54 matches found

Cvelist
added 2026/05/15 4:13 p.m., 34 views

CVE-2026-41258 OpenMRS: Stored Velocity SSTI to RCE via ConceptReferenceRange

OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The...

9.1 CVSS, 0.00057 EPSS
Exploits: 0, References: 1

Positive Technologies
added 2026/05/04 12:0 a.m., 4 views

PT-2026-36946

Name of the Vulnerable Software and Affected Versions: openmrs-api versions prior to 2.7.9; openmrs-api versions prior to 2.8.6. Description: Server-side template injection (SSTI) occurs via Velocity, which allows for remote code execution (RCE). SSTI is a flaw where an attacker can inject malicious code...

9.1 CVSS, 6.5 AI score, 0.00057 EPSS
Exploits: 0, References: 12

Patchstack
added 2026/04/14 11:36 a.m., 1 views

WordPress Team Slider and Team Grid Showcase plus Team Carousel plugin <= 2.8.6 - Backdoor vulnerability

Backdoor vulnerability discovered by ? in WordPress Plugin Team Slider and Team Grid Showcase plus Team Carousel versions <= 2.8.6...

5.8 AI score
Exploits: 0, References: 1, Affected Software: 1

Snyk
added 2026/04/13 12:31 p.m., 1 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the TGT credential field via the Nimbus Thrift API, due to deserialization of base64-encoded data using ObjectInputStream.readObject without class filtering or validation. A user with topology...

8.8 CVSS, 6.5 AI score, 0.00268 EPSS
Exploits: 0, References: 2

CNNVD
added 2026/04/13 12:0 a.m., 4 views

Apache Storm security vulnerability

Apache Storm is an open-source distributed real-time computing system developed by the Apache Foundation in the United States using the concurrent programming language Clojure. Versions of Apache Storm prior to 2.8.6 contained a security vulnerability. This vulnerability stemmed from the fact tha...

5.4 CVSS, 5.6 AI score, 0.0001 EPSS
Exploits: 0, References: 2

ATTACKERKB
added 2026/03/12 2:22 a.m., 0 views

CVE-2026-3657

The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the stickymenucontactleadform AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in $wpdb->insert. While...

7.5 CVSS, 5.8 AI score, 0.00153 EPSS
Exploits: 0, References: 7

VulnCheck KEV
added 2026/03/12 12:0 a.m., 3 views

VulnCheck KEV: CVE-2026-3657

The My Sticky Bar plugin for WordPress is vulnerable to SQL injection via the stickymenucontactleadform AJAX action in all versions up to, and including, 2.8.6. This is due to the handler using attacker-controlled POST parameter names directly as SQL column identifiers in $wpdb->insert. While...

7.5 CVSS, 5.9 AI score, 0.00153 EPSS
In wild, Exploits: 0, References: 2

CNNVD
added 2026/01/08 12:0 a.m., 2 views

WordPress plugin Lobo security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

8.5 CVSS, 7.7 AI score, 0.00057 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/12/12 3:11 p.m., 2 views

CVE-2025-66527

Missing Authorization vulnerability in VanKarWai Lobo lobo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lobo: from n/a through <= 2.8.6...

4.3 CVSS, 7 AI score, 0.00055 EPSS
Exploits: 0, References: 1

OSV
added 2025/12/11 5:15 p.m., 1 views

CVE-2025-65474

An arbitrary file rename vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via renaming a PHP file to a SVG format...

9.8 CVSS, 7.8 AI score
Exploits: 0, References: 2

NVD
added 2025/12/11 5:15 p.m., 2 views

CVE-2025-65471

An arbitrary file upload vulnerability in the /admin/manager.php component of EasyImages 2.0 v2.8.6 and below allows attackers to execute arbitrary code via uploading a crafted PHP file...

8.8 CVSS, 0.00068 EPSS
Exploits: 1, References: 2

NVD
added 2025/12/11 5:15 p.m., 1 views

CVE-2025-65473

An arbitrary file rename vulnerability in the /admin/filer.php component of EasyImages 2.0 v2.8.6 and below allows attackers with Administrator privileges to execute arbitrary code via injecting a crafted payload into an uploaded file name...

9.1 CVSS, 0.00125 EPSS
Exploits: 1, References: 2

Cvelist
added 2025/12/01 10:28 p.m., 5 views

CVE-2025-66410 Gin-vue-admin has an arbitrary file deletion vulnerability

Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder...

8.7 CVSS, 0.00149 EPSS
Exploits: 1, References: 2

Vulnrichment
added 2025/12/01 10:28 p.m., 2 views

CVE-2025-66410 Gin-vue-admin has an arbitrary file deletion vulnerability

Gin-vue-admin is a backstage management system based on vue and gin. In 2.8.6 and earlier, attackers can delete any file on the server at will, causing damage or unavailability of server resources. Attackers can control the 'FileMd5' parameter to delete any file and folder...

8.7 CVSS, 6.2 AI score, 0.00149 EPSS
Exploits: 1, References: 2

CNNVD
added 2025/12/01 12:0 a.m., 2 views

Gin-Vue-Admin path traversal vulnerability

Gin-Vue-Admin is flipped-aurora's open source full-stack predevelopment infrastructure platform based on Vue and Gin. A path traversal vulnerability exists in Gin-Vue-Admin version 2.8.6 and earlier, which stems from an attacker being able to control the FileMd5 parameter to delete...

9.1 CVSS, 6.6 AI score, 0.00149 EPSS
Exploits: 1, References: 3

Patchstack
added 2025/11/14 1:53 p.m., 3 views

WordPress Lobo theme <= 2.8.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Lobo versions <= 2.8.6...

4.3 CVSS, 7 AI score, 0.00055 EPSS
Exploits: 0, Affected Software: 1

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2023-56906

Malicious code in bioql PyPI...

9.8 CVSS, 6.5 AI score, 0.00158 EPSS
Exploits: 0, References: 1

EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-17515

Malicious code in bioql PyPI...

7.1 CVSS, 7 AI score, 0.00226 EPSS
Exploits: 0, References: 2

EUVD
added 2025/10/03 8:7 p.m., 1 views

EUVD-2024-40166

Malicious code in bioql PyPI...

5.8 CVSS, 6.6 AI score, 0.00261 EPSS
Exploits: 0, References: 1

RedhatCVE
added 2025/05/23 8:20 a.m., 2 views

CVE-2024-10486

The Google for WooCommerce plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.8.6. This is due to publicly accessible printphpinformation.php file. This makes it possible for unauthenticated attackers to retrieve information about Webserver and PH...

5.3 CVSS, 5.6 AI score, 0.05356 EPSS
Exploits: 0, References: 1