Server-side Request Forgery (SSRF)
Overview: @utcp/http provides HTTP utilities for UTCP. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the OpenApiConverter process. An attacker can access internal network resources and sensitive metadata endpoints by supplying a malicious OpenAPI specification...
GHSA-537J-GQPC-P7FQ n8n Vulnerable to XSS via MCP OAuth client
Impact: An unauthenticated attacker could register a malicious MCP OAuth client with a crafted clientname. If a victim user authorized the OAuth consent dialog and a second user subsequently revoked that access, a toast notification would render the injected script. Clicking the link would execute...
PT-2026-32727
A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context. Impact - Stored XSS via mail...
CVE-2026-31869
Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the ComposerControllermentions endpoint reveals hidden group membership to any authenticated user who can message the group. By supplying allowednames referencing a hidden-membership grou...
CVE-2025-48382 Fess has Insecure Temporary File Permissions
Fess is a deployable Enterprise Search Server. Prior to version 14.19.2, the createTempFile method in org.codelibs.fess.helper.SystemHelper creates temporary files without explicitly setting restrictive permissions. This could lead to potential information disclosure, allowing unauthorized local...
PT-2025-4007 · Joeybling · Bootplus
Name of the Vulnerable Software and Affected Versions: JoeyBling bootplus versions up to 247d5f6c209be1a5cf10cd0fa18e1d8cc63cf55d Description: A critical issue has been found, allowing for remote SQL injection. The manipulation of the sort/order argument in an unknown function of the file...
PT-2024-39424 · Sourcecodester · Sourcecodester Loan Management System
Name of the Vulnerable Software and Affected Versions: SourceCodester Modern Loan Management System version 1.0 Description: A critical issue has been found, allowing for SQL injection through the manipulation of the searchMember argument in the file search member.php. This can be exploited...
PT-2024-28305 · WordPress · Gallery Plugin
Name of the Vulnerable Software and Affected Versions: The Gallery Plugin for WordPress versions prior to 1.8.15 Description: The issue is related to the lack of sanitization and escaping of some image settings in the plugin, which could allow users with post-writing privileges, such as Authors, ...
PT-2024-9654 · Adobe · Experience Manager
Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.21 and earlier Description: The issue is related to insufficient protection of the web page structure in Adobe Experience Manager, which could allow a remote attacker to execute arbitrary code. This is a...
PT-2024-38330 · WordPress · Pdf Builder For Wpforms
Name of the Vulnerable Software and Affected Versions: PDF Builder for WPForms plugin for WordPress versions up to, and including, 1.2.116 Description: The issue is related to Full Path Disclosure, which occurs because the plugin allows direct access to the composer-setup.php file with display...
PT-2024-27337 · Evmos · Evmos
Name of the Vulnerable Software and Affected Versions: Evmos versions prior to V18.1.0 Description: The issue is related to liquid staking using Safe, which is a contract. The bug appears when there is a local state change together with an ICS20 transfer in the same function, and it uses the...
PT-2024-25990 · Unknown · Wpsoul Table Maker
Name of the Vulnerable Software and Affected Versions: Wpsoul Table Maker versions 1.9.1 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an attacker can inject malicious...
PT-2024-22178 · Very Good Plugins · Wp Fusion Lite
Name of the Vulnerable Software and Affected Versions: WP Fusion Lite versions 3.41.24 and earlier Description: The issue is related to an Improper Neutralization of Special Elements used in a Command ('Command Injection') vulnerability. This vulnerability allows Command Injection in Very Good...
PT-2024-3606 · Foxit · Foxit Reader
Name of the Vulnerable Software and Affected Versions: Foxit Reader version 2024.1.0.23997 Description: A type confusion vulnerability exists in the way Foxit Reader handles a Lock object. This can be triggered by specially crafted JavaScript code inside a malicious PDF document, leading to...
PT-2024-1906 · Google +4 · Google Chrome +4
Name of the Vulnerable Software and Affected Versions: Google Chrome versions prior to 122.0.6261.94 Description: The issue is related to a type confusion in the V8 JavaScript engine of Google Chrome, which can lead to object corruption. A remote attacker can potentially exploit this issue via a...
PT-2024-20286 · Atmail · Atmail
Name of the Vulnerable Software and Affected Versions: Atmail version 6.6.0 Description: The issue is a SQL injection vulnerability that can be exploited via the username parameter on the login page. Recommendations: For Atmail version 6.6.0, avoid using the username parameter in the login page...
PT-2024-2034 · Otrs · Otrs
Name of the Vulnerable Software and Affected Versions: OTRS versions 7.0.X through 7.0.48; OTRS versions 8.0.X through 8.0.37; OTRS versions 2023.X through 2023.1.1 Description: The issue is related to the handling of attachments in ticket comments, allowing another user to add attachments...
PT-2024-15448 · Unknown · Kashipara Food Management System
Name of the Vulnerable Software and Affected Versions: Kashipara Food Management System version 1.0 Description: A critical vulnerability has been found in the Kashipara Food Management System. This issue affects an unknown part of the file rawstock used damaged submit.php. The manipulation of th...
PT-2023-32925 · Unknown · Campcodes Online College Library System
Name of the Vulnerable Software and Affected Versions: Campcodes Online College Library System version 1.0 Description: A critical vulnerability was found in the Campcodes Online College Library System. The issue affects an unknown function of the file /admin/category row.php of the component HTT...
PT-2023-30704 · Smartertools · Smartermail
Name of the Vulnerable Software and Affected Versions: SmarterTools SmarterMail versions 8495 through 8664 before 8747 Description: The issue allows stored DOM XSS because an XSS protection mechanism is skipped when messageHTML and messagePlainText are set in the same request. Recommendations: Fo...