
281 matches found

EUVD
added yesterday, 3 views

EUVD-2025-210046

Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...

CVSS 8 | AI score 5.8 | EPSS 0.00041
Exploits: 0 | References: 1

Positive Technologies
added yesterday, 5 views

PT-2026-45909

Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...

CVSS 7.4 | AI score 5.8 | EPSS 0.00028
Exploits: 0 | References: 2

EUVD
added 3 days ago, 5 views

EUVD-2026-33686

Missing Authorization vulnerability in Ben Balter WP Document Revisions allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Document Revisions: from n/a before 4.0.0...

CVSS 7.5 | AI score 5.8 | EPSS 0.00032
Exploits: 0 | References: 1

CNNVD
added 3 days ago, 2 views

ZeusCart Cross-Site Request Forgery Vulnerability

ZeusCart is an e-commerce shopping cart system developed by ZeusCart Inc. Version 4.0 of ZeusCart contains a cross-site request forgery vulnerability. This vulnerability stems from cross-site request forgery, allowing attackers to manipulate user behavior by tricking users into accessing pages...

CVSS 6.9 | AI score 5.7 | EPSS 0.00014
Exploits: 0 | References: 3

Positive Technologies
added 2026/05/28 12:00 a.m., 2 views

PT-2026-44383

phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject malicious content via PO...

CVSS 8.7 | AI score 5.8 | EPSS 0.00098
Exploits: 0 | References: 3

CNNVD
added 2026/05/27 12:00 a.m., 3 views

AdminPanel Security Vulnerability

AdminPanel is a database management panel developed by Jason000. Version 4.0 of AdminPanel contains a security vulnerability, which stems from a cross-site request forgery vulnerability in the delete.php endpoint...

CVSS 6.3 | AI score 5.7 | EPSS 0.00015
Exploits: 0 | References: 1

CVE
added 2026/05/27 12:00 a.m., 2 views

CVE-2026-30498

A CSRF vulnerability (CVE-2026-30498) affects Jason2605 AdminPanel 4.0, located in the delete.php endpoint. The issue is described across multiple sources as CSRF; no explicit exploit details, mitigations, or patch information are provided in the connected documents. CVSS v3.1 metrics indicate a ...

CVSS 6.3 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 1

CVE
added 2026/05/25 2:58 p.m., 15 views

CVE-2026-42782

CVE-2026-42782 affects Apache Syncope 3.0–3.0.16, 4.0–4.0.5, and 4.1.0, caused by improper isolation that lets an administrator with sufficient entitlements load a malicious Groovy class whose static initializer reaches a non-sandboxed execution path. Remediation is to upgrade to 4.0.6 or 4.1.1, ...

CVSS 7.2 | AI score 6 | EPSS 0.0007
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2026/05/13 3:26 a.m., 27 views

CVE-2025-14755 Cost Calculator Builder <= 4.0.1 - Unauthenticated Price Manipulation and Insecure Direct Object Reference

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference (IDOR) in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccbwoocommercepayment AJAX...

CVSS 5.3 | EPSS 0.00044
Exploits: 0 | References: 3

RedhatCVE
added 2026/05/11 8:27 p.m., 6 views

CVE-2026-8220

A vulnerability was detected in Devs Palace ERP Online up to 4.0.0. This affects an unknown function of the file /inventory/customer-save. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted ear...

CVSS 4.8 | AI score 4.2 | EPSS 0.0003
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:00 a.m., 4 views

Devs Palace ERP Online Cross-Site Scripting Vulnerability

Devs Palace ERP Online is a cloud-based enterprise resource planning and business management system developed by Devs Palace. Versions of Devs Palace ERP Online 4.0.0 and earlier contained a cross-site scripting vulnerability. This vulnerability originated from an unknown portion of the...

CVSS 4.8 | AI score 5.6 | EPSS 0.0003
Exploits: 0 | References: 1

CNNVD
added 2026/05/11 12:00 a.m., 3 views

Devs Palace ERP Online Cross-Site Scripting Vulnerability

Devs Palace ERP Online is a cloud-based enterprise resource planning and business management system developed by Devs Palace. Versions of Devs Palace ERP Online 4.0.0 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from operations on unknown code located in...

CVSS 4.8 | AI score 5.7 | EPSS 0.0003
Exploits: 0 | References: 1

ATTACKERKB
added 2026/05/09 3:44 a.m., 3 views

CVE-2026-42183

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, a nil pointer dereference in server/auth/gatekeeper.go rbacAuthorization causes a panic denial of service for SSO users whose claims match a...

CVSS 2.3 | AI score 5.7 | EPSS 0.00051
Exploits: 1 | References: 4 | Affected Software: 1

NVD
added 2026/05/08 3:17 p.m., 5 views

CVE-2026-44498

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...

CVSS 9.2 | EPSS 0.00013
Exploits: 0 | References: 2

Vulnrichment
added 2026/05/08 3:09 p.m., 3 views

CVE-2026-44498 ZEBRA: Block Validator Undercounts Coinbase and P2SH Sigops

ZEBRA is a Zcash node written entirely in Rust. Prior to version 4.4.0, Zebra's block validator undercounts transparent signature operations against the 20000-sigop block limit (MAX_BLOCK_SIGOPS), allowing it to accept blocks that zcashd rejects with bad-blk-sigops. A miner who produces such a block...

CVSS 9.2 | AI score 5.7 | EPSS 0.00013
Exploits: 0 | References: 2

OSV
added 2026/05/06 12:31 a.m., 4 views

GHSA-R374-RXX8-8654 Paramiko rsakey.py allows the SHA-1 algorithm

In Paramiko through 4.0.0 before a448945, rsakey.py allows the SHA-1 algorithm...

CVSS 3.4 | AI score 5.8 | EPSS 0.00004
Exploits: 0 | References: 4

Cvelist
added 2026/04/29 6:01 p.m., 23 views

CVE-2026-41499 Wazuh: Multiple Heap-based NULL WRITE Buffer Underflows in parse_uname_string()

Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, multiple heap-based out-of-bounds WRITE vulnerabilities exist in parse_uname_string() (remoted_op.c). This function processes OS identification data from agents and...

CVSS 6.5 | EPSS 0.00054
Exploits: 0 | References: 2

CVE
added 2026/04/27 11:34 p.m., 43 views

CVE-2026-40976

CVE-2026-40976 affects Spring Boot 4.0.0–4.0.5. In vulnerable configurations, a servlet-based web application that relies on Spring Boot’s default web security (no custom Spring Security config), depends on spring-boot-actuator-autoconfigure, and does not rely on spring-boot-health can experience...

CVSS 9.1 | AI score 5.3 | EPSS 0.00023
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/04/14 8:40 a.m., 24 views

CVE-2026-24032

A vulnerability has been identified in SINEC NMS All versions V4.0 SP3 with UMC. The affected application contains an authentication weakness due to insufficient validation of user identity in the UMC component. This could allow an unauthenticated remote attacker to bypass authentication and gain...

CVSS 7.3 | EPSS 0.00042
Exploits: 0 | References: 1

CVE
added 2026/04/07 2:11 p.m., 3 views

CVE-2026-5376

The CVE-2026-5376 issue affects the runZero Platform where session inactivity timeouts could fail to trigger due to automatic page reloading. Root cause is CWE-613 (Insufficient Control of Resources After Expiration or Release). CVSS v3.1 vector: AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N, base score 5....

CVSS 5.9 | AI score 5.8 | EPSS 0.00048
Exploits: 0 | References: 2 | Affected Software: 1