24 matches found
CVE-2026-1509
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
CVE-2026-42205 Avo: Broken Access Control: Unauthorized Execution of Arbitrary Action Classes Across Resources
Avo is a framework to create admin panels for Ruby on Rails apps. Prior to version 3.31.2, a broken access control vulnerability was identified in the ActionsController of the Avo framework. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of...
Broken Access Control Through Unauthorized Execution of Arbitrary Action Classes Across Resources
Summary: A critical Broken Access Control vulnerability was identified in the ActionsController of the Avo framework v3.x. Due to insecure action lookup logic, an authenticated user can execute any Action class descendants of Avo::BaseAction on any resource, even if the action is not registered fo...
EUVD-2026-22820
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
[SECURITY] Fedora 44 Update: kf6-purpose-6.25.0-1.fc44
Purpose offers the possibility to create integrate services and actions on any application without having to implement them specifically. Purpose will offer them mechanisms to list the different alternatives to execute given the requested action type and will facilitate components so that all the...
CVE-2026-1509 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
CVE-2026-1509
The CVE concerns the Avada (Fusion) Builder plugin for WordPress, affected in all versions up to 3.15.1. The root cause is the output_action_hook() function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks, allowing authenticated ...
CVE-2026-1509 Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output_action_hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
PT-2026-32994
The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's output action hook function accepting user-controlled input to trigger any registered WordPress action hook without proper...
EUVD-2021-12296
Malware in sbrugna...
EUVD-2021-28798
Malicious code in bioql PyPI...
CVE-2025-6948
An issue has been discovered in GitLab CE/EE affecting all versions from 17.11 before 17.11.6, 18.0 before 18.0.4, and 18.1 before 18.1.2 that, under certain conditions, could have allowed a successful attacker to execute actions on behalf of users by injecting malicious content...
CVE-2025-6948
Removed by vendor...
CVE-2021-25380
Improper handling of exceptional conditions in Bixby prior to version 3.0.53.02 allows attacker to execute the actions registered by the user...
WordPress CozyStay theme <= 1.7.0 - Missing Authorization to Arbitrary Action Execution in ajax_handler vulnerability
Missing Authorization to Arbitrary Action Execution in ajax_handler vulnerability discovered by Lucio Sá in WordPress Theme CozyStay versions <= 1.7.0...
Execution does not work if the action has a non-zero value
Vulnerability details: Llama instances have a separate LlamaExecutor contract for action execution. When calling LlamaCore.executeAction, the flow is the following (for simplicity, we ignore action guards): The function does internal validation: checking the current action state is...
Accidentally setting expirationPeriod to Zero will cause all actions execution to Fail.
Vulnerability details: Description: During action execution, when a user calls executeAction, the function calls getActionState to get the current state of the action. If the action was queued successfully and the disapproval check passed, the function checks whether the action expired by...
CVE-2023-29400
Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}") executed with empty input can result in output with unexpected results when parsed due to HTML normalization rules. This may allow injection of arbitrary attributes into tags...
CVE-2023-1749
The listed versions of Nexx Smart Home devices lack proper access control when executing actions. An attacker with a valid NexxHome deviceId could send API requests that the affected devices would execute...
CVE-2021-41790
An issue was discovered in Hyland org.alfresco:alfresco-content-services through 7.0.1.2. Script Action execution allows executing scripts uploaded outside of the Data Dictionary. This could allow a logged-in attacker to execute arbitrary code inside a sandboxed environment...