
179 matches found

RedhatCVE
added 6 days ago, 7 views

CVE-2026-49051

Missing Authorization vulnerability in Prasad Kirpekar WP Meta and Date Remover allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Meta and Date Remover: from n/a through 2.3.6...

CVSS 4.3 | AI score 5.4 | EPSS 0.00028
Exploits 0 | References 1
Vulnrichment
added 6 days ago, 3 views

CVE-2026-45748 Termix Vulnerable to Remote Code Execution via SSH Tunnel Forward Command Injection

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The POST /ssh/tunnel/connect endpoint in Termix prior to version 2.3.2 builds an SSH tunnel command by interpolating user-controlled host record fields endpointIP, endpointUsername,...

CVSS 9.8 | AI score 5.5 | EPSS 0.00687
Exploits 1 | References 2
EUVD
added 6 days ago, 8 views

EUVD-2026-34873

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the GET /ssh/filemanager/ssh/resolvePath endpoint in Termix is vulnerable to OS command injection. The endpoint uses double-quote escaping for shell command...

CVSS 9.9 | AI score 6 | EPSS 0.00244
Exploits 1 | References 2
Vulnrichment
added 6 days ago, 4 views

CVE-2026-45743 Termix has a File-Manager Session Hijack via Missing Ownership Check (IDOR)

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. 16 file-manager endpoints in Termix prior to version 2.3.2 do not verify that the requesting user owns the SSH session identified by sessionId. An authenticated attacker who knows or...

CVSS 8.1 | AI score 5.6 | EPSS 0.00031
Exploits 1 | References 2
Positive Technologies
added 6 days ago, 8 views

PT-2026-47022

Name of the Vulnerable Software and Affected Versions: Termix versions prior to 2.3.2. Description: The File Manager component of this web-based server management platform contains a command injection flaw. The endpoint "/ssh/filemanager/ssh/resolvePath" unsafely processes the path parameter,...

CVSS 9 | AI score 5.6 | EPSS 0.00039
Exploits 1 | References 9
NVD
added 2026/06/02 10:16 a.m., 9 views

CVE-2025-53345

Missing Authorization vulnerability leading to code execution after installing malicious vulnerable plugin in ThimPress Thim Core. This issue affects Thim Core: from n/a through 2.3.3...

CVSS 8.8 | EPSS 0.00066
Exploits 0 | References 1
CNNVD
added 2026/05/28 12:00 a.m., 4 views

Casdoor security vulnerability

Casdoor is an open-source platform developed by Casdoor that supports various authentication and authorization protocols. Versions of Casdoor 2.362.0 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the SAML service provider’s failure to validate the...

AI score 5.8 | EPSS 0.00054
Exploits 0 | References 1
RedhatCVE
added 2026/05/27 8:13 p.m., 7 views

CVE-2026-46620

e107 is a content management system CMS. Prior to 2.3.5, e107 CMS does not properly enforce CSRF token validation on comment moderation actions. The problem comes down to how sessionhandler::check handles CSRF tokens. Instead of requiring a token on every state-changing request, it only validates...

CVSS 6.5 | AI score 5.8 | EPSS 0.00016
Exploits 0 | References 1
Tenable Nessus
added 2026/05/22 12:00 a.m., 8 views

Linux Distros Unpatched Vulnerability : CVE-2026-42783

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available.
- Debian Linux - rust-sequoia-openpgp - None
- Ubuntu Linux - openpgp: Don't imply missing key flags from key type CVE-2026-42783
Note that Nessus relies on the...

AI score 5.8
Exploits 0 | References 3
EUVD
added 2026/05/08 10:51 p.m., 9 views

EUVD-2026-28861

Grimmory is a self-hosted digital library. Prior to version 2.3.1, a stored cross-site scripting XSS vulnerability in Grimmory's browser-based EPUB reader allows an attacker to embed arbitrary JavaScript in a crafted EPUB file. When a victim opens the book, the script executes in their browser wi...

