Lucene search

6148 matches found

RedhatCVE
added 2026/02/20 1:22 a.m., 4 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7, AI score 5.5, EPSS 0.00408
Exploits 0, References 1
ATTACKERKB
added 2026/02/19 11:57 p.m., 5 views

CVE-2026-26964

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

CVSS 2.7, AI score 5.5, EPSS 0.00274
Exploits 1, References 4, Affected Software 1
CVE
added 2026/02/19 11:57 p.m., 22 views

CVE-2026-26964

Windmill CVE-2026-26964 affects Windmill versions 1.634.6 and earlier. The issue allows non-admin workspace members to access the Slack OAuth client secret via GET /api/w/{workspace}/workspaces/get_settings, revealing a secret that should be admin-only. Root cause: Slack configuration was stored ...

CVSS 2.7, AI score 5.5, EPSS 0.00274
Exploits 1, References 3, Affected Software 1
OSV
added 2026/02/19 11:57 p.m., 8 views

CVE-2026-26964 Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

CVSS 2.7, AI score 5.5, EPSS 0.00274
Exploits 1, References 5
NVD
added 2026/02/19 9:18 p.m., 5 views

CVE-2025-67305

In RUCKUS Network Director RND 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the...

CVSS 9.8, EPSS 0.00494
Exploits 1, References 2
Snyk
added 2026/02/19 8:31 p.m., 5 views

Incorrect Privilege Assignment

Overview: getformwork/formwork is a file-based Content Management System (CMS) to make and manage simple sites. Affected versions of this package are vulnerable to Incorrect Privilege Assignment due to insufficient privilege checks in the create user function. An attacker can gain unauthorized...

CVSS 8.8, AI score 5.6, EPSS 0.00415
Exploits 0, References 2
RedhatCVE
added 2026/02/19 1:28 p.m., 6 views

CVE-2026-2426

The WP-DownloadManager plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.69 via the 'file' parameter in the file deletion functionality. This is due to insufficient validation of user-supplied file paths, allowing directory traversal sequences. This make...

CVSS 6.5, AI score 6.6, EPSS 0.01252
Exploits 0, References 1
CVE
added 2026/02/19 12:02 p.m., 12 views

CVE-2019-25404

CVE-2019-25404 affects Comodo Dome Firewall 2.7.0. The vulnerability is a stored XSS in the admin interface, exploitable by an authenticated attacker who submits crafted input to /korugan/admins via POST, injecting scripts into admin_name, name, or surname. The payload is stored and executed when...

CVSS 6.4, AI score 5.2, EPSS 0.00301
Exploits 1, References 4, Affected Software 1
NVD
added 2026/02/19 10:16 a.m., 4 views

CVE-2026-2716

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 4.4, EPSS 0.00189
Exploits 0, References 3
RedhatCVE
added 2026/02/19 7:28 a.m., 5 views

CVE-2026-2281

The Private Comment plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Label text' setting in all versions up to, and including, 0.0.4. This is due to insufficient input sanitization and output escaping on the plugin's label text option. This makes it possible for...

CVSS 4.4, AI score 5.7, EPSS 0.00244
Exploits 0, References 1
NVD
added 2026/02/19 7:17 a.m., 9 views

CVE-2026-1047

The salavat counter Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'imageurl' parameter in all versions up to, and including, 0.9.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 4.4, EPSS 0.00297
Exploits 0, References 5
RedhatCVE
added 2026/02/19 1:27 a.m., 5 views

CVE-2025-62183

Pega Platform versions 8.1.0 through 25.1.1 are affected by a Stored Cross-site Scripting vulnerability in a user interface component. Exploitation requires an administrative user; given that user's already extensive access rights, the impact to Confidentiality and Integrity is low...

CVSS 4.8, AI score 5.5, EPSS 0.00251
Exploits 0, References 1
Positive Technologies
added 2026/02/19 12:00 a.m., 5 views

PT-2026-20588

Name of the Vulnerable Software and Affected Versions: Clasifico Listing plugin for WordPress versions prior to 2.1. Description: The Clasifico Listing plugin for WordPress allows users registering new accounts to set their own role using the listing user role parameter. This can allow unauthenticat...

CVSS 9.8, AI score 5.2, EPSS 0.00413
Exploits 0, References 7
Positive Technologies
added 2026/02/19 12:00 a.m., 6 views

PT-2026-20794

The Client Testimonial Slider plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Testimonial Heading' setting in all versions up to, and including, 2.0. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

CVSS 4.4, AI score 5.7, EPSS 0.00189
Exploits 0, References 3
Positive Technologies
added 2026/02/19 12:00 a.m., 6 views

PT-2026-21344

Name of the Vulnerable Software and Affected Versions: Formwork versions 2.0.0 through 2.3.3. Description: Formwork is a flat file-based Content Management System (CMS). The application does not properly enforce role-based authorization during account creation. Specifically, it does not verify if the...

CVSS 8.8, AI score 5.5, EPSS 0.00415
Exploits 0, References 16
Positive Technologies
added 2026/02/19 12:00 a.m., 6 views

PT-2026-20970

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET /api/w/workspace/workspaces/get...

CVSS 2.7, AI score 5.5, EPSS 0.00274
Exploits 1, References 4
OSV
added 2026/02/18 11:16 p.m., 4 views

DEBIAN-CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7, AI score 5.3, EPSS 0.00408
Exploits 0, References 1
UbuntuCve
added 2026/02/18 11:16 p.m., 3 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7, AI score 5.9, EPSS 0.00408
Exploits 0, References 4
OSV
added 2026/02/18 11:16 p.m., 0 views

UBUNTU-CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploitation could result in Privilege Escalation, potentially allowing full administrative access...

CVSS 5.7, AI score 5.8, EPSS 0.00408
Exploits 0, References 5
CVE
added 2026/02/18 10:59 p.m., 15 views

CVE-2025-15581

Orthanc versions before 1.12.10 are affected by an authorization logic flaw in the HTTP Basic Authentication implementation. Successful exploitation could enable privilege escalation, potentially granting full administrative access. The CVE notes a MEDIUM base score (CVSS 4.0: 5.7) with network a...

CVSS 5.7, AI score 5.5, EPSS 0.00408
Exploits 0, References 4