600 matches found
Giga Messenger WordPress - Cross-Site Scripting
Giga Messenger WordPress plugin = 2.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
CVE-2026-51538
EIPStackGroup OpENer 2.3.0 commit 76b95cf suffers from an Incorrect Access Control vulnerability in its handling of encapsulation sessions. When the server processes critical encapsulation commands, it verifies whether the provided sessionhandle exists in the global session list, but it fails to...
CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...
PYSEC-2026-434 Remote unauthenticated attackers able to upload files in Onionshare
OnionShare 2.3 before 2.4 allows remote unauthenticated attackers to upload files on a non-public node when using the --receive functionality...
PYSEC-2026-270 OS Command Injection in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider...
CVE-2026-51219
A heap buffer overflow in the HighPriorityASDUQueuehasUnconfirmedIMessages function of lib60870 v2.3.3 to v2.3.6 allows attackers to cause a Denial of Service DoS via a crafted payload...
CVE-2026-54834 WordPress Object Cache 4 everyone plugin <= 2.3.2 - Sensitive Data Exposure vulnerability
Unauthenticated Sensitive Data Exposure in Object Cache 4 everyone = 2.3.2 versions...
CVE-2026-46733
Dell Display and Peripheral Manager DDPM Windows, versions prior to 2.3, contain an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Code execution...
EUVD-2026-39363
Subscriber Sensitive Data Exposure in Visual Link Preview = 2.3.1 versions...
CVE-2026-54821
The CVE-2026-54821 entry concerns the WordPress Visual Link Preview plugin, affected versions are
CVE-2026-55392
NILFS utilities through 2.3.0, fixed in commit 26efb5d, nilfssbisvalid function fails to validate slogblocksize field in NILFS2 superblock before bit-shift operations. Attackers supplying crafted NILFS2 images trigger undefined behavior through oversized shifts or out-of-memory conditions, crashi...
CVE-2026-48997
e107 is a content management system CMS. Versions 2.3.5 and earlier contain a command injection vulnerability in the ImageMagick resize destination path. In resizeimage, the source path is escaped with escapeshellarg, but the destination path is inserted inside raw double quotes in the convert...
WordPress Visual Link Preview plugin <= 2.3.1 - Sensitive Data Exposure vulnerability
Sensitive Data Exposure vulnerability discovered by she11f in WordPress Plugin Visual Link Preview versions = 2.3.1...
EUVD-2026-36988
Unauthenticated Broken Access Control in WPAdverts = 2.3.0 versions...
CVE-2026-48889
Subscriber Privilege Escalation in Amelia = 2.3 versions...
CVE-2025-68851
Unauthenticated Cross Site Scripting XSS in Okay Toolkit = 2.3 versions...
CVE-2025-68851
CVE-2025-68851 refers to the WordPress Okay Toolkit plugin (<= 2.3) and describes an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was identified by Skalucy. The provided documents do not specify the exact vulnerable input, affected product version(s) be...
PT-2026-49351
Unauthenticated Cross Site Scripting XSS in Okay Toolkit = 2.3 versions...
GHSA-P5J5-4J3Q-8MQ8 TYPO3 HTML Sanitizer allows Cross-site Scripting
Namespace attributes are not encoded correctly during HTML serialization. This allows bypassing the cross-site scripting prevention mechanism of typo3/html-sanitizer before version 2.3.2. Credits to Doyensec in collaboration with Claude and Anthropic Research for reporting this vulnerability...
EUVD-2026-36301
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in the apitokens database table. Any attacker who obtains read access to the database — through SQL injection, a leaked backup, a...