Lucene search

79 matches found

CVE
added 2026/05/08 3:41 p.m. · 5 views

CVE-2026-41885

CVE-2026-41885 affects i18next-locize-backend prior to version 9.0.2. The issue arises when the backend interpolates values (lng, ns, projectId, version) directly into URL templates (loadPath/privatePath/addPath/updatePath/getLanguagesPath) without encoding or validation, enabling user-controlled...

CVSS 6.5 · AI score 5.7 · EPSS 0.00066
Exploits: 0 · References: 1

Cvelist
added 2026/05/08 3:41 p.m. · 24 views

CVE-2026-41885 Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath /...

CVSS 6.5 · EPSS 0.00066
Exploits: 0 · References: 1

vulnersOsv
added 2026/04/16 10:28 p.m. · 1 view

@bechara/crux (>=6.0.0 <=6.6.2), @cappa/cli (>=0.1.0 <=0.8.2) +11 more potentially affected by CVE-2026-33804 via @fastify/middie (>=9.0.2 <=9.3.1)

@fastify/middie NPM version =9.0.2, =6.0.0, =0.1.0, =0.1.0, =1.0.0, =1.0.11, =0.1.51, =1.0.36, =11.0.0, =1.3.0, =5.0.0, =0.6.1-dev, =1.1.48 Source cves: CVE-2026-33804 Source advisory: SNYK:JS-FASTIFYMIDDIE-16098212...

CVSS 9.1 · AI score 5.8 · EPSS 0.00069
Exploits: 0

SUSE CVE
added 2026/03/02 12:25 a.m. · 1 view

SUSE CVE-2025-67733

Valkey is a distributed key-value database. Prior to versions 9.0.2, 8.1.6, 8.0.7, and 7.2.12, a malicious user can use scripting commands to inject arbitrary information into the response stream for the given client, potentially corrupting or returning tampered data to other users on the same...

CVSS 6.8 · AI score 6 · EPSS 0.00023
Exploits: 0 · References: 8

Patchstack
added 2026/01/29 10:27 p.m. · 4 views

WordPress Quiz And Survey Master plugin < 9.0.2 - Contributor+ SQLi vulnerability

Contributor+ SQLi vulnerability discovered by Project Black in WordPress Plugin Quiz And Survey Master versions 9.0.2...

CVSS 8.8 · AI score 5.9 · EPSS 0.00112
Exploits: 2 · References: 1 · Affected Software: 1

RedhatCVE
added 2026/01/07 9:33 a.m. · 4 views

CVE-2019-7135

Adobe Bridge CC versions 9.0.2 have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure...

CVSS 6.5 · AI score 6.3 · EPSS 0.02988
Exploits: 0 · References: 1

RedhatCVE
added 2025/12/03 2:2 p.m. · 1 view

CVE-2025-11785

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf'. The 'GetParametermeter' function retrieves the user input, which is directly incorporated...

CVSS 9.8 · AI score 7.3 · EPSS 0.00057
Exploits: 0 · References: 1

EUVD
added 2025/12/02 3:30 p.m. · 2 views

EUVD-2025-200227

Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi' and then uses it as an index in the 'FilesDownload' array with '&FilesDownload[iVar2]'. If the parameter is too large, it will access memory beyond...

CVSS 7.1 · AI score 6.3 · EPSS 0.00041
Exploits: 0 · References: 2

CVE
added 2025/12/02 1:2 p.m. · 8 views

CVE-2025-11787

CVE-2025-11787 affects Circutor SGE-PLC1000/SGE-PLC50 running v9.0.2. The OS exposes a command injection vulnerability in GetDNS(), CheckPing(), and TraceRoute() functions. Impact is high (CVE scores indicate network-based, unauthenticated/low-privilege access with potential total impact on confi...

CVSS 8.8 · AI score 7 · EPSS 0.00186
Exploits: 0 · References: 1 · Affected Software: 1

Cvelist
added 2025/12/02 1:2 p.m. · 3 views

CVE-2025-11787 Command injection vulnerability in Circutor SGE-PLC1000/SGE-PLC50

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS', 'CheckPing' and 'TraceRoute' functions...

