 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by dutafi in WordPress Plugin Events Manager versions = 7.3.6...
CVE-2026-12154
The CVE concerns the WordPress plugin Reviews Widgets for Google, Yelp & TripAdvisor (fb-reviews-widget)
GHSA-3VCG-PV95-PQ54 SFTPGo has stored XSS via inline parameter on public shares and user file download
Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...
GHSA-H64P-8H4R-6GFH SFTPGo has path confinement bypass in public browsable share partial ZIP download
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's...
CVE-2026-53622 Traefik: HTTP/3 mTLS bypass via exact SNI TLSOptions lookup for wildcard and mixed-case hosts
Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's HTTP/3 QUIC TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake...
CVE-2026-10852
IBM WebSphere Application Server and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server...
CVE-2026-10852
CVE-2026-10852 affects IBM WebSphere Application Server and IBM WebSphere Application Server Liberty via the WebSphere WebServer Plug-in. The IBM and NVD entries describe a denial-of-service vulnerability triggered by crafted requests to the web server. Affected versions include IBM WebSphere App...
EUVD-2026-38346
IBM i 7.6, 7.5, 7.4, and 7.3, IBM WebSphere Application Server, and IBM WebSphere Application Server Liberty are vulnerable to denial of service in the WebSphere WebServer Plug-in component when an attacker can pass crafted requests to the web server...
CVE-2025-52465
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web pa...
WordPress APIExperts Square for WooCommerce plugin <= 4.7.3 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by Peng Zhou in WordPress Plugin APIExperts Square for WooCommerce versions = 4.7.3...
CVE-2026-49080
Unauthenticated SQL Injection in wpDataTables = 7.3.6 versions...
CVE-2026-7870
CVE-2026-7870 affects IBM i 7.3–7.6 (5770-SS1). Root cause: an unqualified library call (CWE-427) could let a user’s code run with administrator privileges, enabling privilege escalation. Impact: allows elevated rights, with CVSSv3.1 base score 8.8 (HIGH) — attack vector: network, complexity: low...
PT-2026-48675
IBM i 7.6, 7.5, 7.4, and 7.3 could allow a user to gain elevated privileges due to an unqualified library call. A malicious actor could cause user-controlled code to run with administrator privilege...
EUVD-2026-35985
The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...
CVE-2025-46311
An inconsistent user interface issue was addressed with improved state management. This issue is fixed in iOS 18.7.3 and iPadOS 18.7.3, iOS 26.2 and iPadOS 26.2. An app may be able to access sensitive user data...
WordPress ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin <= 7.3.1 - Authenticated (Subscriber+) SQL Injection vulnerability
Authenticated Subscriber+ SQL Injection vulnerability discovered by h0xilo in WordPress Plugin ARMember Premium versions = 7.3.1...
VulnCheck KEV: CVE-2026-5073
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...
NetApp Active IQ OneCollect 安全漏洞
NetApp Active IQ OneCollect is a platform provided by the US-based NetApp company that collects, analyzes, and validates diagnostic data from storage infrastructure. Version 2.7.3 of NetApp Active IQ OneCollect contains a security vulnerability. This vulnerability stems from the use of hardcoded...
PT-2026-46068
Name of the Vulnerable Software and Affected Versions Active IQ Config Advisor version 6.7.3 Description Hard-coded credentials exist within the software, which could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. Recommendations At the moment,...
EUVD-2026-34005
The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...