CVE-2026-47119

Agent Zero before version 1.15 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary JavaScript in the application origin by serving SVG files through the imageget API endpoint without Content-Security-Policy, X-Content-Type-Options, or Content-Dispositio...

MAL-2026-4669 Malicious code in shiroai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cde2f64fd59e62071433f92eab83a4817f0b306ff1735aa8c31ae31dcaf9830 shiroai is advertised as a CLI where the installer authenticates with their own API key via shiroai login . In practice, cli.js ignores any...

CVE-2026-20223

Cisco Secure Workload is affected by a vulnerability in the access validation of internal REST APIs that could allow an unauthenticated, remote attacker to access site resources with Site Admin privileges. The issue arises from insufficient validation/authentication when accessing REST API endpoi...

CVE-2026-6393

The CVE concerns the WordPress plugin BetterDocs (versions up to and including 4.3.11). The vulnerability lies in the function generate_openai_content_callback() , which lacks proper permission checks and relies on a nonce, allowing authenticated attackers with subscriber-level access or higher t...

CVE-2026-24177

NVIDIA KAI Scheduler contains a vulnerability where an attacker could access API endpoints without authorization. A successful exploit of this vulnerability might lead to information disclosure...

CVE-2025-55274

HCL Aftermarket DPC is affected by Cross-Origin Resource Sharing vulnerability. CORS misconfigurations includes the exposure of sensitive user information to attackers, unauthorized access to APIs, and possible data manipulation or leakage. If an attacker to exploit CORS misconfiguration, they...

Authentication Bypass Using an Alternate Path or Channel

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Authentication Bypass Using an Alternate Path or Channel via the route classification process. An attacker can gain unauthorized access to protected API endpoints by submitting requests...

CVE-2026-23693 ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor elementskit-lite WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API...

GitLab 17.7 < 18.6.4 / 18.7 < 18.7.2 / 18.8 < 18.8.2 (CVE-2025-13928)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a...

PT-2026-3768

Name of the Vulnerable Software and Affected Versions Apache Solr versions 5.3.0 through 9.10.0 Description Deployments of Apache Solr utilizing the Rule Based Authorization Plugin are susceptible to unauthorized access to certain Solr APIs. This occurs due to insufficient input validation within...

EUVD-2025-202990

The Kirim.Email WooCommerce Integration plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9. This is due to missing nonce validation on the plugin's settings page. This makes it possible for unauthenticated attackers to modify the plugin's...

CVE-2025-61075

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls...

CVE-2025-61075

Multiple Incorrect Access Control vulnerabilities in adata Software GmbH Mitarbeiterportal 2.15.2.0 allow remote authenticated, low-privileged users to carry out administrative functions and manipulate data of other users via unauthorized API calls...

CVE-2025-11862

A security issue was discovered within Verve Asset Manager allowing unauthorized read-only users to read, update, and delete users via the API...

CVE-2025-11997

The Document Pro Elementor – Documentation & Knowledge Base plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.0.9. This is due to the plugin exposing sensitive Algolia API keys through the frontend JavaScript code via wplocalizescript without prope...

CVE-2025-12360 Better Find and Replace <= 1.7.7 - Missing Authorization

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafarajax function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level...

Liferay Portal和Liferay DXP 安全漏洞

Liferay Portal and Liferay DXP are both products of Liferay, Inc.Liferay Portal is a J2EE based portal solution. The solution uses technologies such as EJB as well as JMS and can be used as a Web publishing and sharing workspace, enterprise collaboration platform, social network, etc. Liferay DXP...

CVE-2025-40773

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...

CVE-2025-40773

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...

CVE-2025-40773

A vulnerability has been identified in SiPass integrated All versions V3.0. Affected server applications contains a broken access control vulnerability. The authorization mechanism lacks sufficient server-side checks, allowing an attacker to execute a specific API request. Successful exploitation...