CVE-2026-27937

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

Electerm runWidget has a path traversal that leads to arbitrary code execution

Impact The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation: javascript const file = widget-$widgetId.js const widget = requirepath.joindirname, file Because runWidget is exposed to the...

GHSA-F77V-9VPC-6PJM Electerm runWidget has a path traversal that leads to arbitrary code execution

Impact The runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation: javascript const file = widget-$widgetId.js const widget = requirepath.joindirname, file Because runWidget is exposed to the...

EUVD-2026-28512

Electerm runWidget has a path traversal that leads to arbitrary code execution...

NPM: Electerm runWidget has a path traversal that leads to arbitrary code execution

NPM: Electerm runWidget has a path traversal that leads to arbitrary code execution vulnerability discovered by ? in WordPress Npm electerm versions 3.7.16...

CVE-2026-43940

CVE-2026-43940 affects the electerm client. The runWidget function in src/app/widgets/load-widget.js builds a file path by concatenating user‑supplied widget identifiers without sanitisation, and runWidget is exposed to the renderer via an asynchronous IPC handler with no input validation. This e...

CVE-2026-43940

electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to version 3.7.16, the runWidget function in src/app/widgets/load-widget.js constructs a file path by directly concatenating user‑supplied widget identifiers without any sanitisation. Because runWidget...

October CMS: Reflected XSS via DataTable Form Widget

A reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. Impact - Reflected XSS only, no stored/persistent component - The backend URL prefix is customizable and must be known or guessed ...

CVE-2026-27937

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

CVE-2026-27937

CVE-2026-27937 concerns the October CMS platform. Affected versions prior to 3.7.16 and 4.1.16 have a vulnerability in the backend DataTable widget where a query parameter is rendered without proper output escaping, resulting in a reflected Cross-Site Scripting (XSS) condition. The root cause is ...

CVE-2026-27937 October: Reflected XSS via DataTable Form Widget

October is a Content Management System CMS and web platform. Prior to 3.7.16 and 4.1.16, a reflected Cross-Site Scripting XSS vulnerability was identified in the backend DataTable widget where a query parameter was rendered without proper output escaping. This vulnerability is fixed in 3.7.16 and...

PT-2026-34005

Name of the Vulnerable Software and Affected Versions October versions prior to 3.7.16 October versions prior to 4.1.16 Description Fine-grained sub-permission checks for asset and blueprint file operations were not enforced in the CMS and Tailor editor extensions. This allows backend users who...

October 安全漏洞

October is an open-source content management system CMS and network platform developed by October. Versions prior to October 3.7.16 and 4.1.16 contained security vulnerabilities. These vulnerabilities stemmed from the lack of strict fine-grained sub-permissions checks, which could allow backend...

WordPress ShoppyStore theme <= 3.7.16 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds Patchstack Alliance in WordPress Theme ShoppyStore versions = 3.7.16...

Python DoS Vulnerability (Oct 2022) - Linux

Python is prone to a denial of service DoS vulnerability. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:python:python";...

Python <= 3.10.x Buffer Overflow Vulnerability - Linux

Python is prone to a buffer overflow vulnerability in the sha3 module. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Python Shell Command Injection Vulnerability (bpo-24778) - Linux

Python is prone to a shell command injection vulnerability in the mailcap module. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

Python Shell Command Injection Vulnerability (bpo-24778) - Windows

Python is prone to a shell command injection vulnerability in the mailcap module. SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...