CVE-2026-6041

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

EUVD-2026-24698

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2026-6041 Buzz Comments <= 0.9.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Custom Buzz Avatar' Setting

The Buzz Comments plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Custom Buzz Avatar' buzzcommentsavatarimage setting in all versions up to, and including, 0.9.4. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticate...

CVE-2025-23911

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in solidres Solidres – Hotel booking plugin solidres allows SQL Injection.This issue affects Solidres – Hotel booking plugin: from n/a through = 0.9.4...

WordPress Solidres plugin <= 0.9.4 - Reflected XSS vulnerability

Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Solidres – Hotel booking plugin versions = 0.9.4...

CVE-2025-66553

Nextcloud Tables allows you to create your own tables with individual columns. Prior to 0.8.7 and 0.9.4, authenticated users were able to view meta data of columns in other tables of the Tables app by modifying the numeric ID in a request. This vulnerability is fixed in 0.8.7 and 0.9.4...

CVE-2025-66553

Summary: Nextcloud Tables prior to 0.8.7 and 0.9.4 allows authenticated users to view column metadata of other tables by altering the numeric ID in a request, causing information disclosure. The issue is fixed in 0.8.7 and 0.9.4. Remediation: upgrade Nextcloud Tables to version 0.8.7 or later, or...

CVE-2025-61784

LLaMA-Factory's chat API contains SSRF and LFI in the _process_request function (src/llamafactory/api/chat.py). For image_url, video_url, and audio_url, if a URL is not a base64 data URI or local file path, the code fetches the URL with requests.get(url, stream=True).raw without validation, enabl...

EUVD-2005-4824

Malware in sbrugna...

LLaMA-Factory 安全漏洞

LLaMA-Factory is a fine-tuned large-scale language model by a Chinese hoshi-hiyouga individual developer. A security vulnerability exists in LLaMA-Factory versions prior to 0.9.4, which stems from the processrequest function not validating or cleaning up URLs, which could lead to server-side...

EUVD-2023-36359

Malicious code in bioql PyPI...

PT-2025-35657

Name of the Vulnerable Software and Affected Versions Dive versions 0.9.0 through 0.9.3 Description Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. Versions 0.9.0 through 0.9.3 contain a Remote Code Execution RCE vulnerability triggered by ...

Linux Distros Unpatched Vulnerability : CVE-2017-6849

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The PoDoFo::PdfColorGray::PdfColorGray function in PdfColor.cpp in PoDoFo 0.9.4 allows remote attackers to cause a denial of service NULL pointer dereference vi...

CVE-2023-32091

Cross-Site Request Forgery CSRF vulnerability in POEditor plugin = 0.9.4 versions...

CVE-2023-1377

The Solidres WordPress plugin through 0.9.4 does not sanitise and escape numerous parameter before outputting them back in pages, leading to Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2023-1374

The Solidres plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'currencyname' parameter in versions up to, and including, 0.9.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with administrator privileges to...

WordPress Dropdown Multisite selector plugin < 0.9.4 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by muhammad yudha in WordPress Plugin Dropdown Multisite selector versions 0.9.4...

CVE-2025-23847

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in saill Site Launcher site-launcher allows Reflected XSS.This issue affects Site Launcher: from n/a through = 0.9.4...

WordPress plugin Site Launcher 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...

WordPress plugin marekki Marekkis Watermark 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...