176 matches found

EUVD, added 6 hours ago, 7 views

EUVD-2026-37974

The User Admin Simplifier plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the useradminsimplifieroptionspage function. This makes it possible for unauthenticated attackers to rese...

CVSS 4.3 | AI score 5.3 | Exploits 0 | References 5

RedhatCVE, added 2026/03/11 7:08 a.m., 3 views

CVE-2026-25041

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other...

CVSS 8.6 | AI score 5.8 | EPSS 0.0048 | Exploits 1 | References 1

Positive Technologies, added 2026/03/09 12:00 a.m., 4 views

PT-2026-24106

Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other...

CVSS 8.6 | AI score 5.8 | EPSS 0.0048 | Exploits 1 | References 4

Broadcom, added 2026/03/03 12:00 a.m., 16 views

Podman Vulnerable to Arbitrary File Write via Symbolic Link Traversal in 'play.go' File

Podman contains a symbolic link traversal vulnerability when the kube play command is used with a 'ConfigMap' or secret volume mount. A remote attacker could exploit this by creating a malicious symbolic link on the volume in order to overwrite the contents of arbitrary files, however the attacke...

CVSS 8.1 | AI score 6.1 | EPSS 0.01008 | Exploits 0

CNNVD, added 2026/02/09 12:00 a.m., 4 views

Craft CMS security vulnerability

Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17, and 5.0.0-RC1 to 5.8.21 of Craft CMS have security vulnerabilities. These vulnerabilities stem from the assembleLayoutFromPost function not properly cleaning user configuration data, which...

CVSS 8.6 | AI score 6.2 | EPSS 0.0097 | Exploits 1 | References 3

CNNVD, added 2026/01/29 12:00 a.m., 4 views

Mocha Telnet Lite security vulnerabilities

Mocha Telnet Lite is an open-source terminal emulation tool developed by Mocha. Version 4.2 of Mocha Telnet Lite contains a security vulnerability, which stems from improper handling of user configuration inputs, potentially leading to application crashes...

CVSS 7.5 | AI score 5.8 | EPSS 0.00366 | Exploits 0 | References 3

NVD, added 2026/01/23 4:15 p.m., 7 views

CVE-2026-22993

In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will...

CVSS 5.5 | EPSS 0.00115 | Exploits 0 | References 3

Tenable Nessus, added 2026/01/15 12:00 a.m., 4 views

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002595)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002595 advisory. An issue was discovered in the Linux kernel before 4.19.3. crypto_report_one and related functions in crypto/crypto_user.c (the crypto user configuration API) do not full...

CVSS 4.7 | AI score 6.4 | EPSS 0.00433 | Exploits 1 | References 13

RedhatCVE, added 2026/01/14 11:19 p.m., 2 views

CVE-2022-50927

Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricte...

CVSS 8.5 | AI score 7.1 | EPSS 0.00136 | Exploits 0 | References 1

NVD, added 2026/01/13 11:15 p.m., 4 views

CVE-2022-50927

Cyclades Serial Console Server 3.3.0 contains a local privilege escalation vulnerability due to overly permissive sudo privileges for the admin user and admin group. Attackers can exploit the default user configuration to gain root access by manipulating system binaries and leveraging unrestricte...

CVSS 8.5 | EPSS 0.00136 | Exploits 0 | References 3

RedhatCVE, added 2026/01/09 9:32 a.m., 11 views

CVE-2024-39033

In Newgensoft OmniDocs 11.0SP103006, Insecure Direct Object Reference IDOR in the getuserproperty function allows user's configuration and PII to be stolen...

CVSS 7.5 | AI score 6.8 | EPSS 0.00327 | Exploits 0 | References 1

RedhatCVE, added 2026/01/09 9:29 a.m., 4 views

CVE-2023-50313

IBM WebSphere Application Server 8.5 and 9.0 could provide weaker than expected security for outbound TLS connections caused by a failure to honor user configuration. IBM X-Force ID: 274812...

CVSS 6.5 | AI score 6.4 | EPSS 0.00177 | Exploits 0 | References 1

RedhatCVE, added 2026/01/07 9:28 a.m., 6 views

CVE-2019-12348

An issue was discovered in zzcms 2019. SQL Injection exists in user/ztconfig.php via the daohang or img POST parameter...

CVSS 9.8 | AI score 8.2 | EPSS 0.01661 | Exploits 1 | References 1

RustSec, added 2025/12/30 12:00 p.m., 5 views

theshit vulnerable to unsafe loading of user-owned Python rules when running as root

The application loads custom Python rules and configuration files from user-writable locations (e.g., /.config/theshit/) without validating ownership or permissions when executed with elevated privileges. If the tool is invoked with sudo or otherwise runs with an effective UID of root, it continues...

CVSS 6.7 | AI score 7.1 | EPSS 0.0012 | Exploits 0 | Affected Software 1

Vulnrichment, added 2025/12/15 8:32 p.m., 2 views

CVE-2023-53879 NVClient 5.0 Stack Buffer Overflow Vulnerability via User Configuration

NVClient 5.0 contains a stack buffer overflow vulnerability in the user configuration contact field that allows attackers to crash the application. Attackers can overwrite 846 bytes of memory by pasting a crafted payload into the contact box, causing a denial of service condition...

CVSS 6.7 | AI score 6.7 | EPSS 0.00185 | Exploits 1 | References 3

OSV, added 2025/10/21 7:21 p.m., 2 views

CVE-2025-56802

The Reolink desktop application uses a hard-coded and predictable AES encryption key to encrypt user configuration files allowing attackers with local access to decrypt sensitive application data stored in %APPDATA%. A different vulnerability than CVE-2025-56801. NOTE: the Supplier's position is...

CVSS 5.1 | AI score 5.8 | EPSS 0.00122 | Exploits 2 | References 2

CVE, added 2025/10/21 12:00 a.m., 8 views

CVE-2025-56802

The connected Red Hat and NVD entries confirm CVE-2025-56802 affects the Reolink desktop application and centers on a hard-coded and predictable AES encryption key used to encrypt user configuration files. This allows attackers with local access to decrypt sensitive data stored in %APPDATA%. The ...

CVSS 5.1 | AI score 6.1 | EPSS 0.00122 | Exploits 2 | References 2 | Affected Software 1

Veracode, added 2025/10/13 10:22 a.m., 8 views

Remote Code Execution

Flowise is vulnerable to Remote Code Execution. The vulnerability is due to unsafe evaluation of user-supplied configuration in the convertToValidJSONString function, which executes the mcpServerConfig input as JavaScript. An attacker can use this to execute arbitrary Node.js code to run commands or...

CVSS 10 | AI score 8 | EPSS 0.90183 | Exploits 21 | References 10 | Affected Software 1

EUVD, added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-3154

Malware in sbrugna...

CVSS 7.8 | AI score 7.4 | EPSS 0.00435 | Exploits 0 | References 6

EUVD, added 2025/10/07 12:30 a.m., 3 views

EUVD-2014-8502

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01173 | Exploits 0 | References 3