205 matches found

CVE · added yesterday · 7 views

CVE-2025-52606

Technical details about CVE-2025-52606 are not publicly provided in the supplied documents. No affected products, versions, exploit info, or remediation are specified here. Monitor for updates.

CVSS 4.3 · AI score 5.8 · Exploits 0 · References 1 · Affected Software 1
EUVD · added 2 days ago · 6 views

EUVD-2026-34076

The ugw-restoreinfo method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVSS 8.1 · AI score 6 · EPSS 0.00105 · Exploits 0 · References 1
OSV · added 4 days ago · 5 views

ASB-A-475228205

In multiple functions of DevicePolicyManagerService.java, there is a possible desync from persistence due to improper input validation. This could lead to local denial of service with no additional execution privileges needed. User interaction is not needed for exploitation...

CVSS 5.5 · AI score 5.9 · EPSS 0.00006 · Exploits 0 · References 1
EUVD · added 2026/05/27 4:50 p.m. · 4 views

EUVD-2026-32586

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes(".tar.gz"). Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVSS 7.7 · AI score 5.8 · EPSS 0.00032 · Exploits 0 · References 1
CVE · added 2026/05/21 9:26 a.m. · 13 views

CVE-2026-42001

CVE-2026-42001 affects PowerDNS (pdns). Debian advisory DSA-6284-1 notes multiple vulnerabilities in pdns that could lead to denial of service or information disclosure, including CVE-2026-42001 (insufficient validation of autoprimary SOA queries). The issue is in the PowerDNS DNS server’s handli...

CVSS 7.5 · AI score 5.8 · EPSS 0.00019 · Exploits 0 · References 1 · Affected Software 1
Debian CVE · added 2026/05/14 5:37 a.m. · 7 views

CVE-2025-14870

Removed by vendor...

CVSS 7.5 · AI score 5.8 · EPSS 0.0005 · Exploits 0
Veracode · added 2026/05/09 5:37 a.m. · 4 views

Improper Certificate Validation

CKAN is vulnerable to Improper Certificate Validation. The vulnerability is due to insufficient validation of SMTP server certificates, allowing attackers to spoof the configured mail server using invalid or self-signed certificates and enabling man-in-the-middle attacks against email traffic and...

CVSS 8.7 · AI score 5.8 · EPSS 0.00009 · Exploits 0 · References 3 · Affected Software 1
CNNVD · added 2026/05/08 12:00 a.m. · 5 views

PraisonAI Input Validation Error Vulnerability

PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.6.34 contained a vulnerability related to input validation errors. This vulnerability stemmed from the file processing tool in the MCP server failing to perform containment...

CVSS 9.6 · AI score 6 · EPSS 0.00135 · Exploits 1 · References 1
CNNVD · added 2026/05/02 12:00 a.m. · 5 views

WordPress plugin Gravity Forms Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 7.2 · AI score 5.8 · EPSS 0.00021 · Exploits 0 · References 1
Snyk · added 2026/04/22 7:57 p.m. · 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the POST /api/lunchflow/link endpoint, which insufficiently validates user-supplied URLs and fails to restrict access to internal or sensitive network addresses. An attacker can cause the server to...

CVSS 8.5 · AI score 5.9 · EPSS 0.00016 · Exploits 0 · References 4
EUVD · added 2026/04/22 9:31 a.m. · 3 views

EUVD-2026-24688

The Breaking News WP plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 1.3. This is due to the brnwpajaxform AJAX endpoint lacking both authorization checks and CSRF verification, combined with insufficient path validation when the brnwptheme option...

CVSS 6.5 · AI score 5.8 · EPSS 0.00164 · Exploits 0 · References 8
Veracode · added 2026/04/22 8:43 a.m. · 6 views

Improper Validation Of OAuth State Tokens

github.com/mattermost/mattermost-server is vulnerable to improper validation of OAuth state tokens. The vulnerability is due to insufficient validation during the OpenID Connect OAuth flow, which allows an attacker to manipulate authentication data and take over a user account under specific...

