2891 matches found
Uptime-Kuma < v1.23.0 - Improper Access Control
Uptime-Kuma before v1.23.0 is vulnerable to an information disclosure issue due to missing authorization on the /api/badge/1/ping/24 endpoint. An unauthenticated attacker can access this endpoint to leak ping statistics, such as average ping and ping history, for existing monitors without needing...
WP Visitor Statistics (Real Time Traffic) < 6.9 - SQL Injection
The plugin does not escape user input which is concatenated to an SQL query, allowing unauthenticated visitors to conduct SQL Injection attacks. id: CVE-2023-0600 info: name: WP Visitor Statistics Real Time Traffic 6.9 - SQL Injection author: r3Y3r53,j4vaovo severity: critical description: | The...
LearnPress < 4.3.2 - Broken Access Control
The LearnPress – WordPress LMS Plugin plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the statistic function in all versions up to, and including, 4.3.1. This makes it possible for unauthenticated attackers to view the plugin's orders...
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the currentpagetype parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain...
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators, exploit requires knowledge of an administrat...
CVE-2026-57959
CVE-2026-57959 affects Hi.Events up to version 1.9.0. The vulnerability arises in promo code validation where the reservation path checks the usage count before the asynchronous UpdateEventStatisticsJob increments it, enabling a race condition. Attackers can sequentially reserve multiple orders u...
CVE-2026-57959 Hi.Events 1.9.0 - Promo Code Max-Usage Bypass via Asynchronous Job Race Condition
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the...
WordPress Visitor Statistics (Real Time Traffic) <4.8 -SQL Injection
WordPress Visitor Statistics Real Time Traffic plugin before 4.8 does not properly sanitize and escape the refUrl in the refDetails AJAX action, which is available to any authenticated user. This could allow users with a role as low as subscriber to perform SQL injection attacks. id: CVE-2021-247...
SUSE CVE-2026-53323
In the Linux kernel, the following vulnerability has been resolved: net: dsa: remove redundant netdevlockops from conduit ethtool ops DSA replaces the conduit master device's ethtoolops with its own wrappers that aggregate stats from both the conduit and DSA switch ports. Taking the lock again...
WordPress Plugin WP Statistics <= 13.1.5 - SQL Injection
The WP Statistics WordPress plugin is vulnerable to SQL Injection due to insufficient escaping and parameterization of the IP parameter found in the /includes/class-wp-statistics-hits.php file which allows attackers without authentication to inject arbitrary SQL queries to obtain sensitive...
EUVD-2026-39825
Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink TcpStatsdSink, where the thread-local flusher buffer can be overflowed by exceptionally long statistic...
CVE-2026-55202
A flaw was found in Tinyproxy. This vulnerability allows unauthenticated remote attackers to gain unauthorized access to internal proxy statistics or misroute requests. This is possible due to improper validation of the Host header during stathost detection, which can be exploited by injecting a...
CVE-2026-56319
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...
CVE-2026-56319 Capgo - App Existence Oracle via GET /statistics/app/:app_id
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...
EUVD-2026-38125
Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...
PT-2026-51157
Name of the Vulnerable Software and Affected Versions Capgo versions prior to 12.128.2 Description An information disclosure issue exists in the 'GET /statistics/app/:app id' endpoint. This allows users with app-limited API keys to identify existing sibling app IDs by analyzing differential error...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: iommu/s390: Fixed memory corruption when using the identity domain. The function zpcigetiommuctrs returns counter information that needs to be reported as part of device statistics. These counters are stored as part of the...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: bpf: Fixed an invalid prog-stats access when updateeffectiveprogs fails. The issue occurs due to a fault-injected code sequence in updateeffectiveprogs. The problem can be described as follows: c cgroupbpfdetach...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15
In the Linux kernel, the following vulnerabilities have been resolved: RDMA/irdma: Fixed a data race on CQP completion statistics. CQP completion statistics is locked when used in irdmawaitevent and irdmacheckcqpprogress. However, it can also be updated in the completion thread irdmascccqgetcqein...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: BUG: NULL pointer dereference in the kernel, address: 0000000000000038 RIP efxnicupdatestats Abridged calltrace: efxef10updatestatspf, efxnetstats, devgetstats, devseqprintfstats The issue occurs when trying to retrieve the lates...