Leantime < 2.4 - Authenticated SQL Injection
Leantime is an open source project management system. A 'userId' variable in app/domain/files/repositories/class.files.php is not parameterized. An authenticated attacker can send a carefully crafted POST request to /api/jsonrpc to exploit an SQL injection vulnerability. Confidentiality is impact...
Astra Linux - vulnerability in json-smart
A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4, which causes a denial of service (DoS) through a crafted web request...
CVE-2025-39666
CVE-2025-39666 affects Checkmk in multiple versions: 2.2.0 (EOL), 2.3.0 before 2.3.0p46, 2.4.0 before 2.4.0p25, and 2.5.0 beta before 2.5.0b3. A site user can escalate to root by manipulating files in the site context that are processed when the omd command is run by root. This yields a local pri...
CVE-2026-21294
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by a Server-Side Request Forgery (SSRF) vulnerability that could result in a Security feature bypass. A high-privileged attacker could exploit this vulnerability to manipulate...
CVE-2026-21309
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to bypass security measures and gain...
CVE-2026-26306
The installer for OM Workspace Windows Edition Ver 2.4 and earlier insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the user invoking the installer...
PT-2026-27641
Name of the Vulnerable Software and Affected Versions: OM Workspace versions 2.4 and earlier. Description: The installer for OM Workspace Windows Edition insecurely loads Dynamic Link Libraries (DLLs). This could allow an attacker to execute arbitrary code with the privileges of the user running the...
CVE-2026-27838 wger: IDOR via user-unscoped cache keys on routine API actions exposes workout data
wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling self.getobject. In versions up to and including 2.4, cache keys are scoped only by pk — no user ID is included. When a victim has previously accessed their routine via the API...
CVE-2026-1043
The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...
CVE-2026-1043 PostmarkApp Email Integrator <= 2.4 - Authenticated (Administrator+) Stored Cross-Site Scripting via Plugin Settings
The PostmarkApp Email Integrator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in versions up to, and including, 2.4. This is due to insufficient input sanitization and output escaping on the pmaapikey and pmasenderaddress parameters. This makes it...
RHSA-2026:1497 Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update
Bulletin has no description...
Adobe Commerce - Authentication Bypass
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high...
EUVD-2021-34761
Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the 'id' parameter to execute malicious SQL commands and compromise the database management system...
CVE-2025-68899 WordPress Vivagh theme <= 2.4 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4...
PT-2026-4101
Name of the Vulnerable Software and Affected Versions: designthemes Vivagh versions through 2.4. Description: The software contains a flaw due to deserialization of untrusted data, which allows for object injection. This could potentially allow an attacker to compromise the system. Recommendations: A...
CVE-2026-0741
The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
PT-2026-2843
The Electric Studio Download Counter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
MiracleLinux 4 : spice-xpi-2.4-1.AXS4.2 (AXSA:2011-154:01)
The remote MiracleLinux 4 host has a package installed that is affected by multiple vulnerabilities as referenced in the AXSA:2011-154:01 advisory. SPICE extension for mozilla allows the client to be used from a web browser. Security issues fixed with this release: CVE-2011-0012 CVE-2011-1179 No...
OPENSUSE-SU-2026:10041-1 libsoup-2_4-1-2.74.3-14.1 on GA media
These are all security issues fixed in the libsoup-2_4-1-2.74.3-14.1 package on the GA media of openSUSE Tumbleweed...
CVE-2021-41920
webTareas version 2.4 and earlier allows an unauthenticated user to perform Time and Boolean-based blind SQL Injection on the endpoint /includes/library.php, via the sorcible, sorchamps, and sorordre HTTP POST parameters. This allows an attacker to access all the data in the database and obtain...