Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection

A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this...

CVE-2026-2812

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This...

PT-2026-37674

Vulnerability in the Java SE product of Oracle Java SE component: JavaFX. The supported version that is affected is Java SE: 8u251. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human...

grav-exploit

GravCMS 1.10.7 - Unauthenticated Remote Code Execution RCE...

CVE-2026-1643

The CVE-2026-1643 entry concerns the MP-Ukagaka WordPress plugin with Reflected Cross-Site Scripting vulnerabilities in all versions up to 1.5.2, caused by insufficient input sanitization and output escaping. This allows unauthenticated attackers to inject arbitrary scripts into pages that are ex...

CVE-2026-1801

A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soupfilterinputstreamreadline logic, where libsoup accepts malformed chunk headers, such as lone line feed LF characters instead of the required...

SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability

SolarWinds Web Help Desk contains a deserialization of untrusted data vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication...

CVE-2025-57792

CVE-2025-57792 affects Explorance Blue prior to version 8.14.9 with a SQL injection vulnerability caused by insufficient input validation in a web endpoint. The flaw allows crafted input to be executed as part of backend queries and is exploitable without authentication. Affected product/version ...

CVE-2023-45005

Unauth. Reflected Cross-Site Scripting XSS vulnerability in Castos Seriously Simple Stats plugin = 1.5.1 versions...

CVE-2025-14611 Gladinet CentreStack and TrioFox Hard Coded AES Keys

Gladinet CentreStack and Triofox prior to version 16.12.10420.56791 used hardcoded values for their implementation of the AES cryptoscheme. This degrades security for public exposed endpoints that may make use of it and may offer arbitrary local file inclusion when provided a specially crafted...

CVE-2025-62716 Plane Vulnerable to Cross-Site Scripting via Open Redirect in ?next_path Parameter

Plane is open-source project management software. Prior to version 1.1.0, an open redirect vulnerability in the ?nextpath query parameter allows attackers to supply arbitrary schemes e.g., javascript: that are passed directly to router.push. This results in a cross-site scripting XSS vulnerabilit...

EUVD-2020-30105

Malware in sbrugna...

EUVD-2025-21056

Malicious code in bioql PyPI...

CVE-2022-37718

The management portal component of JetNexus/EdgeNexus ADC 4.2.8 was discovered to contain a command injection vulnerability. This vulnerability allows authenticated attackers to execute arbitrary commands through a specially crafted payload. This vulnerability can also be exploited from an...

CVE-2022-27104

An Unauthenticated time-based blind SQL injection vulnerability exists in Forma LMS prior to v.1.4.3...

CVE-2022-1560

The Amministrazione Aperta WordPress plugin before 3.8 does not validate the open parameter before using it in an include statement, leading to a Local File Inclusion issue. The original advisory mentions that unauthenticated users can exploit this, however the affected file generates a fatal err...

CVE-2020-9352

An issue was discovered in SmartClient 12.0. Unauthenticated exploitation of blind XXE can occur in the downloadWSDL feature by sending a POST request to /tools/developerConsoleOperations.jsp with a valid payload in the transaction parameter. NOTE: the documentation states "These tools are, by...

CVE-2024-10907

In lm-sys/fastchat Release v0.2.36, the server fails to handle excessive characters appended to the end of multipart boundaries. This flaw can be exploited by sending malformed multipart requests with arbitrary characters at the end of the boundary. Each extra character is processed in an infinit...

CVE-2024-10713

A vulnerability in szad670401/hyperlpr v3.0 allows for a Denial of Service DoS attack. The server fails to handle excessive characters appended to the end of multipart boundaries, regardless of the character used. This flaw can be exploited by sending malformed multipart requests with arbitrary...

CVE-2023-6978

The WP Job Manager – Company Profiles plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'company' parameter in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inje...