
113 matches found

Positive Technologies
added 2026/05/24 12:0 a.m. | 9 views

PT-2026-42931

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password...

CVSS 6.3 | AI score 5.1 | EPSS 0.00019
Exploits: 0 | References: 6
Positive Technologies
added 2026/05/12 12:0 a.m. | 5 views

PT-2026-40271

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS 8.5 | AI score 5.7 | EPSS 0.00042
Exploits: 1 | References: 4
ATTACKERKB
added 2026/05/09 3:48 a.m. | 8 views

CVE-2026-42295

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

CVSS 8.5 | AI score 5.7 | EPSS 0.00042
Exploits: 1 | References: 3 | Affected Software: 1
CVE
added 2026/05/09 3:42 a.m. | 9 views

CVE-2026-42297

CVE-2026-42297 concerns Argo Workflows, where the Sync Service's ConfigMap-backed provider (server/sync/sync_cm.go) allows zero authorization checks on all CRUD operations. From 4.0.0 up to just before 4.0.5, any authenticated user (including fake Bearer tokens) could create, read, update, or del...

CVSS 8.5 | AI score 5.7 | EPSS 0.00014
Exploits: 1 | References: 3 | Affected Software: 1
Cvelist
added 2026/04/08 8:30 a.m. | 17 views

CVE-2026-39707 WordPress Accept PayPal Payments using Contact Form 7 plugin <= 4.0.4 - Broken Access Control vulnerability

Missing Authorization vulnerability in ZealousWeb Accept PayPal Payments using Contact Form 7 contact-form-7-paypal-extension allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Accept PayPal Payments using Contact Form 7: from n/a through <= 4.0.4...

CVSS 5.3 | EPSS 0.0004
Exploits: 0 | References: 1
CVE
added 2026/02/04 8:25 p.m. | 5 views

CVE-2026-0944

The CVE-2026-0944 entry concerns Drupal Group Invite. Affected: Drupal Group invite module versions before 2.3.9, before 3.0.4, and before 4.0.4. Description: an improper check for unusual or exceptional conditions enables forceful browsing, effectively an access-bypass vulnerability. Impact: una...

CVSS 5.3 | AI score 5.3 | EPSS 0.00043
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/02/04 8:25 p.m. | 2 views

CVE-2026-0944 Group invite - Moderately critical - Access bypass - SA-CONTRIB-2026-001

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4...

AI score 5.3 | EPSS 0.00043
Exploits: 0 | References: 1
RedhatCVE
added 2026/02/04 7:28 p.m. | 1 views

CVE-2026-23794

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...

CVSS 6.8 | AI score 5.4 | EPSS 0.00038
Exploits: 0 | References: 1
CNNVD
added 2026/02/04 12:0 a.m. | 2 views

Drupal Group invite security vulnerability

Drupal Group invite is a membership invitation module provided by the Drupal company. Versions prior to 2.3.9, 3.0.4, and 4.0.4 of Drupal Group invite contained security vulnerabilities. These vulnerabilities were due to improper exception condition checks, which could lead to forced browsing...

CVSS 5.3 | AI score 5.8 | EPSS 0.00043
Exploits: 0 | References: 2
NVD
added 2026/02/03 4:16 p.m. | 4 views

CVE-2026-23794

Reflected XSS in Apache Syncope's Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user's credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are...

CVSS 6.8 | EPSS 0.00038
Exploits: 0 | References: 2
Cvelist
added 2026/02/03 3:14 p.m. | 21 views

CVE-2026-23795 Apache Syncope: Console XXE on Keymaster parameters

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage. Th...

EPSS 0.00101
Exploits: 0 | References: 1
NVD
added 2026/01/27 9:15 a.m. | 3 views

CVE-2026-1464

Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager app/src/main/java/org/apache/commons/compress/archivers/tar modules. This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4...

CVSS 4.6 | EPSS 0.00027
Exploits: 0 | References: 1
ATTACKERKB
added 2026/01/27 8:18 a.m. | 1 views

CVE-2026-1464

Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager app/src/main/java/org/apache/commons/compress/archivers/tar modules. This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4...

CVSS 4.6 | AI score 5.9 | EPSS 0.00027
Exploits: 0 | References: 2
RedhatCVE
added 2026/01/23 9:16 p.m. | 4 views

CVE-2025-68558

Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4...

CVSS 6.5 | AI score 5.4 | EPSS 0.00049
Exploits: 0 | References: 1
CVE
added 2026/01/22 4:52 p.m. | 3 views

CVE-2025-68558

CVE-2025-68558: A missing/incorrect authorization control in averta Depicter Slider (Depicter) allows unauthorized access due to misconfigured access control levels. Affected: Depicter Slider up to and including version 4.0.4. Impact/notes: CVSS 3.1 base score 6.5 (Medium); attack vector Network...

CVSS 6.5 | AI score 5.4 | EPSS 0.00049
Exploits: 0 | References: 1
UbuntuCve
added 2026/01/22 3:15 a.m. | 5 views

CVE-2026-24001

jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, 4.0.4, and 3.5.1, attempting to parse a patch whose filename headers contain the line break characters \r, \u2028, or \u2029 can cause the parsePatch method to enter an infinite loop. It then consumes memory...

CVSS 7.5 | AI score 6.2 | EPSS 0.00023
Exploits: 0 | References: 5
RedhatCVE
added 2026/01/09 11:12 a.m. | 6 views

CVE-2016-10705

The Jetpack plugin before 4.0.4 for WordPress has XSS via the Likes module...

CVSS 6.1 | AI score 6 | EPSS 0.00207
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/09 10:34 a.m. | 4 views

CVE-2017-18608

The spotim-comments plugin before 4.0.4 for WordPress has multiple XSS issues...

CVSS 6.1 | AI score 6.2 | EPSS 0.0021
Exploits: 0 | References: 1
RedhatCVE
added 2025/12/06 9:37 a.m. | 3 views

CVE-2025-13739

The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cryptx shortcode in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 | AI score 6.1 | EPSS 0.00046
Exploits: 0 | References: 1
Vulnrichment
added 2025/12/05 9:27 a.m. | 1 views

CVE-2025-13739 CryptX <= 4.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting

The CryptX plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's cryptx shortcode in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, wi...

CVSS 6.4 | AI score 6 | EPSS 0.00046
Exploits: 0 | References: 6