298 matches found
CVE-2026-34597
CVE-2026-34597 affects Coolify prior to 4.0.0-beta.470. The vulnerability lies in how user-supplied build parameters for the Nixpacks build pack are handled: the install_command provided by a user is directly concatenated into a shell command string executed on the deployment host during the buil...
PT-2026-53749
Name of the Vulnerable Software and Affected Versions Coolify versions prior to 4.0.0-beta.471 Description Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Server and project lookups are not scoped to the current team, which allows any...
CVE-2026-56024
Cross-Site Request Forgery CSRF vulnerability in Saad Iqbal WP EasyPay allows Cross Site Request Forgery. This issue affects WP EasyPay: from n/a through 4.4.0...
CVE-2026-50268
Steeltoe is an open source project that provides a collection of libraries that helps users build cloud-native applications. In Steeltoe.Configuration.Encryption 4.0.0 through 4.1.0, configuring encrypt:rsa:algorithm=OAEP does not enable OAEP encryption. Due to an incorrect BouncyCastle...
CVE-2026-39591
The CVE-2026-39591 entry concerns the WordPress WP-BusinessDirectory plugin up to version 4.0.0, where a Subscriber Arbitrary File Upload vulnerability is reported. Connected sources confirm the affected product and vulnerability class but do not provide exploit details or mitigation steps beyond...
CVE-2026-12143 form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormDataappend and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return CR, line feed LF, or double-quote "...
CVE-2026-41031
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 Build 63255 allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and sessio...
CVE-2026-41031 A Stored Cross-Site Scripting (XSS) vulnerability occurs in Vinna Process Monitor
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 Build 63255 allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and sessio...
EUVD-2026-35390
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 Build 63255 allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and sessio...
PT-2026-47731
A Stored Cross-Site Scripting vulnerability in Vinna Process Monitor Version 4.0 Service Pack 1 Build 63255 allows an authenticated remote attacker with low privileges to inject malicious JavaScript code into the application. This enables attackers to steal administrative access tokens and sessio...
CVE-2025-14774
Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
CVE-2026-7509
The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...
CVE-2026-43897
Link Preview JS extracts web links information. Prior to 4.0.1, the library did not check for IPv6 loopback attacks. There was also a DNS attack, where an address could be resolved into an internal IP. This could cause internal data leaks. This vulnerability is fixed in 4.0.1...
CVE-2026-35672
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...
EUVD-2025-210046
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
PT-2026-45909
Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...
ABB T-MAC Plus 安全漏洞
ABB T-MAC Plus is a shipboard equipment status monitoring and predictive maintenance management system developed by the Swiss company ABB. Version 4.0-24 of ABB T-MAC Plus contains a security vulnerability, which stems from incorrect authorization settings...
EUVD-2026-33686
Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a before 4.0.0...
ZeusCart 跨站请求伪造漏洞
ZeusCart is an e-commerce shopping cart system developed by ZeusCart Inc. Version 4.0 of ZeusCart contains a cross-site request forgeing vulnerability. This vulnerability stems from cross-site request forgery, allowing attackers to manipulate user behavior by tricking users into accessing pages...
PT-2026-44383
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...