EUVD-2022-55998

An inclusion of functionality from untrusted control sphere vulnerability in OpenSSL configuration in Synology Active Backup for Business Recovery Media Creator before 2.5.0-2081 allows local users to execute arbitrary code via unspecified vectors...

PT-2026-40796

Name of the Vulnerable Software and Affected Versions Garmin WDU version 1.4.6 Garmin WDU version 5.0 Description The locally served web site allows a cross-site origin WebSocket hijacking attack. The system utilizes WebSockets to manage settings, including administrative configurations, which...

CVE-2026-40563 Apache Atlas: Script injection allows access to unintended data

Description: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data Affect...

EUVD-2026-26719

A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function formatplugins of the file .claude/skills/ui-styling/scripts/tailwindconfiggen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attac...

PT-2026-36547

Name of the Vulnerable Software and Affected Versions nextlevelbuilder ui-ux-pro-max-skill versions prior to 2.5.1 Description A flaw in the Tailwind Config Generator component allows remote code injection. The issue exists within the format plugins function located in the...

PT-2026-36548

Name of the Vulnerable Software and Affected Versions nextlevelbuilder ui-ux-pro-max-skill versions prior to 2.5.1 Description A remote cross-site scripting issue exists in the Slide Generator component. The problem occurs within the data.get function of the...

EUVD-2026-26005

The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0 This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated...

dynamic-datasource-spring-boot-starter 注入漏洞

dynamic-datasource-spring-boot-starter is a fast integration multi-data-source starter developed by baomidou under the Open Source project. Version 2.5.0 of dynamic-datasource-spring-boot-starter contains an injection vulnerability. This vulnerability stems from improper handling of the...

CVE-2025-15632 1Panel-dev MaxKB MdPreview chat.ts cross site scripting

A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used...

PYSEC-2026-59

Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets /emmett paths is vulnerable to path traversal attacks. An attacker can use ../ sequences eg /emmett/../rsgi/handlers.py to read arbitrary files...

CLEANSTART-2026-LS00044 Security fixes for CVE-2025-47911, CVE-2025-47913, CVE-2025-47914, CVE-2025-54410, CVE-2025-58181, CVE-2025-58190, CVE-2025-61726, CVE-2025-61727, CVE-2025-61728, CVE-2025-61729, CVE-2025-61730, CVE-2025-68121, CVE-2026-1229, CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186 applied in versions: 2.3.2-r4, 2.3.2-r5, 2.4.4-r2, 2.5.0-r0, 2.5.0-r1

Multiple security vulnerabilities affect the openbao-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

EUVD-2026-17429

Stored cross-site scripting XSS in Checkmk 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature...

CVE-2026-20915

Checkmk CVE-2026-20915 describes a stored XSS in the Pending Changes sidebar affecting Checkmk 2.5.0 (beta) before 2.5.0b2. An authenticated user with permission to create pending changes can inject JavaScript, which then executes in the browsers of other users viewing the sidebar. Impact per CVS...

CVE-2025-9497

The CVE-2025-9497 entry concerns Microchip Time Provider 4100 (before 2.5.0) with a hard-coded upgrade decryption password vulnerability that enables a malicious manual software update. The affected component is the upgrade/decryption mechanism, due to hard-coded credentials, which can be exploit...

PT-2026-28307

Name of the Vulnerable Software and Affected Versions Microchip Time Provider 4100 versions prior to 2.5.0 Description A use of hard-coded credentials issue exists in Microchip Time Provider 4100, potentially allowing for malicious manual software updates. Recommendations Update Microchip Time...

Microchip Time Provider 4100 安全漏洞

Microchip Time Provider 4100 is a precision time gateway developed by the American company Microchip. Versions of Microchip Time Provider 4100 prior to version 2.5.0 contained security vulnerabilities. These vulnerabilities stemmed from the use of hard-coded credentials, which could lead to...

CVE-2021-27933

pfSense 2.5.0 allows XSS via the serviceswoledit.php Description field...

CVE-2026-22324

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through 2.5.0...

EUVD-2026-15954

n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no...

GHSA-43V7-FP2V-68F6 n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no

Impact When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key,...