CVSS 8.5 · EPSS 0.00186
Exploits: 0 · References: 1

Positive Technologies
added 2025/12/02 12:0 a.m. · 1 view

PT-2025-48673

Name of the Vulnerable Software and Affected Versions Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2 Description A stack-based buffer overflow exists in the AddEvent function when handling user-supplied usernames. The issue occurs because the function copies the username input to a fixed-size buffe...

CVSS 9.8 · AI score 7.9 · EPSS 0.002
Exploits: 0 · References: 5

CNNVD
added 2025/07/23 12:0 a.m. · 1 view

IBM Engineering Systems Design Rhapsody buffer error vulnerability

IBM Engineering Systems Design Rhapsody is a model-driven development (MDD) environment for systems engineering and software development provided by IBM. IBM Engineering Systems Design Rhapsody suffers from a stack buffer overflow vulnerability that stems from the program not properly checking...

CVSS 8.8 · AI score 6.5 · EPSS 0.00392
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 8:28 a.m. · 3 views

CVE-2024-9944

The WooCommerce plugin for WordPress is vulnerable to HTML Injection in all versions up to, and including, 9.0.2. This is due to the plugin not properly neutralizing HTML elements from submitted order forms. This makes it possible for unauthenticated attackers to inject arbitrary HTML that will...

CVSS 6.1 · AI score 7 · EPSS 0.00717
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 3:38 a.m. · 3 views

CVE-2023-28819

Concrete CMS (previously concrete5) versions 8.5.12 and below, 9.0.0 through 9.0.2 is vulnerable to Stored XSS in uploaded file and folder names...

CVSS 5.4 · AI score 5.8 · EPSS 0.02002
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/23 1:18 a.m. · 3 views

CVE-2022-30118

Title for CVE: XSS in /dashboard/system/express/entities/forms/savecontrol/GUID: old browsers only. Description: When using Internet Explorer with the XSS protection disabled, editing a form control in an express entities form for Concrete 8.5.7 and below as well as Concrete 9.0 through 9.0.2 can...

CVSS 6.1 · AI score 6.1 · EPSS 0.00654
Exploits: 0 · References: 1

RedhatCVE
added 2025/05/22 8:19 a.m. · 4 views

CVE-2019-17295

SugarCRM before 8.0.4 and 9.x before 9.0.2 allows SQL injection in the history function by a Regular user...

CVSS 8.8 · AI score 8 · EPSS 0.00296
Exploits: 0 · References: 1

CNNVD
added 2025/03/09 12:0 a.m. · 1 view

WordPress plugin URL Shortener security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...

CVSS 3.5 · AI score 7.8 · EPSS 0.00046
Exploits: 1 · References: 3

Patchstack
added 2025/03/04 12:57 a.m. · 1 view

WordPress URL Shortener WooCommerce plugin <= 9.0.2 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated Admin+ Stored Cross-Site Scripting vulnerability discovered by Bob Matyas in WordPress Plugin URL Shortener | Conversion Tracking | AB Testing | WooCommerce versions = 9.0.2...

CVSS 3.5 · AI score 5.8 · EPSS 0.00046
Exploits: 1 · References: 1 · Affected Software: 1

Patchstack
added 2025/03/04 12:56 a.m. · 2 views

WordPress URL Shortener WooCommerce plugin <= 9.0.2 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Bob Matyas in WordPress Plugin URL Shortener | Conversion Tracking | AB Testing | WooCommerce versions = 9.0.2...

CVSS 4.3 · AI score 7 · EPSS 0.0002
Exploits: 1 · References: 1 · Affected Software: 1

Positive Technologies
added 2025/02/14 12:0 a.m. · 1 view

PT-2025-7010 · Unknown · Woocommerce +1

Name of the Vulnerable Software and Affected Versions: tahinajannat URL Shortener | Conversion Tracking | AB Testing | WooCommerce versions n/a through 9.0.2 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This...

CVSS 7.1 · AI score 9.7 · EPSS 0.00131
Exploits: 0 · References: 5