CVE-2026-34596

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use TOCTOU race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by...

CVE-2026-34596 Sandboxie-Plus local privilege escalation via TOCTOU race condition in UpdUtil addon installation

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use TOCTOU race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by...

CVE-2026-34596

Sandboxie-Plus (Windows) prior to v1.17.3 contains a TOCTOU race during addon installation. UpdUtil.exe runs as SYSTEM via SandBoxieSvc, stages updater files in %TEMP%\sandboxie-updater, verifies hashes against the addon manifest, then extracts files.cab and runs config.exe. An unprivileged user ...

CVE-2026-34596 Sandboxie-Plus local privilege escalation via TOCTOU race condition in UpdUtil addon installation

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, a Time-of-Check-to-Time-of-Use TOCTOU race condition exists during addon installation. When a user installs an addon through the SandMan interface, UpdUtil.exe is spawned as SYSTEM by...

CVE-2026-1920

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

EUVD-2026-10468

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

CVE-2026-1920

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

CVE-2026-1920 Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

CVE-2026-1920 Booktics <= 1.0.16 - Missing Authorization to Addon Plugin Installation

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ExtensionController::updateitempermissionscheck' function in all versions up to, and including, 1.0.16. This...

PT-2026-24175

The Booking Calendar for Appointments and Service Businesses – Booktics plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'Extension Controller::update item permissions check' function in all versions up to, and including, 1.0.16. Thi...

CVE-2025-10249 Slider Revolution <= 6.7.37 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Read

The Slider Revolution plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on several functions in all versions up to, and including, 6.7.37. This makes it possible for authenticated attackers, with Contributor-level access and above...

PT-2024-12112 · Unknown · Cs-Cart Multivendor

Name of the Vulnerable Software and Affected Versions: CS-Cart MultiVendor version 4.16.1 Description: A Directory Traversal vulnerability allows remote attackers to run arbitrary code via a crafted zip file when installing a new add-on. This issue enables attackers to potentially execute malicio...

NextMove Lite < 2.18.2 - Cross-Site Request Forgery

Description The NextMove Lite plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.18.1. This is due to missing or incorrect nonce validation on the xladdoninstallation function. This makes it possible for unauthenticated attackers to install addons...

SUSE CVE-2011-2370

Mozilla Firefox before 5.0 does not properly enforce the whitelist for the xpinstall functionality, which allows remote attackers to trigger an installation dialog for a 1 add-on or 2 theme via unspecified vectors...

SUSE CVE-2011-3001

Mozilla Firefox 4.x through 6, Thunderbird before 7.0, and SeaMonkey before 2.4 do not prevent manual add-on installation in response to the holding of the Enter key, which allows user-assisted remote attackers to bypass intended access restrictions via a crafted web site that triggers an...

SUSE CVE-2015-4498

The add-on installation feature in Mozilla Firefox before 40.0.3 and Firefox ESR 38.x before 38.2.1 allows remote attackers to bypass an intended user-confirmation requirement by constructing a crafted data: URL and triggering navigation to an arbitrary http: or https: URL at a certain early poin...

Moodle Teacher Enrollment Privilege Escalation to RCE

Moodle version 3.9, 3.8 to 3.8.3, 3.7 to 3.7.6, 3.5 to 3.5.12 and earlier unsupported versions allow for a teacher to exploit chain to RCE. A bug in the privileges system allows a teacher to add themselves as a manager to their own class. They can then add any other users, and thus look to add...

USN-3991-3: Firefox regression

USN-3991-1 fixed vulnerabilities in Firefox, and USN-3991-2 fixed a subsequent regression. The update caused an additional regression that resulted in Firefox failing to load correctly after executing it in safe mode. This update fixes the problem. We apologize for the inconvenience. Original...

Ubuntu 16.04 LTS / 18.04 LTS : Firefox vulnerabilities (USN-3991-1)

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3991-1 advisory. Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could...

Ubuntu: Security Advisory (USN-3991-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2019 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...