7943 matches found
CVE-2026-59100
CVE-2026-59100 affects LobeChat up to version 2.2.9. It describes a broken object level authorization allowing authenticated attackers to access and modify other users’ chat-group agent data by supplying arbitrary group identifiers. Attackers can call getGroupAgents, updateAgentInGroup, and remov...
GHSA-3VCG-PV95-PQ54 SFTPGo has stored XSS via inline parameter on public shares and user file download
Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...
GHSA-H64P-8H4R-6GFH SFTPGo has path confinement bypass in public browsable share partial ZIP download
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure via the Authorizer function. An attacker can determine valid usernames by measuring the response time difference between valid and invalid usernames during authentication attempts. Remediation There is no fixed...
ROOT-APP-GOBINARY-CVE-2026-53489 CVE-2026-53489 in rootio-github.com/containerd/containerd/v2 - Patched by Root
Root has patched CVE-2026-53489 in the rootio-github.com/containerd/containerd/v2 package for Root:Go. Multiple fixed versions available...
ROOT-APP-GOBINARY-CVE-2026-53492 CVE-2026-53492 in rootio-github.com/containerd/containerd/v2 - Patched by Root
Root has patched CVE-2026-53492 in the rootio-github.com/containerd/containerd/v2 package for Root:Go. Multiple fixed versions available...
CVE-2026-57357
Unauthenticated Cross Site Scripting XSS in Search Atlas SEO = 2.6.6 versions...
CVE-2025-69094
Subscriber SQL Injection in Unicamp = 2.2.2 versions...
CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...
CVE-2026-57753
The CVE-2026-57753 entry concerns the WordPress Kit (formerly ConvertKit) for WooCommerce plugin, affected versions 2.1.5 and earlier. Description indicates an unauthenticated sensitive data exposure vulnerability in these versions. The provided documents do not specify the exact root cause, vuln...
EUVD-2026-41296
Contributor SQL Injection in Custom Field Template = 2.7.8 versions...
CVE-2026-57352 WordPress ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce plugin <= 2.2.0 - Broken Authentication vulnerability
Unauthenticated Broken Authentication in ALD – Dropshipping and Fulfillment for AliExpress and WooCommerce = 2.2.0 versions...
CVE-2026-57351
Unauthenticated Cross Site Scripting XSS in HandL UTM Grabber = 2.9.2 versions...
CVE-2025-69152
CVE-2025-69152 affects the Artale | Wedding Photography WordPress theme (versions
CVE-2026-54431
In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...
EUVD-2026-41277
In liboauth2 the Demonstrating Proof-of-Possession DPoP verifier accepts a proof whose JSON Web Key jwk header contains private key material. RFC 9449 section 4.3 step 7 requires the verifier to reject such a proof but oauth2tokenverify function returns success for a malformed DPoP proof that...
OPENSUSE-SU-2026:21210-1 Security update for google-osconfig-agent
This update for google-osconfig-agent fixes the following issues - CVE-2023-45288: golang.org/x/net/http2: close connections when receiving too many headers. - CVE-2025-47911: golang.org/x/net/html: various algorithms with quadratic complexity when parsing HTML documents bsc1251453. -...
[SECURITY] Fedora 43 Update: caddy-2.10.2-9.fc43
Caddy is an extensible server platform that uses TLS by default...
PT-2026-54961
Name of the Vulnerable Software and Affected Versions Unicamp versions prior to 2.2.3 Description A SQL Injection issue exists where users with subscriber-level access can extract sensitive data. This occurs due to improper handling of input in the subscriber module, allowing an attacker to execu...
CVE-2026-54704
OpenTelemetry Java Instrumentation provides OpenTelemetry auto-instrumentation and instrumentation libraries for Java. In versions prior to 2.28.0, the JDBC auto-instrumentation may fail to sanitize passwords in SQL CONNECT statements when the password is double-quoted. As a result, clear-text...