
1163 matches found

Positive Technologies
added 2026/04/26 12:0 a.m. | 2 views

PT-2026-35202

A weakness has been identified in SmythOS sre up to 0.0.15. This impacts an unknown function of the file packages/sdk/src/LLM/utils.ts of the component Connector Service. This manipulation of the argument baseURL causes information disclosure. It is possible to initiate the attack remotely. The...

CVSS 5.1 | AI score 4.8 | EPSS 0.00029
Exploits: 0 | References: 5
EUVD
added 2026/03/28 9:33 p.m. | 1 views

EUVD-2026-16949

A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been...

CVSS 5.3 | AI score 4.3 | EPSS 0.00045
Exploits: 0 | References: 6
Positive Technologies
added 2026/03/06 12:0 a.m. | 2 views

PT-2026-23669

QuickCMS is vulnerable to Cross-Site Request Forgery across multiple endpoints. An attacker can craft special website, which when visited by the victim, will automatically send a POST request with victim's privileges. This software does not implement any protection against this type of attack. Al...

CVSS 5.1 | AI score 5.8 | EPSS 0.00009
Exploits: 0 | References: 3
GithubExploit
added 2026/02/16 10:33 a.m. | 8 views

security-research

Security Research This project hosts security advisories and...

AI score 5.5
Exploits: 0
ATTACKERKB
added 2026/02/11 7:54 a.m. | 3 views

CVE-2025-10912

Authorization Bypass Through User-Controlled Key vulnerability in Saastech Cleaning and Internet Services Inc. TemizlikYolda allows Manipulating User-Controlled Variables. This issue affects TemizlikYolda: through 11022026. NOTE: The vendor was contacted early about this disclosure but did not...

CVSS 5.4 | AI score 5.4 | EPSS 0.00053
Exploits: 0 | References: 3
ATTACKERKB
added 2026/02/03 12:15 p.m. | 2 views

CVE-2025-6397

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about this disclosure but did...

CVSS 8.6 | AI score 5.4 | EPSS 0.00082
Exploits: 0 | References: 3
CVE
added 2026/01/29 5:2 p.m. | 8 views

CVE-2026-1598

CVE-2026-1598 affects Bdtask Bhojon All-In-One Restaurant Management System (up to 20260116). The vulnerability lies in the User Information Module, specifically the /dashboard/home/profile function, where manipulating the fullname argument triggers cross-site scripting. The issue is exploitable ...

CVSS 5.4 | AI score 4.3 | EPSS 0.00049
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2026/01/28 2:32 p.m. | 28 views

CVE-2026-1520 rethinkdb Secondary Index cross site scripting

A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be use...

CVSS 4.8 | EPSS 0.00055
Exploits: 0 | References: 5
Positive Technologies
added 2026/01/27 12:0 a.m. | 5 views

PT-2026-4913

A vulnerability in the Pix-Link LV-WR21Q router's language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing a non-existing language parameter. This renders the server unable to serve the correct lang.js file, which causes...

CVSS 6.9 | AI score 6 | EPSS 0.00226
Exploits: 0 | References: 4
RedhatCVE
added 2026/01/13 10:53 p.m. | 3 views

CVE-2025-15496

A vulnerability was determined in guchengwuyue yshopmall up to 1.9.1. Affected is the function getPage of the file /api/jobs. This manipulation of the argument sort causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project...

CVSS 9.8 | AI score 7.1 | EPSS 0.00024
Exploits: 1 | References: 1
NVD
added 2025/12/18 3:16 p.m. | 3 views

CVE-2025-65010

WODESYS WD-R608U router also known as WDR122B V2.0 and WDR28 is vulnerable to Broken Access Control in initial configuration wizard.cgi endpoint. Malicious attacker can change admin panel password without authorization. The vulnerability can also be exploited after the initial configuration has...

CVSS 7.1 | EPSS 0.00022
Exploits: 0 | References: 3
Positive Technologies
added 2025/10/27 12:0 a.m. | 2 views

PT-2025-43962

Name of the Vulnerable Software and Affected Versions: Bdtask Wholesale Inventory Control and Inventory Management System versions prior to 20251014. Description: A security issue exists in Bdtask Wholesale Inventory Control and Inventory Management System. Manipulation of the first name and last na...

CVSS 7.2 | AI score 5 | EPSS 0.0001
Exploits: 1 | References: 7
Packet Storm News
added 2025/10/14 12:0 a.m. | 3 views

Hash Chaining Degrades Security at Facebook

Modern web and digital application password storage relies on password hashing for storage and security. Ad-hoc upgrade of password storage to keep up with hash algorithm norms may be used to save costs but can introduce unforeseen vulnerabilities. This is the case in the password storage scheme...

AI score 6.9
Exploits: 0
Hacker One
added 2025/10/10 12:36 p.m. | 9 views

lemlist: Unauthorized Password Reset Allows Account Takeover Across Tenant Boundaries

An authorization issue was discovered in the application that allowed a tenant admin to change the password of another user within the same tenant, including invited agency accounts. The victim had to first accept the invitation before the attacker could proceed. The issue could allow unintended...

AI score 7
Exploits: 0
GithubExploit
added 2025/10/07 12:56 p.m. | 112 views

security-research

Security Research This project hosts security advisories and...

AI score 6.8
Exploits: 0
EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2025-10847

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 4.9 | EPSS 0.00313
Exploits: 1 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-14249

Malicious code in bioql PyPI...

CVSS 5.3 | AI score 4.9 | EPSS 0.00198
Exploits: 0 | References: 3
EUVD
added 2025/10/03 8:7 p.m. | 4 views

EUVD-2025-7536

Malicious code in bioql PyPI...

CVSS 6.1 | AI score 4.8 | EPSS 0.00159
Exploits: 1 | References: 4
GithubExploit
added 2025/09/09 2:4 a.m. | 110 views

security-research

Security Research This project hosts security advisories and...

AI score 6.8
Exploits: 0
Cvelist
added 2025/08/20 12:52 p.m. | 4 views

CVE-2025-54172 Stored Cross-Site Scripting in QuickCMS

QuickCMS is vulnerable to Stored XSS in sTitle parameter in page editor functionality. Malicious attacker with admin privileges can inject arbitrary HTML and JS into website, which will be rendered/executed when visiting edited page. Regular admin user is not able to inject any JS scripts into th...

CVSS 4.8 | EPSS 0.00048
Exploits: 0 | References: 2