17 matches found
CVE-2026-33708
Chamilo LMS is a learning management system. Prior to 1.11.38, the getuserinfofromusername REST API endpoint returns personal information (email, first name, last name, user ID, active status) of any user to any authenticated user, including students. There is no authorization check. This...
CVE-2026-27659
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
EUVD-2026-15806
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a craft...
CVE-2026-27659
Mattermost CSRF in UpdateAccessControlPolicyActiveStatus: versions 11.2.x ≤ 11.2.2, 10.11.x ≤ 10.11.10, 11.4.x ≤ 11.4.0, 11.3.x ≤ 11.3.1 fail to validate CSRF tokens on /api/v4/access_control_policies/{policy_id}/activate, enabling an attacker to trick an admin into changing an access control pol...
CVE-2026-30831
Rocket.Chat is an open-source, secure, fully customizable communications platform. Prior to versions 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, authentication vulnerabilities exist in Rocket.Chat's enterprise DDP Streamer service. The Account.login method exposed through the DDP...
EUVD-1999-0618
Malware in sbrugna...
GO-2025-3822 Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources in goauthentik.io
Authentik has insufficient check for account active status when authenticating with OAuth/SAML Sources in goauthentik.io. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...
CVE-2025-53942 authentik has an insufficient check for account active status during OAuth/SAML authentication
authentik is an open-source Identity Provider that emphasizes flexibility and versatility, with support for a wide set of protocols. In versions 2025.4.4 and earlier, as well as versions 2025.6.0-rc1 through 2025.6.3, deactivated users who registered through OAuth/SAML or linked their accounts to...
CVE-2024-11260
The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to time-based SQL Injection via the activestatus parameter in all versions up to, and including, 6.6.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
LTL Freight Quotes – Old Dominion Edition 4.2.10 SQL Injection Vulnerability
CVE-2024-13489 LTL Freight Quotes – Old Dominion Edition = 5.6 AND error-bas...
LTL Freight Quotes – TForce Edition 3.6.4 SQL Injection
LTL Freight Quotes – TForce Edition versions 3.6.4 and below suffer from an unauthenticated remote SQL injection vulnerability. CVE-2024-13478 LTL Freight Quotes – TForce Edition <= 3.6.4 - Unauthenticated SQL Injection Description The LTL Freight Quotes – TForce Edition plugin for WordPress is...
CVE-2024-12427
| creationtimestamp | type | source |
|---|---|---|
| 2025-01-16 09:44:29+00:00 | seen | https://infosec.exchange/users/cve/statuses/113837386587970746 |
| 2025-01-16 09:55:30+00:00 | seen | https://t.me/DarkWebInformerCVEAlerts/1927 |
| 2025-01-16 10:15:43+00:00 | seen | ... |
WordPress Radio Player 2.0.82 Server-Side Request Forgery Vulnerability
CVE-2024-54385 Radio Player <= 2.0.82 - Unauthenticated Server-Side Request Forgery Description The Radio Player – Live Shoutcast, Icecast and Any Audio Stream Player for WordPress plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.0.82. This...
Employee Management System v1 - (email) SQL Injection Vulnerability
Exploit Title: Employee Management System v1 - 'email' SQL Injection Application: Employee Management System Date: 19.02.2024 Bugs: SQL Injection Exploit Author: SoSPiro Vendor Homepage: https://www.sourcecodester.com/ Software Link:...
Facebook Introduces New Features for End-to-End Encrypted Messenger App
Meta Platforms on Monday announced that it has started to expand global testing of end-to-end encryption (E2EE) in Messenger chats by default. "Over the next few months, more people will continue to see some of their chats gradually being upgraded with an extra layer of protection provided by...
DRUPAL-CONTRIB-2022-001
This module enables you to login with an email address. The module doesn't sufficiently check if a user account is active when using email login. This vulnerability is mitigated by the fact that an attacker must have an account in the website that is blocked...