20 matches found
ICZ MATCHA SNS cross-site scripting vulnerability
ICZ MATCHA SNS is a notification and message distribution system developed by the Japanese company ICZ. ICZ MATCHA SNS versions 1.3.9 and earlier contain a cross-site scripting vulnerability. This vulnerability was due to a susceptibility to cross-site scripting attacks, which could allow...
WordPress plugin Travel Booking security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-3788
A security vulnerability has been detected in Bytedesk up to 1.3.9. This impacts the function getModels of the file source-code/src/main/java/com/bytedesk/ai/springai/providers/openrouter/SpringAIOpenrouterRestService.java of the component SpringAIOpenrouterRestController. Such manipulation of th...
CVE-2026-3748
A security flaw has been discovered in Bytedesk up to 1.3.9. This affects the function uploadFile of the file source-code/src/main/java/com/bytedesk/core/upload/UploadRestController.java of the component SVG File Handler. Performing a manipulation results in unrestricted upload. Remote exploitati...
EUVD-2026-9759
Missing Authorization vulnerability in Aryan Shirani Bid Abadi Site Suggest site-suggest allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Site Suggest: from n/a through = 1.3.9...
WordPress Hospital Doctor Directory plugin <= 1.3.9 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO - BlueRock in WordPress Plugin Hospital Doctor Directory versions <= 1.3.9...
EUVD-2025-27503
Malicious code in bioql PyPI...
CVE-2025-59036 Infrahub allows authentication with deleted and expired API tokens
Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versions 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account...
OpsMill Infrahub security vulnerability
OpsMill Infrahub is an infrastructure resource management platform from the French company OpsMill. A security vulnerability exists in OpsMill Infrahub versions prior to 1.3.9 and prior to 1.4.5, which stems from an error in the authentication logic that could cause deleted or expired API tokens ...
CVE-2025-27340
CVE-2025-27340 describes a CSRF vulnerability in the WordPress plugin F12-Profiler (versions up to 1.3.9). The issue allows unauthorized cross-site requests due to CSRF weaknesses in the plugin. Public references in the connected docs consistently identify the affected software as the F12-Profile...
PT-2025-7757 · Unknown · F12-Profiler
Name of the Vulnerable Software and Affected Versions: F12-Profiler versions 1.3.9 and earlier. Description: A Cross-Site Request Forgery (CSRF) issue affects the software, allowing unauthorized requests. Recommendations: For versions 1.3.9 and earlier, update to a version that contains a fix for th...
PT-2025-5199 · Unknown · Applicantpro
Name of the Vulnerable Software and Affected Versions: ApplicantPro versions 1.3.9 and earlier. Description: The issue is related to improper neutralization of input during web page generation, which allows Reflected XSS. This means that an attacker can inject malicious scripts into the website,...
WordPress Contact Form, Survey & Form Builder – MightyForms plugin <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by zaim in WordPress Plugin Contact Form, Survey & Form Builder – MightyForms versions <= 1.3.9...
CVE-2023-7002 Backup Migration <= 1.3.9 - Authenticated (Admin+) OS Command Injection via url
The Backup Migration plugin for WordPress is vulnerable to OS Command Injection in all versions up to, and including, 1.3.9 via the 'url' parameter. This vulnerability allows authenticated attackers, with administrator-level permissions and above, to execute arbitrary commands on the host operati...
com.webank.wedatasphere.dss:dolphinscheduler-prod-metrics (>=1.1.0 <=1.2.2), org.apache.dolphinscheduler:dolphinscheduler-dist (>=2.0.0 <=2.0.9) +2 more potentially affected by CVE-2023-49068 via org.apache.dolphinscheduler:dolphinscheduler-api (>=1.3.9 <=3.0.6)
org.apache.dolphinscheduler:dolphinscheduler-api MAVEN version =1.3.9, =1.1.0, =2.0.0, =2.0.2, =1.3.9, =3.0.6 Source cves: CVE-2023-49068 Source advisory: OSV:GHSA-C6CG-73P3-973H...
WordPress plugin download-info-page cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. A WordPress plugin is an application plugin. A cross-site scripting...
CVE-2023-25806 Time discrepancy in authentication responses in OpenSearch
OpenSearch Security is a plugin for OpenSearch that offers encryption, authentication and authorization. There is an observable discrepancy in the authentication response time between calls where the user provided exists and calls where it does not. This issue only affects calls using the interna...
CVE-2020-15257
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting...
PT-2020-5862 · Containerd +5 · Kubernetes Containerd +4
Name of the Vulnerable Software and Affected Versions: containerd versions prior to 1.3.9 and 1.4.3. Description: The issue is related to the improper exposure of the containerd-shim API to host network containers. Access controls for the shim's API socket verified that the connecting process had ...
Cross site scripting
A cross-site scripting (XSS) vulnerability in the MantisBT Configuration Report page (adm_config_report.php) allows remote attackers to inject arbitrary code (if CSP settings permit it) through a crafted 'config_option' parameter. This is fixed in 1.3.9, 2.1.3, and 2.2.3...