CVE-2026-48774

ProxySQL is a proxy for MySQL and its forks, as well as PostgreSQL. In versions 3.0.0 through 3.0.8, ProxySQL's GenAI/MCP runsqlreadonly tool violates its documented read-only contract for MySQL targets. The tool validates only the full input string with a substring blacklist and first-keyword...

CVE-2025-69103 WordPress Brikk theme <= 3.0.0 - Arbitrary Content Deletion vulnerability

Subscriber Arbitrary Content Deletion in Brikk = 3.0.0 versions...

PT-2026-50080

Subscriber Arbitrary Content Deletion in Brikk = 3.0.0 versions...

EUVD-2026-36807

Unauthenticated SQL Injection in wpForo Forum = 3.0.4 versions...

EUVD-2026-37002

Cursor is a code editor built for programming with AI. In versions prior to 3.0.0, the Cursor Desktop could execute workspace-defined Claude hook commands from .claude/settings.local.json without dedicated user approval. A malicious workspace or agent-created file could configure hooks that run...

Thai Palliative SQL注入漏洞

Thai Palliative is a modified version of the PHP framework developed by DAMASAC KKU. Versions of Thai Palliative 3.0 and earlier have a SQL injection vulnerability. This vulnerability arises from the lack of cleaning or parameterization of the idFormMain parameter and the id parameter, which may...

EUVD-2026-34977

clash-verge-service-ipc before 2.3.0 has a world-reachable IPC endpoint, leading to local privilege escalation...

CVE-2026-45300

CVE-2026-45300 affects AsyncHttpClient: vulnerable in the 2.x branch before 2.15.0 and the 3.x branch before 3.0.10. When following cross-origin redirects, propagatedHeaders() strips Authorization and Proxy-Authorization but leaves Cookie intact, causing session cookies and other sensitive cookie...

EUVD-2026-32001

epa4all-client is the Java Client for epa4all / ePA 3.0 in the Telematik Infrastruktur. Prior to 1.2.2, an attacker on the network path between the ePA service and the Konnektor can present any TLS certificate self-signed, expired, wrong CN and intercept all SOAP traffic. This includes patient...

Exploit for Missing Authentication for Critical Function in Flowiseai Flowise

Silentium — HackTheBox Writeup Platform: HackTheBox...

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: can: mcan: mcantxhandler: fixed the issue where skb was freed after it had been used. The canPUTechoskb function clones a skb and then frees it. This function should be moved directly before the start of the xmit in hardware for...

CVE-2018-25289

Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by entering a 6000-byte payload in the Registration Name field through the Help...

EUVD-2026-23935

The wpForo Forum plugin for WordPress is vulnerable to Arbitrary File Deletion in versions up to and including 3.0.5. This is due to two compounding flaws: the Members::update method does not validate or restrict the value of file-type custom profile fields, allowing authenticated users to store ...

CVE-2026-39665

The CVE describes a DOM-Based XSS vulnerability in the WordPress plugin SEO Friendly Images (seo-image) by Vladimir Prelovac, affecting versions from n/a up to 3.0.5. Root cause: Improper neutralization of input during web page generation. Impact stated across sources as cross-site scripting acce...

runZero Platform 安全漏洞

runZero Platform is an asset discovery and attack surface management platform developed by the US company runZero. Versions of runZero Platform prior to 4.0.260203.0 contained security vulnerabilities. These vulnerabilities were due to improper authorization, which could allow the MCP proxy to...

UBUNTU-CVE-2026-25645

Requests is a HTTP library. Prior to version 2.33.0, the requests.utils.extractzippedpaths utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker...

PT-2026-27927

Name of the Vulnerable Software and Affected Versions eyecix Addon Jobsearch Chat versions through 3.0 Description The software contains a flaw related to improper input handling during web page generation, which allows for Reflected Cross-Site Scripting XSS. This issue impacts the Addon Jobsearc...

WordPress plugin Contact List 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-32711

pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, b...

CVE-2016-20027 ZKTeco ZKBioSecurity 3.0 Multiple Reflected XSS Vulnerabilities

ZKTeco ZKBioSecurity 3.0 contains multiple reflected cross-site scripting vulnerabilities that allow attackers to execute arbitrary HTML and script code by injecting malicious payloads through unsanitized parameters in multiple scripts. Attackers can craft malicious URLs with XSS payloads in...