CVE-2026-46385
Summary (CVE-2026-46385) iskorotkov/avro’s Go Avro decoder can trigger remote, unauthenticated CPU exhaustion by looping up to math.MaxInt64 iterations when decoding large attacker-controlled block counts, because inner loops did not check the reader’s error state after each decode. Affected: git...
Portainer's Kubernetes middleware continues after token validation failure, bypassing endpoint authorization
Summary Portainer proxies requests to Kubernetes clusters through a middleware layer kubeClientMiddleware that validates the requesting user's token before forwarding traffic to the cluster. When security.RetrieveTokenData returned an error, the middleware wrote an HTTP 403 response but was missi...
CVE-2026-42887
Audiobookshelf is a self-hosted audiobook and podcast server. Prior to 2.33.0, a stored cross-site scripting XSS vulnerability exists in the Login Page due to improper sanitization of the authLoginCustomMessage field of the /api/auth-settings endpoint. An attacker with administrative privileges c...
CVE-2026-4437 affecting package glibc for versions less than 2.38-19
CVE-2026-4437 affecting package glibc for versions less than 2.38-19. A patched version of the package is available...
CVE-2026-32357
Server-Side Request Forgery (SSRF) vulnerability in Katsushi Kawamori Simple Blog Card (simple-blog-card) allows Server Side Request Forgery. This issue affects Simple Blog Card: from n/a through = 2.37...
CVE-2026-32414 WordPress Advanced Woo Labels plugin <= 2.36 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code ('Code Injection') vulnerability in ILLID Advanced Woo Labels (advanced-woo-labels) allows Remote Code Inclusion. This issue affects Advanced Woo Labels: from n/a through = 2.36...
DEBIAN-CVE-2026-3904
Calling NSS-backed functions that support caching via nscd may invoke the nscd client-side code. In GNU C Library version 2.36, under high load on x86_64 systems, the client may call memcmp on inputs that are concurrently modified by other processes or threads and crash. The nscd client in the...
Audiobookshelf Cross-Site Scripting Vulnerability
Audiobookshelf is an open-source, self-hosted server for audio books and podcasts. Versions of Audiobookshelf prior to 2.32.0 contained a cross-site scripting vulnerability. This vulnerability was caused by malicious library metadata, leading to storage-based cross-site scripting, which could...
Top Password ZIP Password Recovery Security Vulnerability
Top Password ZIP Password Recovery is a ZIP file password recovery tool developed by Top Password. Version 2.30 of Top Password ZIP Password Recovery contains a security vulnerability, which stems from improper input processing and could lead to denial-of-service attacks...
PT-2026-4083
Name of the Vulnerable Software and Affected Versions: matiskiba Ravpage versions prior to 2.33. Description: The software contains a flaw due to improper handling of user-supplied data when creating web pages, leading to a Reflected Cross-Site Scripting (XSS) condition. This allows an attacker to...
Esri ArcGIS Web AppBuilder Cross-Site Scripting Vulnerability
Esri ArcGIS Web AppBuilder is a web application builder tool from Esri Corporation, USA. A cross-site scripting vulnerability exists in Esri ArcGIS Web AppBuilder developer edition prior to version 2.30, which originates from HTML injection and could lead to arbitrary HTML rendering...
CVE-2025-12368
CVE-2025-12368 concerns Sermon Manager for WordPress (plugin) ≤ 2.30.0. It exposes a Stored Cross-Site Scripting vulnerability via the sermon-views shortcode, allowing authenticated users with Contributor+ privileges to inject scripts that execute on pages viewed by others. Technical details acro...
CVE-2025-62158
Frappe Learning is a learning system that helps users structure their content. In versions prior to 2.38.0, the system stored the attachments uploaded by students in their assignments as public files. This issue potentially exposed student-uploaded files to the public. Anyone with the fil...
Copeland E3 Supervisory Control Security Vulnerability
Copeland E3 Supervisory Control is an industrial equipment control system from Copeland, USA. A security vulnerability exists in Copeland E3 Supervisory Control versions prior to 2.31F01 that stems from a predictable default user ONEDAY password...
webkitgtk: Logic issue leading to arbitrary code execution
A logic issue was found in WebKitGTK and WPE WebKit in versions prior to 2.32.0. A remote attacker may be able to cause arbitrary code execution. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
webkitgtk: Use-after-free in fireEventListeners leading to arbitrary code execution
An exploitable use-after-free vulnerability exists in WebKitGTK browser version 2.30.3 x64. A specially crafted HTML web page can cause a use-after-free condition, resulting in remote code execution. The victim needs to visit a malicious web site to trigger the vulnerability...
WordPress Post Duplicator plugin <= 2.36 - Authenticated (Contributor+) Protected Post Disclosure vulnerability
Authenticated Contributor+ Protected Post Disclosure vulnerability discovered by Webbernaut in WordPress Plugin Post Duplicator versions = 2.36...
flusity CMS Security Vulnerability
flusity CMS is a user-interactive interface solution where code can be easily changed or added. A security vulnerability exists in flusity CMS version 2.33, which stems from an unrestricted upload of files of a dangerous type being allowed in updatesetting.php...
flusity CMS Security Vulnerability
flusity CMS is a user-interactive interface solution where code can be easily changed or added. A security vulnerability exists in flusity CMS version v2.33, which was discovered to contain a cross-site request forgery (CSRF) vulnerability via the component /core/tools/deleteplace.php...
flusity CMS Security Vulnerability
flusity CMS is a user-interactive interface solution where code can be easily changed or added. A security vulnerability exists in flusity CMS version v2.33, which stems from a cross-site scripting (XSS) vulnerability that allows an attacker to execute arbitrary web script or HTML...