CVSS 9.9 · AI score 7.2 · EPSS 0.00086 · Exploits 0 · References 6 · Affected Software 2
OSV · added 2026/04/21 8:26 p.m. · 2 views

GHSA-RX35-6RHX-7858 Tekton Pipelines: VolumeMount path restriction bypass via missing filepath.Clean in /tekton/ check

Summary: A validation bypass in the VolumeMount path restriction allows mounting volumes under restricted /tekton/ internal paths by using .. path traversal components. The restriction check uses strings.HasPrefix without filepath.Clean, so a path like /tekton/home/../results passes validation but...

CVSS 5.4 · AI score 5.8 · EPSS 0.00052 · Exploits 0 · References 4
RedHat Linux · added 2026/04/20 2:44 a.m. · 3 views

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVSS 7.5 · AI score 7.4 · EPSS 0.00044 · Exploits 0 · References 8
CVE · added 2026/04/15 9:34 p.m. · 6 views

CVE-2026-6388

The CVE describes a vulnerability in ArgoCD Image Updater where a user with rights to create/modify an ImageUpdater in a multi-tenant environment can bypass namespace boundaries due to insufficient validation. This leads to cross-namespace privilege escalation and unauthorized image updates on ap...

CVSS 9.1 · AI score 5.7 · EPSS 0.00036 · Exploits 0 · References 2
CVE · added 2026/04/15 8:28 a.m. · 2 views

CVE-2026-1782

CVE-2026-1782 affects MetForm Pro plugin for WordPress up to version 3.9.7. The issue is Improper Input Validation in the payment flow: Stripe/PayPal integrations trust a user-submitted calculation field value without recomputing or validating it against the configured form price. This allows una...

CVSS 5.3 · AI score 5.8 · EPSS 0.00072 · Exploits 0 · References 2
CVE · added 2026/04/15 3:18 a.m. · 3 views

CVE-2026-6328

CVE-2026-6328 concerns XQUIC’s Linux QUIC implementation (project XQUIC, xquic) where the STREAM frame handler modules suffer from improper input validation and improper verification of a cryptographic signature, enabling protocol manipulation. Affected version: XQUIC up to and including 1.8.3. I...

CVSS 8.3 · AI score 5.8 · EPSS 0.00046 · Exploits 0 · References 1
CNNVD · added 2026/04/15 12:00 a.m. · 6 views

Red Hat OpenShift GitOps Security Vulnerability

Red Hat OpenShift GitOps is an automated deployment service provided by the American company Red Hat. Red Hat OpenShift GitOps has a security vulnerability, which stems from insufficient validation. This vulnerability could allow attackers to bypass namespace boundaries, triggering cross-namespac...

CVSS 9.1 · AI score 5.8 · EPSS 0.00036 · Exploits 0 · References 2
OSV · added 2026/04/14 11:27 p.m. · 2 views

GHSA-PQ8P-WC4F-VG7J WWBN AVideo has an incomplete fix for CVE-2026-33502: Command Injection

Summary: The incomplete fix for AVideo's test.php adds escapeshellarg for wget but leaves the file_get_contents and curl code paths unsanitized, and the URL validation regex /^http/ accepts strings like httpevil.com. Affected Package - Ecosystem: Other - Package: AVideo - Affected versions: = commit...

CVSS 9.3 · AI score 6.7 · EPSS 0.00071 · Exploits 2 · References 7
CNNVD · added 2026/04/12 12:00 a.m. · 1 view

MyT SQL Injection Vulnerability

MyT is a task management system developed by domgio as an individual project. Version 1.5.1 of MyT contains a SQL injection vulnerability. This vulnerability stems from insufficient input validation for the Chargegrouptotal parameter in the /charge/admin endpoint, which may lead to SQL injection...

CVSS 8.1 · AI score 5.9 · EPSS 0.00034 · Exploits 1 · References 4