77 matches found
Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty, that could provide weaker than expected security ( CVE-2025-14917)
Summary Security Bulletin: IBM Maximo Application Suite - Predict Component uses WebSphere Application Server Liberty, that could provide weaker than expected security CVE-2025-14917. This bulletin contains information regarding the vulnerability and its fixture. Vulnerability Details...
EUVD-2026-31129
SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges...
EUVD-2026-31130
Cross-Site Request Forgery CSRF vulnerability in InfoScale v.9.1.3 Operations Manager VIOM allows an attacker to force the user with an active session into clicking a malicious HTML link, which triggers unintended modifications on VIOM web application without the user's knowledge...
CVE-2026-44923
SQL injection in InfoScale VIOM before v9.1.3 allows remote attackers to escalate privileges...
CVE-2026-5340 Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The Fancy Image Show plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's fancy-img-show shortcode in all versions up to, and including, 9.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticat...
CVE-2026-42845
The form plugin for Grav adds the ability to create and use forms. Prior to 9.1.0 , there is an unauthenticated page-content overwrite via file upload GHSA-w4rc-p66m-x6qq. Public form uploads now strip path components from the POST-supplied filename and hard-block page-content extensions md, yaml...
VulnCheck KEV: CVE-2026-2931
The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...
qdPM SQL注入漏洞
qdPM is a web-based open-source project management tool developed by qdPM Inc. Version 9.1 of qdPM has a SQL injection vulnerability. This vulnerability stems from the SQL injection present in the searchbyextrafields parameter, which could allow attackers to manipulate database queries and extrac...
CVE-2026-34400 alerta-server has potential SQL Injection vulnerability in Query String Syntax (q=) API
Alerta is a monitoring tool. Prior to version 9.1.0, the Query string search API q= was vulnerable to SQL injection via the Postgres query parser, which built WHERE clauses by interpolating user-supplied search terms directly into SQL strings via f-strings. This issue has been patched in version...
Security Bulletin: IBM Maximo Application Suite - Visual Inspection Component uses wheel dependency which is vulnerable to CVE-2026-24049.
Summary IBM Maximo Application Suite - Visual Inspection Component uses wheel dependency which is vulnerable to CVE-2026-24049. This bulletin contains information regarding the vulnerability and its remediation. Vulnerability Details CVEID:CVE-2026-24049 DESCRIPTION: wheel is a command line tool...
CVE-2026-2931
The CVE-2026-2931 entry concerns the Amelia Booking plugin for WordPress (versions up to and including 9.1.2). The vulnerability is an Insecure Direct Object Reference that allows a user-controlled access to objects, enabling authenticated users with customer-level permissions or higher to change...
EUVD-2026-12182
The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the deactivatelicense function in all versions up to, and including, 9.1.9. This makes it possible for authenticated attackers, with...
Security Bulletin: Multiple Vulnerabilities have been identified in IBM DB2 shipped with IBM WebSphere Remote Server
Summary IBM DB2 is shipped with IBM WebSphere Remote Server. Information about security vulnerabilities affecting IBM DB2 have been published in a security bulletins Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected Products and Versions Affect...
CVE-2026-1051
The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hooknewsletteraction function. This makes it possible for unauthenticated...
PT-2026-3448
Name of the Vulnerable Software and Affected Versions @fastify/middie versions prior to 9.1.0 Description A security issue exists in @fastify/middie where middleware registered with a specific path prefix can be bypassed using URL-encoded characters. For example, using /%61dmin instead of /admin...
CVE-2025-67279
An issue in TIM Solution GmbH TIM BPM Suite & TIM FLOW before v.9.1.2 allows a remote attacker to escalate privileges via the application stores password hashes in MD5 format...
CVE-2025-14835 WP Photo Album Plus <= 9.1.05.008 - Reflected Cross-Site Scripting
The WP Photo Album Plus plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘shortcode’ parameter in all versions up to, and including, 9.1.05.008 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-64520
GLPI CVE-2025-64520 affects versions 9.1.0 up to (but not including) 10.0.21, where an unauthorized API user can read all knowledge base entries. Root cause: insufficient API authorization. Impact: confidentiality high; integrity/availability not affected per disclosure. Remediation: upgrade to 1...
CVE-2025-68115
Parse Server is affected by a Cross-Site Scripting (XSS) vulnerability in its password reset and email verification HTML pages due to unescaped Mustache template variables. Affected versions are prior to 8.6.1 and 9.1.0-alpha.3; the patch escapes user-controlled values in those pages and is avail...
CVE-2025-68115 Parse Server vulnerable to Cross-Site Scripting (XSS) via Unescaped Mustache Template Variables
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting XSS vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available ...