GHSA-RJG2-95X7-8QMX Strapi may leak sensitive data via relational filtering due to lack of query sanitization
Summary of CVE-2026-27886 Vulnerability Details - CVE: CVE-2026-27886 - CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N 9.3 — Critical - Affected Versions: @strapi/strapi =5.37.0 Description of CVE-2026-27886 Strapi versions prior to 5.37.0 did not sufficiently...
Strapi: Password Reset Does Not Revoke Existing Refresh Sessions
Summary of CVE-2026-22706 Vulnerability Details - CVE: CVE-2026-22706 - CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N 2.1 — Low - Affected Versions: @strapi/admin and @strapi/plugin-users-permissions =5.33.3 Description of CVE-2026-22706 In Strapi versions prio...
PT-2026-36506
Name of the Vulnerable Software and Affected Versions AGL app-framework-main versions 17.1.12 and earlier Description A Zip Slip path traversal issue combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition exists in the widget installation flow. The is_valid_filename function in...
CVE-2025-23032
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A Stored Cross-Site Scripting (XSS) vulnerability was identified in the adicionarescala.php endpoint of the WeGIA application. This vulnerability allows attackers to inject malicious scripts int...
CVE-2022-35925
BookWyrm is a social network for tracking reading. Versions prior to 0.4.5 were found to lack rate limiting on authentication views which allows brute-force attacks. This issue has been patched in version 0.4.5. Admins with existing instances will need to update their nginx.conf file that was...
CVE-2023-45811
Synchrony deobfuscator is a JavaScript cleaner & deobfuscator. A __proto__ pollution vulnerability exists in versions before v2.4.4. Successful exploitation could lead to arbitrary code execution. A __proto__ pollution vulnerability exists in the LiteralMap transformer allowing crafted input to modify...
PT-2026-1563
Name of the Vulnerable Software and Affected Versions MoneySpace plugin for WordPress versions prior to 2.13.9 Description The MoneySpace plugin for WordPress exhibits a sensitive information exposure issue. The plugin stores complete payment card details – including Primary Account Number (PAN),...
PT-2026-1262
Name of the Vulnerable Software and Affected Versions AA-Team Premium SEO Pack versions through 3.3.2 Description The software contains a flaw related to the improper handling of special characters within SQL commands, which could lead to SQL Injection. The issue allows manipulation of SQL querie...
TencentOS Server 4: golang (TSSA-2025:0328)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0328 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
Incorrect Authorization
Overview symfony/http-foundation is a component that defines an object-oriented layer for the HTTP specification. Affected versions of this package are vulnerable to Incorrect Authorization due to the Request class improperly interpreting some PATHINFO in a way that leads to representing some URLs wit...
EUVD-2022-0599
Malicious code in bioql PyPI...
EUVD-2022-5644
Malicious code in bioql PyPI...
EUVD-2024-2867
Malicious code in bioql PyPI...
EUVD-2023-0031
Malicious code in bioql PyPI...
PT-2025-31936
Name of the Vulnerable Software and Affected Versions: OpenJPEG versions 2.5.3 and earlier Description: OpenJPEG is an open-source JPEG 2000 codec. A call to the opj_jp2_read_header function may lead to an out-of-bounds heap memory write when the data stream p_stream is too short and p_image is n...
PT-2025-31885 · Pyload · Pyload
Name of the Vulnerable Software and Affected Versions: pyLoad versions 0.5.0b3.dev89 and below Description: pyLoad is a free and open-source Download Manager written in pure Python. A path traversal vulnerability exists in the pyLoad-ng CNL Blueprint via the package parameter, allowing arbitrary...
PT-2025-30053 · Unknown · @Nuxtjs/Mdc
Name of the Vulnerable Software and Affected Versions: @nuxtjs/mdc versions prior to 0.17.2 Description: A remote script-inclusion / stored cross-site scripting issue exists in @nuxtjs/mdc. A Markdown author can inject a <base> element, which rewrites how relative URLs are resolved. This allows an...
PT-2025-29812 · Unknown · Cmsminds Pay With Contact Form 7
Name of the Vulnerable Software and Affected Versions: cmsMinds Pay with Contact Form 7 versions through 1.0.4 Description: The software contains a Reflected Cross-site Scripting (XSS) issue due to improper neutralization of input during web page generation. This allows for the injection of malicio...
PT-2025-29574 · Dassault Systèmes · Solidworks Desktop +1
Name of the Vulnerable Software and Affected Versions: SOLIDWORKS eDrawings versions prior to SOLIDWORKS Desktop 2025 Description: A use-after-free issue exists in the IPT file reading procedure. This could allow an attacker to execute arbitrary code when opening a specially crafted IPT file...
PT-2025-29121 · Mediawiki · Dynamicpagelist3
Name of the Vulnerable Software and Affected Versions: DynamicPageList3 extension versions prior to 3.6.4 Description: The DynamicPageList3 extension for MediaWiki contains an issue where certain parameters can reveal usernames that have been hidden through revision deletion, suppression, or the...