67 matches found
CVE-2026-42201
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.474, database credential fields redispassword, keydbpassword, dragonflypassword, clickhouseadminuser, clickhouseadminpassword, postgresuser, mysqluser are validated only as...
CVE-2026-34034 Coolify: Host RCE via Sentinel token injection
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. Prior to 4.0.0-beta.466, the sentineltoken setting is used in shell commands without sufficient validation, allowing an authenticated user with access to server Sentinel settings to inject shell...
PT-2026-49226
Missing Authorization vulnerability in StylemixThemes MasterStudy LMS Pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects MasterStudy LMS Pro: from n/a before 4.7.16...
CVE-2026-42758
Incorrect Privilege Assignment vulnerability in Saleswonder Team: Tobias WebinarIgnition webinar-ignition allows Privilege Escalation.This issue affects WebinarIgnition: from n/a through 4.08.253...
Hackney 安全漏洞
Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions 0 through prior to 4.0.1, which stems from a URL query component that does not percentile encode CRLF characters, potentially resulting in HTTP request splitting...
DEBIAN-CVE-2026-48832
action/cookie.php in ecrire in SPIP before 4.4.15 is prone to an open redirect vulnerability...
CVE-2026-24573
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0...
CVE-2026-24573 WordPress Visualizer plugin < 4.0.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Themeisle Visualizer allows Stored XSS. This issue affects Visualizer: from n/a before 4.0.0...
GFI HelpDesk 安全漏洞
GFI HelpDesk is an open-source service request and ticket management system for enterprise IT support processes developed by GFI. Versions of GFI HelpDesk prior to 4.99.9 contained security vulnerabilities. These vulnerabilities stemmed from insufficient cleaning of the companyname POST parameter...
CVE-2026-4432
CVE-2026-4432 concerns the YITH WooCommerce Wishlist WordPress plugin prior to 4.13.0. Publicly exposed nonce in the /wishlist page allows unauthenticated attackers to rename any wishlist, due to insufficient ownership validation in the save_title() AJAX handler. Technical details across connecte...
SUSE CVE-2026-5302
CORS misconfiguration in CoolerControl/coolercontrold 4.0.0 allows unauthenticated remote attackers to read data and send commands to the service via malicious websites...
CVE-2026-5300
Unauthenticated functionality in CoolerControl/coolercontrold 4.0.0 allows unauthenticated attackers to view and modify potentially sensitive data via HTTP requests...
CVE-2026-5208 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in coolercontrold
Command injection in alerts in CoolerControl/coolercontrold 4.0.0 allows authenticated attackers to execute arbitrary code as root via injected bash commands in alert names...
CVE-2026-32364 WordPress Turbo Manager plugin < 4.0.8 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in redqteam Turbo Manager turbo-manager allows PHP Local File Inclusion.This issue affects Turbo Manager: from n/a through 4.0.8...
CVE-2026-24004 Fleet: Unauthenticated Android device disenrollment vulnerability via Pub/Sub endpoint
Fleet is open source device management software. In versions prior to 4.80.1, a vulnerability in Fleet’s Android MDM Pub/Sub handling could allow unauthenticated requests to trigger device unenrollment events. This may result in unauthorized removal of individual Android devices from Fleet...
CVE-2026-27745 SPIP interface_traduction_objets < 2.2.2 Authenticated RCE
The SPIP interfacetraductionobjets plugin versions prior to 2.2.2 contain an authenticated remote code execution vulnerability in the translation interface workflow. The plugin incorporates untrusted request data into a hidden form field that is rendered without SPIP output filtering. Because...
Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-003081)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003081 advisory. The replacemapfdwithmapptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local use...
CVE-2026-22800 PILOS affected by a CSRF via GET request allows unintentional termination of all active video conferences
PILOS Platform for Interactive Live-Online Seminars is a frontend for BigBlueButton. Prior to 4.10.0, Cross-Site Request Forgery CSRF vulnerability exists in an administrative API endpoint responsible for terminating all active video conferences on a single server. The affected endpoint performs ...
CVE-2023-4158
Cross-site Scripting XSS - Stored in GitHub repository omeka/omeka-s prior to 4.0.3...
CVE-2025-64213
CVE-2025-64213 describes an information disclosure in the WordPress plugin MasterStudy LMS Pro (styles: MasterStudy LMS Pro masterstudy-lms-learning-management-system-pro) where sensitive data can be retrieved due to insertion of sensitive information into sent data. Affected version range is Mas...