EUVD-2026-39278

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Validate cpuid against nrcpuids in DMAH alloc The cpuid attribute supplied by user space through UVERBSATTRALLOCDMAHCPUID is passed directly to cpumasktestcpu without first verifying that the value is within the valid...

GamiPress <= 2.8.9 - SQL Injection

GamiPress WordPress plugin version 2.8.9 and below suffers from an SQL injection vulnerability due to insufficient sanitization of user input, allowing attackers to execute arbitrary SQL commands. id: CVE-2024-13496 info: name: GamiPress = 2.8.9 - SQL Injection author: ritikchaddha severity: high...

Push Notification for Post and BuddyPress <= 1.93 - SQL Injection

Push Notification for Post and BuddyPress plugin for WordPress is vulnerable to SQL Injection via the 'onesignalexternalid' and 'onesignalgetsubscriptionoptionsid' paramters in all versions up to, and including, 1.93 due to insufficient escaping on the user supplied parameter and lack of sufficie...

WWBN AVideo 11.6 - Cross-Site Scripting

A reflected XSS vulnerability exists in the functiongetOpenGraph videoName functionality of WWBN AVideo 11.6 and dev master commit 3c6bb3ff, allowing arbitrary Javascript execution. id: CVE-2023-48728 info: name: WWBN AVideo 11.6 - Cross-Site Scripting author: ritikchaddha severity: medium...

Online Fire Reporting System v1.0 - SQL injection

Online Fire Reporting System v1.0 is vulnerable to SQL Injection via /ofrs/classes/Master.php?f=deleteinquiry. id: CVE-2022-31978 info: name: Online Fire Reporting System v1.0 - SQL injection author: theamanrawat severity: critical description: | Online Fire Reporting System v1.0 is vulnerable to...

Backdrop CMS version 1.23.0 - Cross Site Scripting (Stored)

Backdrop CMS version 1.23.0 was discovered to contain a stored cross-site scripting XSS vulnerability via Post content. id: CVE-2022-42096 info: name: Backdrop CMS version 1.23.0 - Cross Site Scripting Stored author: theamanrawat severity: medium description: | Backdrop CMS version 1.23.0 was...

IBAX - SQL Injection

IBAX go-ibax functionality is susceptible to SQL injection via the file /api/v2/open/rowsInfo. The manipulation of the argument tablename leads to SQL injection, and the attack may be launched remotely. An attacker can potentially obtain sensitive information, modify data, and/or execute...

rConfig 3.9.4 - Cross-Site Scripting

rConfig 3.9.4 is vulnerable to reflected XSS. The configDevice.php file improperly validates user input. An attacker can exploit this vulnerability by crafting arbitrary JavaScript in the rid GET parameter of devicemgmnt.php id: CVE-2020-12259 info: name: rConfig 3.9.4 - Cross-Site Scripting...

Moodle LMS Jmol Plugin <= 6.1 - Cross-Site Scripting

A reflected cross-site scripting XSS vulnerability exists in the Moodle LMS Jmol plugin version 6.1 and prior via the data parameter in jsmol.php. The application fails to properly sanitize user input before embedding it into the HTTP response, allowing an attacker to execute arbitrary JavaScript...

WordPress AnyComment <0.3.5 - Open Redirect

WordPress AnyComment plugin before 0.3.5 contains an open redirect vulnerability via an API endpoint which passes user input via the redirect parameter to the wpredirect function without being validated. An attacker can redirect a user to a malicious site and possibly obtain sensitive information...

Hongdian H8922 3.0.5 Devices - Local File Inclusion

Hongdian H8922 3.0.5 devices are vulnerable to local file inclusion. The /logdownload.cgi log export handler does not validate user input and allows a remote attacker with minimal privileges to download any file from the device by substituting ../ e.g., ../../etc/passwd This can be carried out wi...

OpenAM<=15.0.3 FreeMarker - Template Injection

OpenAM is an open access management solution. In versions 15.0.3 and prior, the getCustomLoginUrlTemplate method in RealmOAuth2ProviderSettings.java is vulnerable to template injection due to its usage of user input id: CVE-2024-41667 info: name: OpenAM=15.0.3 FreeMarker - Template Injection...

PuneethReddyHC Online Shopping System homeaction.php SQL Injection

An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php catid parameter. Using a post request does not sanitize the user input. id: CVE-2021-41649 info: name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection...

CVE-2026-50701

A Reflected Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the dashboard-view component...

CVE-2026-50704

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the File View breadcrumb renderer...

CVE-2026-50700

A Stored Cross-Site Scripting XSS vulnerability exists in Frappe Framework version 17.0.0-dev due to improper neutralization of user-controlled input in the frappe.getavatar function...

EUVD-2026-38570

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...

CVE-2026-55736

CVE-2026-55736 (Ash project) : A logic flaw in Ash allows end-user input to set private action arguments intended to be server-controlled. In non-atomic paths, private arguments are stripped only when the parameter key is an atom; if the key is a string, the private argument remains controllable ...

CVE-2026-55736

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash allows a user to set the value of a private action argument that is intended to be controlled only by trusted server-side code. Action arguments declared with public?: false are meant t...

PT-2026-51644

Name of the Vulnerable Software and Affected Versions motionEye versions prior to 0.44.0 Description An absolute path traversal issue exists in multiple media file handlers within the media playback and download functionality. The affected handlers accept a user-controlled filename parameter and...