421 matches found
CVE-2025-68056 WordPress LBG Zoominoutslider plugin <= 5.4.4 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in LambertGroup LBG Zoominoutslider lbgzoominoutslider allows SQL Injection.This issue affects LBG Zoominoutslider: from n/a through = 5.4.4...
abp 安全漏洞
abp is an ABP open source web application framework. A security vulnerability exists in abp version 5.1.0 through versions prior to 10.0.0-rc.2, which stems from failure to properly validate the returnUrl parameter, which could result in a redirect to an arbitrary external domain...
CVE-2025-65581
An open redirect vulnerability exists in the Account module in Volosoft ABP Framework = 5.1.0 and 10.0.0-rc.2. Improper validation of the returnUrl parameter in the register function allows an attacker to redirect users to arbitrary external domains...
WordPress Essential Real Estate plugin <= 5.2.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by daroo in WordPress Plugin Essential Real Estate versions = 5.2.6...
Security Bulletin: Multiple security vulnerabilities have been identified in IBM Db2 shipped with IBM Guardium Key Lifecycle Manager
Summary IBM Db2 is shipped as a component of IBM Guardium Key Lifecycle Manager. Information about multiple security vulnerabilities affecting IBM Db2 has been published in security bulletins. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes section Affected...
CVE-2025-53679
An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1,...
Mersive Solstice Pod API 安全漏洞
The Mersive Solstice Pod API is an application programming interface from Mersive USA. A security vulnerability exists in Mersive Solstice Pod API versions 5.5 and 6.2, which originates from an unauthenticated api/config endpoint that exposes sensitive information, potentially leading to session...
CVE-2025-66291
OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has...
CVE-2025-66290
OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...
EUVD-2025-199903
OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the interview attachment retrieval endpoint in the Recruitment module serves files based solely on an authenticated session and user-supplied identifiers, without verifying whether the requester has...
EUVD-2025-199906
OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the password reset workflow does not enforce that the username submitted in the final reset request matches the account for which the reset process was originally initiated. After obtaining a valid reset...
CVE-2025-66224
OrangeHRM versions 5.0–5.7 contain an input-neutralization flaw in mail configuration and delivery workflow where user-controlled values flow into the sendmail path without sanitization, allowing OS command strings to be constructed and enabling file writes on the server and potential code execut...
OrangeHRM 授权问题漏洞
OrangeHRM is a human resource management system HRM from OrangeHRM, Inc. in the United States. The system supports personnel information management, leave management, attendance management and recruitment management. An authorization issue vulnerability exists in OrangeHRM versions 5.0 through 5....
wolfSSL 安全漏洞
wolfSSL CyaSSL is a small, portable embedded SSL programming library for use by embedded systems developers from wolfSSL, Inc. in the United States. A security vulnerability exists in wolfSSL CyaSSL versions 5.8.2 and earlier, which stems from improper validation of the TLS 1.3 CertificateVerify...
CVE-2025-55123
Improper neutralization of input in Revive Adserver 5.5.2 and 6.0.1 and earlier versions causes manager accounts to be able to craft XSS attacks to their own advertiser users...
WordPress Email Subscribers & Newsletters plugin <= 5.9.10 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Ananda Dhakal Patchstack in WordPress Plugin Email Subscribers & Newsletters versions = 5.9.10...
ClipBucket V5 安全漏洞
ClipBucket V5 is a video hosting platform for MacWarrior individual developers. A security vulnerability exists in ClipBucket V5 5.5.2-146 and prior versions, which stems from the Manage Photos feature mishandling the Photo Title parameter, which could lead to a stored cross-site scripting attack...
PYSEC-2025-126
Weblate is a web based localization tool. In versions 5.14 and below, Weblate leaks the IP address of the project member inviting the user to the project in the audit log. The audit log includes IP addresses from admin-triggered actions, which can be viewed by invited users. This issue is fixed i...
ClipBucket V5 跨站脚本漏洞
ClipBucket V5 is a video hosting platform for MacWarrior individual developers. A cross-site scripting vulnerability exists in ClipBucket v5 versions 5.5.2 through 147, which stems from the Collection tags feature not escaping HTML or JavaScript, and could lead to a stored cross-site scripting...
EUVD-2025-37010
Dell Unity, versions 5.4 and prior, contains an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution and Elevation of privilege...