48 matches found
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the AddressRepository::getSqlQuery method, which constructs a database query without properly sanitizing user input. The method is not invoked anywhere within the extension itself and therefore...
@fastify/static vulnerable to path traversal in directory listing
Impact @fastify/static v9.1.0 and earlier serves directory listings outside the configured static root when the list option is enabled. A request such as /public/../outside/ causes dirList.path to resolve a directory outside the root via path.join without a containment check. A remote...
CVE-2026-6410
@fastify/static versions 8.0.0 through 9.1.0 allow path traversal when directory listing is enabled via the list option. The dirList.path function resolves directories outside the configured static root using path.join without a containment check. A remote unauthenticated attacker can obtain...
Improper Handling of URL Encoding (Hex Encoding)
Overview @fastify/static is a plugin for serving static files as fast as possible. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via the handling of percent-encoded path separators in the fastifyStatic function. This creates a mismatch between...
PT-2026-33313
Name of the Vulnerable Software and Affected Versions @fastify/static versions 8.0.0 through 9.1.0 Description @fastify/static decodes percent-encoded path separators '%2F' before filesystem resolution, whereas the Fastify router treats them as literal characters. This discrepancy allows for a...
PT-2026-22056
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.3 Parse Server versions prior to 9.1.1-alpha.4 Description Parse Server is susceptible to a security issue where an unauthenticated attacker can create a forged Google authentication token using alg: "none" t...
CVE-2025-68853
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1...
CVE-2025-68853
The CVE CVE-2025-68853 affects WordPress Contact Manager plugin (contact-manager) up to version 9.1.1 and is a Deserialization of Untrusted Data (PHP Object Injection) vulnerability. Public sources (NVD/Red Hat/Patchstack/Wordfence) identify the root cause as untrusted data deserialization in con...
CVE-2025-68853 WordPress Contact Manager plugin <= 9.1.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection. This issue affects Contact Manager: from n/a through <= 9.1.1...
PT-2026-21112
Name of the Vulnerable Software and Affected Versions Kleor Contact Manager versions through 9.1.1 Description A flaw exists in Kleor Contact Manager that allows for object injection due to deserialization of untrusted data. This issue impacts the contact-manager component. Recommendations At the...
WordPress plugin Contact Manager Code Issue Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that allows personal blog sites to be set up on servers running PHP and MySQL. A WordPress plugin is an application extension. There we...
CVE-2025-68150 Parse Server has Server-Side Request Forgery (SSRF) in Instagram OAuth Adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.2 and 9.1.1-alpha.1, the Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0, golang.org/x/net-v0.33.0, golang.org/x/net-v0.34.0 which is vulnerable to this CVE-2025-22870
Summary Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses golang.org/x/net-v0.21.0, golang.org/x/net-v0.33.0, golang.org/x/net-v0.34.0 which is vulnerable to this CVE-2025-22870 Vulnerability Details CVEID:CVE-2025-22870 DESCRIPTION: Matching of hosts against prox...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses form-data-4.0.1.tgz and form-data-4.0.3.tgz which are vulnerable to this CVE-2024-6345
Summary Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses form-data-4.0.1.tgz and form-data-4.0.3.tgz which are vulnerable to this CVE-2024-6345 Vulnerability Details CVEID:CVE-2025-7783 DESCRIPTION: Use of Insufficiently Random Values vulnerability in form-data...
eslint-config-prettier Security Vulnerability
eslint-config-prettier is an open source ESLint configuration package from the Prettier project. A security vulnerability exists in eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7, which stems from embedded malicious code that could lead to a supply chain attack...
Oracle MySQL Server 9.0 - 9.1.0 Security Update (cpujan2025) - Linux
Oracle MySQL Server is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:oracle:mysql"; if...
WordPress plugin Quiz and Survey Master Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application extension. A security vulnerability...
PT-2024-37923 · WordPress · The Quiz/Survey Master
Name of the Vulnerable Software and Affected Versions: The Quiz and Survey Master QSM WordPress plugin versions prior to 9.1.1 Description: The issue is related to the failure of the plugin to validate and escape certain Quiz fields before displaying them on a page or post where the Quiz is...
CVE-2024-20724
Substance3D – Painter versions 9.1.1 and earlier are affected by an out-of-bounds read that could disclose sensitive memory and bypass ASLR. Exploitation requires user interaction (opening a malicious file). Remediation: update to version 9.1.2 or later (as per APSB24-04) to mitigate. CVE-2024-20...
Adobe Substance 3D Painter Buffer Error Vulnerability
Adobe Substance 3D Painter is a 3D texturing application from Adobe (USA). A buffer error vulnerability existed in Adobe Substance 3D Painter version 9.1.1, stemming from an out-of-bounds read that could lead to disclosure of sensitive memory...