27 matches found
CVE-2026-31942 LibreChat has IDOR in API Keys Management that allows any authenticated user to overwrite other users' API keys
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.7.6, an Insecure Direct Object Reference IDOR vulnerability exists in the API keys management endpoint PUT /api/keys. Due to the use of the JavaScript object spread operator after setting...
CVE-2025-69986
A buffer overflow vulnerability exists in the ONVIF GetStreamUri function of LSC Indoor Camera V7.6.32. The application fails to validate the length of the Protocol parameter inside the Transport element. By sending a specially crafted SOAP request containing an oversized protocol string, an...
CVE-2026-27348
CVE-2026-27348 affects ThemeGoods Photography (WordPress theme). The issue is an improper neutralization of input during web page generation, enabling DOM-based XSS. Affected: Photography theme versions before 7.7.6 (per CVE entry; related sources reference Photography ≤ 7.6.x/7.7.6). Impact is D...
CVE-2025-64206
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through = 7.6.0...
CVE-2025-64207 WordPress Jannah theme <= 7.6.0 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in TieLabs Jannah jannah allows DOM-Based XSS.This issue affects Jannah: from n/a through = 7.6.0...
CVE-2025-64205
CVE-2025-64205 affects WordPress Jannah theme versions up to and including 7.6.0. The issue is an improper control of filename for include/require, enabling PHP Local File Inclusion (LFI). The CVSS 3.1 base score is 8.2 (HIGH) with network attack vector, low attack complexity, no privileges requi...
PT-2025-52161
Deserialization of Untrusted Data vulnerability in TieLabs Jannah jannah allows Object Injection.This issue affects Jannah: from n/a through = 7.6.0...
PT-2025-48976
Cross Site Scripting vulnerability in HCL Technologies Limited HCLTech DRAGON before v.7.6.0 allows a remote attacker to execute arbitrary code via missing directives...
CVE-2025-66421
Tryton sao aka tryton-sao before 7.6.11 allows XSS because it does not escape completion values. This is fixed in 7.6.11, 7.4.21, 7.0.40, and 6.0.69...
CVE-2025-61754
Vulnerability in the Oracle BI Publisher product of Oracle Analytics component: Web Service API. Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle BI Publisher...
EUVD-2025-35478
Missing Authorization vulnerability in FantasticPlugins SUMO Memberships for WooCommerce sumomemberships allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SUMO Memberships for WooCommerce: from n/a through = 7.6.0...
EUVD-2025-33709
The WP JobHunt plugin for WordPress, used by the JobCareer theme, is vulnerable to authorization bypass in all versions up to, and including, 7.6. This is due to insufficient login restrictions on inactive and pending accounts. This makes it possible for authenticated attackers, with Candidate- a...
Unicom Focal Point 安全漏洞
Unicom Focal Point is a portfolio management and decision analysis tool from Unicom, Inc. for use by corporate and government agency product organizations. A security vulnerability exists in Unicom Focal Point version 7.6.1, which stems from an SQL injection in the image parameter during the dele...
IBM Maximo MXAPIASSET API 路径遍历漏洞
The IBM Maximo MXAPIASSET API is a remote asset monitoring application program interface from International Business Machines IBM. A path traversal vulnerability exists in the IBM Maximo MXAPIASSET API version 7.6.1.3, which originates from allowing a remote attacker to view arbitrary files on th...
CVE-2024-1559
The Link Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'llreciprocal' parameter in all versions up to, and including, 7.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web...
SUSE CVE-2017-12805
In ImageMagick 7.0.6-6, a memory exhaustion vulnerability was found in the function ReadTIFFImage, which allows attackers to cause a denial of service...
Kiteworks MFT 安全漏洞
Kiteworks Mft is a software for securely managing internal and external data transfers from Kiteworks USA. A security vulnerability exists in Kiteworks MFT that could allow an unauthorized user to reset another user's password. This issue is fixed in version 7.6 and later...
PT-2021-22796 · Primekey · Primekey Ejbca
Name of the Vulnerable Software and Affected Versions: PrimeKey EJBCA versions prior to 7.6.0 Description: An issue was discovered where the enrollment secret for SCEP, CMP, EST, and Auto-enrollment aliases is reflected on a page, accessible to administrators. Although the secret is hidden from...
YouPHPTube subscribe.json.php file SQL Injection Vulnerability
YouPHPTube is a PHP-based video website system. A SQL injection vulnerability exists in the /objects/subscribe.json.php file in YouPHPTube version 7.6. The vulnerability stems from a lack of validation of externally entered SQL statements in database-based applications. An attacker can exploit th...
PT-2019-17080 · Ibm · Ibm Maximo Asset Management
Name of the Vulnerable Software and Affected Versions: IBM Maximo Asset Management version 7.6 Description: The issue allows a remote attacker to traverse directories on the system by sending a specially-crafted URL request containing dot dot sequences /../ to view arbitrary files on the system...