537 matches found
CVE-2026-22034
Snuffleupagus is a module that raises the cost of attacks against website by killing bug classes and providing a virtual patching system. On deployments of Snuffleupagus prior to version 0.13.0 with the non-default upload validation feature enabled and configured to use one of the upstream...
CVE-2025-69331 WordPress Theater for WordPress plugin <= 0.19 - Broken Access Control vulnerability
Missing Authorization vulnerability in Jeroen Schmit Theater for WordPress theatre allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Theater for WordPress: from n/a through = 0.19...
CVE-2026-21428
CVE-2026-21428 affects cpp-httplib (C++11 single-file header-only library). The vulnerability is in write_headers: it does not validate CR/LF in user-supplied header values, enabling injection of extra headers, potential tampering with the request body, and SSRF when paired with servers supportin...
CVE-2025-69288 Titra has Remote Code Execution in Admin Functionality
Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version...
EUVD-2025-205723
Cross-Site Request Forgery CSRF vulnerability in Ays Pro Popup box ays-popup-box allows Cross Site Request Forgery.This issue affects Popup box: from n/a through = 6.0.7...
CVE-2025-68952
Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution RCE vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction 1-click. This issue has been...
EUVD-2025-204541
Turms AI-Serving module v0.10.0-SNAPSHOT and earlier contains an image decompression bomb denial of service vulnerability. The ExtendedOpenCVImage class in ai/djl/opencv/ExtendedOpenCVImage.java loads images using OpenCV's imread function without validating dimensions or pixel count before...
PT-2025-51194
In the Eclipse OMR compiler component, since release 0.7.0, an optimization enabled for Eclipse OpenJ9 consumers of OMR on Z processors incorrectly handles NUL 0x00 characters during the Latin-compatible charset UTF-8, ISO8859-1, ASCII, etc to IBM-1047/037 translation sequence. This can cause the...
WordPress plugin WPNakama SQL注入漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A SQL...
PT-2025-50806
The Simple post listing plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class name' parameter in the postlist shortcode in all versions up to, and including, 0.2. This is due to insufficient input sanitization and output escaping on user-supplied attributes. This makes ...
Markdownify MCP Server 安全漏洞
Markdownify MCP Server is a Model Context Protocol server for converting almost any content to Markdown by Zach Caceres, an individual developer in the United States. A security vulnerability exists in Markdownify MCP Server version 0.0.2 and earlier, which stems from a server-side request forger...
CVE-2025-13857
The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclapbutton shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...
TykoTech Fork 操作系统命令注入漏洞
TykoTech Fork is an AI integration tool for LionTech individual developers. An OS command injection vulnerability exists in TykoTech Fork version 0.1, which stems from misuse of the parameter authorizationUrl in the file /.well-known/oauth-authorization-server, which could lead to os command...
xrdp -- remote code execution
Denis Skvortsov, Security Researcher at Kaspersky reports: xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerabili...
CVE-2025-12355 Payaza <= 0.3.8 - Missing Authorization to Unauthenticated Order Status Update
The Payaza plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpajaxnoprivupdateorderstatus' AJAX endpoint in all versions up to, and including, 0.3.8. This makes it possible for unauthenticated attackers to update order statuses...
CVE-2025-65900
Kalmia CMS version 0.2.0 contains an Incorrect Access Control vulnerability in the /kal-api/auth/users API endpoint. Due to insufficient permission validation and excessive data exposure in the backend, an authenticated user with basic read permissions can retrieve sensitive information for all...
PT-2025-49045
Name of the Vulnerable Software and Affected Versions ComposioHQ version 0.7.20 Description A directory traversal issue exists in ComposioHQ version 0.7.20. This allows a remote attacker to potentially access sensitive information through the download file or dir function. The issue involves...
Central Dogma 安全漏洞
Central Dogma is an open source service configuration version control repository based on Git, ZooKeeper and HTTP/2. A security vulnerability exists in Central Dogma versions prior to 0.78.0, which stems from an open redirect and could lead to phishing attacks and credential theft...
Step CA Has Authorization Bypass in ACME and SCEP Provisioners
Summary A security fix is now available for Step CA that resolves a vulnerability affecting deployments configured with ACME and/or SCEP provisioners. All operators running these provisioners should upgrade to the latest release v0.29.0 immediately. The issue was discovered and disclosed by a...
Fedora 41 : rnp (2025-bc8b81c28d)
The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-bc8b81c28d advisory. Version 0.18.1 Security Fixed critical issue where PKESK public-key encrypted session keys were generated as all-zero, allowing trivial decryption of message...