10 matches found

CVE
added 2026/06/02 3:29 p.m. · 7 views

CVE-2026-34460

NamelessMC (Minecraft server website software) is affected in versions up to 2.2.4 where the OAuth callback handling does not validate the state parameter server‑side before exchanging the authorization code. This can let an attacker capture a valid OAuth callback URL for their own account and ca...

CVSS 5.4 · AI score 5.8 · EPSS 0.00015
Exploits: 0 · References: 1

CVE
added 2026/06/02 3:19 p.m. · 7 views

CVE-2026-33398

NamelessMC 2.2.4 is affected by an insecure access control in modules/Forum/pages/forum/get_quotes.php, which only checks that a caller is logged in and reads a post by an attacker-controlled post ID. The backend helper in modules/Forum/classes/Forum.php does not enforce forum or topic ACLs, allo...

CVSS 7.1 · AI score 5.8 · EPSS 0.00043
Exploits: 0 · References: 1

Positive Technologies
added 2026/06/02 12:0 a.m. · 11 views

PT-2026-45801

NamelessMC is website software for Minecraft servers. In version 2.2.4, the profile page modules/Core/pages/profile.php processes wall post submissions and replies before verifying whether the viewer is authorized to access the profile. This allows any user with the profile.post permission to wri...

CVSS 5.3 · AI score 5.9 · EPSS 0.00047
Exploits: 0 · References: 2

RedhatCVE
added 2026/04/13 7:25 p.m. · 1 views

CVE-2026-39649

Missing Authorization vulnerability in themebeez Royale News royale-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royale News: from n/a through = 2.2.4...

CVSS 5.3 · AI score 5.8 · EPSS 0.0004
Exploits: 0 · References: 1

Vulnrichment
added 2026/03/22 1:38 p.m. · 3 views

CVE-2019-25599 Backup Key Recovery 2.2.4 Denial of Service via Name Field

Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to trigger a crash wh...

CVSS 6.9 · AI score 6 · EPSS 0.00017
Exploits: 0 · References: 3

CVE
added 2025/08/18 4:1 p.m. · 16 views

CVE-2025-54421

NamelessMC (NamelessMC) is affected by a stored XSS vulnerability in versions prior to 2.2.4, exploitable via the default_keywords crafted parameter. The issue affects authenticated remote users and allows injection of arbitrary web script/HTML. The vulnerability is fixed in version 2.2.4; upgrad...

CVSS 7.2 · AI score 5.3 · EPSS 0.00051
Exploits: 1 · References: 2 · Affected Software: 1

Positive Technologies
added 2022/02/25 12:0 a.m. · 1 views

PT-2022-16585 · Apache · Apache Airflow

Name of the Vulnerable Software and Affected Versions: Apache Airflow versions prior to 2.2.4 Description: The issue arises from some example DAGs in Apache Airflow not properly sanitizing user-provided params, making them susceptible to OS Command Injection from the web UI. Recommendations: For...

CVSS 8.8 · AI score 8.8 · EPSS 0.89825
Exploits: 0 · References: 11

OSV
added 2019/01/16 7:30 p.m. · 2 views

CVE-2019-2526

Vulnerability in the Oracle VM VirtualBox component of Oracle Virtualization subcomponent: Core. Supported versions that are affected are prior to 5.2.24 and prior to 6.0.2. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle VM VirtualB...

CVSS 7.8 · AI score 7.1
Exploits: 0 · References: 3

RedHat Linux
added 2014/01/15 7:17 p.m. · 3 views

JDK: unspecified vulnerability fixed in 5.0u71, 6u71 and 7u51 (2D)

Unspecified vulnerability in Oracle Java SE 5.0u55, 6u65, and 7u45; JavaFX 2.2.45; and Java SE Embedded 7u45 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D...

CVSS 9.3 · AI score 6.4 · EPSS 0.09186
Exploits: 1 · References: 5

Positive Technologies
added 2010/02/23 12:0 a.m. · 3 views

PT-2010-2453 · Fonality · Fonality Trixbox

Name of the Vulnerable Software and Affected Versions: Fonality Trixbox version 2.2.4 Description: The issue allows remote attackers to execute arbitrary SQL commands. This is achieved via the ID parameter in the /cisco/services/PhonecDirectory.php API endpoint. Recommendations: For Fonality...

CVSS 7.5 · AI score 7.6 · EPSS 0.00529
Exploits: 1 · References: 6