CVE-2026-41683 HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which ...

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters

Summary Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.loadlanguages, namespaces, … without any sanitisation. Depending on which backend is configured, the unvalidated path...

PT-2026-37150

Name of the Vulnerable Software and Affected Versions i18next-http-middleware versions prior to 3.9.3 Description An unauthenticated HTTP client can pollute Object.prototype in the Node.js process hosting the middleware. This occurs via two unvalidated entry points: getResourcesHandler and...

SUSE CVE-2026-33230

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, nltk.app.wordnetapp contains a reflected cross-site scripting issue in the lookup... route. A crafted...

CVE-2026-33236

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

CVE-2026-33236 NLTK has a Downloader Path Traversal Vulnerability (AFO) - Arbitrary File Overwrite

NLTK Natural Language Toolkit is a suite of open source Python modules, data sets, and tutorials supporting research and development in Natural Language Processing. In versions 3.9.3 and prior, the NLTK downloader does not validate the subdir and id attributes when processing remote XML index...

Heap-based Buffer Overflow

Overview Biosig is a BioSig - tools for biomedical signal processing Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the Intan CLP parsing functionality. An attacker can execute arbitrary code by supplying a specially crafted Intan CLP file. Remediation Upgrade...

Heap-based Buffer Overflow

Overview Biosig is a BioSig - tools for biomedical signal processing Affected versions of this package are vulnerable to Heap-based Buffer Overflow in the Nicolet WFT parsing functionality. An attacker can execute arbitrary code by supplying a specially crafted .wft file. PoC A heap-based buffer...

CVE-2025-14067

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve...

PT-2026-8046

The Easy Form Builder plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on multiple AJAX actions in all versions up to, and including, 3.9.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve...

CVE-2025-13628

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulkactionhandler' and 'couponpermanentdelete' functions in all versions up to, and including, 3.9.3. This makes it...

CVE-2025-13934

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the courseenrollment AJAX handler. This makes it possib...

CVE-2025-13628

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized modification and deletion of data due to a missing capability check on the 'bulkactionhandler' and 'couponpermanentdelete' functions in all versions up to, and including, 3.9.3. This makes it...

CVE-2025-13934 Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the courseenrollment AJAX handler. This makes it possib...

CVE-2025-13934

CVE-2025-13934 (Tutor LMS for WordPress) : The WordPress Tutor LMS plugin (versions up to 3.9.3) is affected by a missing capability check and purchasability validation in the course_enrollment() AJAX handler, enabling authenticated users with Subscriber+ to enroll in any course outside the prope...

CVE-2025-13934 Tutor LMS – eLearning and online course solution <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Course Enrollment Bypass

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course enrollment in all versions up to, and including, 3.9.3. This is due to a missing capability check and purchasability validation in the courseenrollment AJAX handler. This makes it possib...

WordPress plugin Tutor LMS – eLearning and online course solution 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. WordPress is a blogging platform developed using the PHP language, with the ability to host personal blog sites on PHP and MySQL based servers.WordPress...

WordPress Tutor LMS - eLearning and online course solution plugin <= 3.9.3 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Coupon Modification vulnerability

WordPress Tutor LMS - eLearning and online course solution plugin = 3.9.3 - Missing Authorization to Authenticated Subscriber+ Arbitrary Coupon Modification vulnerability discovered by Supakiad S. m3ez - E-CQURITY Thailand in WordPress Plugin Tutor LMS versions = 3.9.3...

CVE-2025-64251

Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through = 3.9.3...

CVE-2025-64251

Missing Authorization vulnerability in azzaroco Ultimate Learning Pro indeed-learning-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Learning Pro: from n/a through = 3.9.3...