
86 matches found

AstraLinux
added 2026/05/20 5:53 a.m. | 2 views

Astra Linux - vulnerability in waitress

Waitress is a Web Server Gateway Interface server for Python 2 and 3. When a remote client closes the connection before Waitress has had the opportunity to call getpeername, Waitress will not properly clean up the connection. As a result, the main thread attempts to write to a socket that no long...

CVSS 7.5 | AI score 7.1 | EPSS 0.01524
Exploits: 0 | References: 2

GithubExploit
added 2026/05/14 9:15 p.m. | 128 views

Exploit for Missing Authentication for Critical Function in Flowiseai Flowise

Silentium — HackTheBox Writeup Platform: HackTheBox...

CVSS 10 | AI score 7.8 | EPSS 0.86202
Exploits: 27

Positive Technologies
added 2026/03/25 12:0 a.m. | 3 views

PT-2026-27927

Name of the Vulnerable Software and Affected Versions eyecix Addon Jobsearch Chat versions through 3.0 Description The software contains a flaw related to improper input handling during web page generation, which allows for Reflected Cross-Site Scripting XSS. This issue impacts the Addon Jobsearc...

CVSS 7.1 | AI score 5.9 | EPSS 0.00045
Exploits: 0 | References: 4

CNNVD
added 2026/03/21 12:0 a.m. | 3 views

WordPress plugin Contact List cross-site scripting vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVSS 6.4 | AI score 5.6 | EPSS 0.00024
Exploits: 1 | References: 8

ATTACKERKB
added 2026/03/20 1:26 a.m. | 2 views

CVE-2026-32711

pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, b...

CVSS 7.8 | AI score 5.8 | EPSS 0.00008
Exploits: 1 | References: 4 | Affected Software: 1

OSV
added 2026/03/04 6:39 p.m. | 3 views

MAL-2026-1242 Malicious code in yaml-manifest-utils-mynarratorai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5c0e8992c68d7a201833d2405113695a4da985df9e5b9bdd46fcdc1f28a0828d The package yaml-manifest-utils-mynarratorai was found to contain malicious code. Source: ossf-package-analysis...

AI score 5.8
Exploits: 0

CVE
added 2026/02/11 8:26 a.m. | 11 views

CVE-2026-1826

CVE-2026-1826 affects the WordPress plugin OpenPOS Lite – Point of Sale for WooCommerce (versions up to 3.0). The issue is a Stored Cross-Site Scripting via the short code attribute width on the order_qrcode shortcode, caused by insufficient input sanitization and output escaping. Exploitation re...

CVSS 6.4 | AI score 5.8 | EPSS 0.00015
Exploits: 0 | References: 4

OSV
added 2026/02/03 6:30 p.m. | 1 view

GHSA-73F3-RQQF-2J54 Apache Syncope: Console XXE on Keymaster parameters

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage. Th...

CVSS 4.9 | AI score 5.8 | EPSS 0.00128
Exploits: 0 | References: 4

CVE
added 2026/02/01 12:15 p.m. | 7 views

CVE-2021-47914

PHP Melody 3.0 is affected by a persistent cross-site scripting (XSS) vulnerability in the edit-video.php submitted parameter. The root cause is a flaw in handling the parameter, allowing an attacker to inject malicious script code that can be executed in a victim’s browser. Reported impacts incl...

CVSS 6.4 | AI score 6 | EPSS 0.00031
Exploits: 1 | References: 4 | Affected Software: 1

RedhatCVE
added 2026/01/09 12:38 p.m. | 4 views

CVE-2023-29839

A Stored Cross Site Scripting XSS vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function...

CVSS 5.4 | AI score 5.9 | EPSS 0.00536
Exploits: 1 | References: 1

RedhatCVE
added 2026/01/09 10:55 a.m. | 4 views

CVE-2022-23316

An issue was discovered in taoCMS v3.0.2. There is an arbitrary file read vulnerability that can read any files via admin.php?action=file=download=../../1.txt...

CVSS 4.9 | AI score 7 | EPSS 0.00329
Exploits: 1 | References: 1

RedhatCVE
added 2026/01/09 9:51 a.m. | 3 views

CVE-2020-10940

Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service...

CVSS 7.8 | AI score 6.9 | EPSS 0.00113
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/09 9:32 a.m. | 4 views

CVE-2023-25456

Auth. admin+ Stored Cross-Site Scripting XSS vulnerability in Klaviyo, Inc. Klaviyo plugin = 3.0.7 versions...

CVSS 5.9 | AI score 5.6 | EPSS 0.00207
Exploits: 0 | References: 1

RedhatCVE
added 2026/01/07 9:35 a.m. | 6 views

CVE-2019-7173

A stored-self XSS exists in Croogo through v3.0.5, allowing an attacker to execute HTML or JavaScript code in a vulnerable Title field to /admin/file-manager/attachments/edit/4...

CVSS 4.8 | AI score 6.1 | EPSS 0.00219
Exploits: 1 | References: 1

NVD
added 2025/12/09 4:18 p.m. | 1 view

CVE-2025-62090

Missing Authorization vulnerability in Jegstudio Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons gutenverse-news allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Gutenverse News – Advanced News Magazine Blog Gutenberg Blocks Addons:...

CVSS 6.5 | EPSS 0.00036
Exploits: 0 | References: 1

CNNVD
added 2025/11/09 12:0 a.m. | 2 views

Sangfor Operation and Maintenance Security command injection vulnerability

Sangfor Operation and Maintenance Security is an operation and maintenance security management system from China's Sangfor. A command injection vulnerability exists in Sangfor Operation and Maintenance Security version 3.0, which stems from an incorrect manipulation of the parameter loginUrl in t...

CVSS 9.8 | AI score 6.8 | EPSS 0.00285
Exploits: 1 | References: 5

CVE
added 2025/09/27 6:47 a.m. | 16 views

CVE-2025-9898

CVE-2025-9898 (cForms – Light speed fast Form Builder for WordPress) is a Cross-Site Request Forgery vulnerability present in all versions up to 3.0.0. The root cause is missing or incorrect nonce validation on the cforms_api function, enabling unauthenticated attackers to modify forms and their ...

CVSS 4.3 | AI score 4.8 | EPSS 0.00014
Exploits: 0 | References: 2

CNNVD
added 2025/09/27 12:0 a.m. | 1 view

WordPress plugin cForms cross-site request forgery vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site...

CVSS 4.3 | AI score 6.4 | EPSS 0.00014
Exploits: 0 | References: 3

CVE
added 2025/06/17 3:1 p.m. | 17 views

CVE-2025-49879

CVE-2025-49879 is a path traversal vulnerability in the WordPress theme Litho (versions <= 3.0). It stems from improper pathname restrictions that could lead to arbitrary file deletion. The issue is documented as Litho

CVSS 8.6 | AI score 5.9 | EPSS 0.00375
Exploits: 0 | References: 1

Debian CVE
added 2025/05/30 12:0 a.m. | 5 views

CVE-2025-44906

Removed by vendor...

CVSS 7.8 | AI score 6.7 | EPSS 0.00082
Exploits: 1