CVSS 6.3 | AI score 5.7 | EPSS 0.00009
Exploits 0 | References 2
OSV
added 2026/05/07 3:38 p.m., 1 view

GHSA-XV9C-MJW8-79GF Sidekiq-cron is vulnerable to a cross-site scripting (XSS) vulnerability via crafted URL

Sidekiq-cron through 2.3.1, an open-source scheduling add-on for Sidekiq, is vulnerable to a cross-site scripting (XSS) vulnerability via a crafted URL being rendered from cron.erb...

CVSS 6.1 | AI score 5.6 | EPSS 0.00011
Exploits 0 | References 7
RedhatCVE
added 2026/05/06 2:21 p.m., 7 views

CVE-2026-42220

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

CVSS 6.5 | AI score 5.7 | EPSS 0.00038
Exploits 1 | References 1
Patchstack
added 2026/05/01 9:33 a.m., 2 views

WordPress Anti-Spam Protection – No API Key, GDPR Friendly plugin <= 2.3.7 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Anti-Spam by Fullworks : GDPR Compliant Spam Protection versions <= 2.3.7...

CVSS 6.1 | AI score 5.8 | EPSS 0.00135
Exploits 0 | References 1 | Affected Software 1
OSV
added 2026/04/30 5:08 p.m., 4 views

OPENSUSE-SU-2026:20658-1 Security update for himmelblau

This update for himmelblau fixes the following issues:
Update to version 2.3.9+git0.a9fd29b.
Security issues fixed:
- CVE-2026-34397: Fixed naming collision that can lead to local privilege escalation (bsc#1261324).
Other updates and bugfixes:
- update aws-lc-sys to 0.39.0 for security fixes
- updat...

CVSS 7 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 3
ATTACKERKB
added 2026/04/27 12:00 a.m., 1 view

CVE-2026-38935

A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter...

CVSS 6.1 | AI score 4.8 | EPSS 0.00011
Exploits 0 | References 4
CVE
added 2026/04/27 12:00 a.m., 7 views

CVE-2026-38934

CVE-2026-38934 affects diskoverdata diskover-community v2.3.5 and earlier. The issue is a Cross-Site Request Forgery vulnerability in public/settings_process.php that permits a remote attacker to escalate privileges and access sensitive information. The CVE details provide a high-severity impact ...

CVSS 8.8 | AI score 5.3 | EPSS 0.00024
Exploits 0 | References 3
EUVD
added 2026/04/26 1:30 p.m., 1 view

EUVD-2026-25721

A vulnerability was found in GreenCMS up to 2.3. Affected is the function themeadd of the file /index.php?m=admin&c=custom&a=themeadd. The manipulation results in unrestricted upload. The attack can be launched remotely. The exploit has been made public and could be used. This vulnerability only...

CVSS 6.5 | AI score 5.2 | EPSS 0.00043
Exploits 0 | References 4
Vulnrichment
added 2026/04/23 3:52 a.m., 2 views

CVE-2026-41231 Froxlor has Incomplete Symlink Validation in DataDump.add() that Allows Arbitrary Directory Ownership Takeover via Cron

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixedhomedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

CVSS 7.5 | AI score 7.5 | EPSS 0.00087
Exploits 1 | References 3
NVD
added 2026/04/10 5:17 p.m., 0 views

CVE-2026-35598

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV GetResource and GetResourcesByList methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows or...

CVSS 4.3 | EPSS 0.00033
Exploits 1 | References 4
Positive Technologies
added 2026/04/01 12:00 a.m., 2 views

PT-2026-29414

XenForo before 2.3.5 allows OAuth2 client applications to request unauthorized scopes. This affects any customer using OAuth2 clients on any version of XenForo 2.3 prior to 2.3.5, potentially allowing client applications to gain access beyond their intended authorization level...

CVSS 8.8 | AI score 5.9 | EPSS 0.00058
Exploits 0 | References 3