CVE-2025-71281
CVE-2025-71281 concerns XenForo before 2.3.7 where template access restrictions on methods were too permissive. The root cause is a loose prefix match for methods accessible through callbacks and variable method calls in templates, allowing unauthorized method invocations. Documented impact is hi...
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function...
CVE-2025-64723
Summary: Arduino IDE for macOS prior to 2.3.7 had overly permissive security entitlements that could bypass the macOS Hardened Runtime protections, enabling an attacker to inject malicious dynamic libraries into the process and access all TCC permissions granted to the app. Impact (as stated): by...
CVE-2025-62415 bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)
Bagisto is an open source Laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...
PT-2024-36184 · Unknown · Yalla Ya! Simple Payment
Name of the Vulnerable Software and Affected Versions: yalla ya! Simple Payment versions 2.3.7 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS, where an attacker can...
mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications...