CVE-2026-23478

Cal.com is open-source scheduling software. From 3.1.6 to before 6.0.7, there is a vulnerability in a custom NextAuth JWT callback that allows attackers to gain full authenticated access to any user's account by supplying a target email address via session.update. This vulnerability is fixed in...

CVE-2026-23478

Cal.com CVE-2026-23478 affects versions 3.1.6–6.0.6. Root cause: improper server-side validation in a custom NextAuth JWT callback that trusts client-supplied data during session.update(), enabling an unauthenticated attacker to fully impersonate any user. Impact: total account takeover with acce...

CVE-2025-69021

CVE-2025-14998 (Branda – White Label & Branding, Free Login Page Customizer) : Unauthenticated privilege escalation via account takeover. CVSS 9.8 (Critical). Affected software: Branda – White Label & Branding, Free Login Page Customizer (

PT-2025-53902

Name of the Vulnerable Software and Affected Versions Ays Pro Popup box versions through 6.0.7 Description A Cross-Site Request Forgery issue exists in Ays Pro Popup box. This allows attackers to perform actions on behalf of an unsuspecting user. The issue affects the Popup box component...

DRUPAL-CONTRIB-2025-114

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...

Simple OAuth (OAuth2) & OpenID Connect - Critical - Access bypass - SA-CONTRIB-2025-114

This module introduces an OAuth 2.0 authorization server, which can be configured to protect your Drupal instance with access tokens, or allow clients to request new access tokens and refresh them. The module doesn't sufficiently respect granted scopes, it affects all access checks that are based...

EUVD-2020-15804

Malware in sbrugna...

CVE-2024-56063

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPDeveloper Essential Addons for Elementor essential-addons-for-elementor-lite allows Stored XSS.This issue affects Essential Addons for Elementor: from n/a through = 6.0.7...

CVE-2025-32508

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in ComMotion Course Booking System course-booking-system allows Reflected XSS.This issue affects Course Booking System: from n/a through = 6.1.2...

WordPress plugin Course Booking System 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform supports personal blog sites on servers running PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting vulnerability...

PT-2024-36698 · Wpdeveloper · Wpdeveloper Essential Addons For Elementor

Name of the Vulnerable Software and Affected Versions: WPDeveloper Essential Addons for Elementor versions through 6.0.7 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that a...

WordPress plugin Essential Addons for Elementor 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

WordPress plugin Essential Addons for Elementor 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

Promptr 安全漏洞

Promptr is a CLI tool by the individual developer Ferris Lucas. Allows the use of plain English to instruct the OpenAI LLM model to make changes to the code base. A security vulnerability exists in Promptr version v6.0.7, which stems from the presence of a Remote Command Execution RCE vulnerabili...

WordPress 6.0.x < 6.0.7 Multiple Vulnerabilities

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities : - A PHP file upload bypass via Plugin Installer requiring admin privileges. - An RCE POP Chains vulnerability. Note that the scanner has not tested for these issues but has...

ai.optfor:spring-openai-api (>=0.1.3 <=0.3.25), ai.superstream:spring-kafka (=3.0.1-alpha1) +8811 more potentially affected by CVE-2023-20863 via org.springframework:spring-expression (>=6.0.0 <=6.0.7)

org.springframework:spring-expression MAVEN version =6.0.0, =0.1.3, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.1.0, =0.0.2, =0.0.6, =0.0.6, =1.3.0, =4.5.0, =4.0.0, =4.0.3 - be.jidoka:jdk-keycloak-admin =2.0.0 and more Source cves: CVE-2023-20863 Source advisory: OSV:GHSA-WXQC-PXW9-G2P8...

GHSA-M9MF-RQX6-2XPC ThinkCMF Stored Cross-Site Scripting (XSS)

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting XSS. An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's...

ThinkCMF Stored Cross-Site Scripting (XSS)

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting XSS. An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's...

CVE-2022-40489

ThinkCMF version 6.0.7 is affected by a Cross Site Request Forgery CSRF vulnerability that allows a Super Administrator user to be injected into administrative users...

CVE-2022-40849

ThinkCMF version 6.0.7 is affected by Stored Cross-Site Scripting XSS. An attacker who successfully exploited this vulnerability could inject a Persistent XSS payload in the Slideshow Management section that execute arbitrary JavaScript code on the client side, e.g., to steal the administrator's...