34 matches found

Positive Technologies · added 2026/06/01 12:00 a.m. · 12 views

PT-2026-45447

A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate...

CVSS 7.5 · AI score 6.3 · EPSS 0.00299 · Exploits 0 · References 6
NVD · added 2026/05/14 6:16 p.m. · 13 views

CVE-2026-44542

FileBrowser Quantum is a free, self-hosted, web-based file manager. Prior to 1.3.1-stable and 1.3.9-beta, attacker-controlled path input is joined with a trusted base path prior to sanitization, allowing traversal sequences (e.g., ../) to escape the intended shared directory. As a result, an...

CVSS 9.1 · EPSS 0.00443 · Exploits 1 · References 1
CVE · added 2026/03/07 4:12 p.m. · 12 views

CVE-2026-29194

CVE-2026-29194 affects Netmaker (WireGuard-based networks). Before v1.5.0, the Authorize middleware can mishandle host JWT validation when hostAllowed=true, allowing a valid host token to bypass subsequent authorization checks without verifying host-resource authorization. An attacker with knowle...

CVSS 8.6 · AI score 5.8 · EPSS 0.00366 · Exploits 0 · References 2 · Affected Software 1
OSV · added 2026/03/07 4:12 p.m. · 5 views

CVE-2026-29194 Netmaker: Insufficient Authorization in Host Token Verification

Netmaker makes networks with WireGuard. Prior to version 1.5.0, the Authorize middleware in Netmaker incorrectly validates host JWT tokens. When a route permits host authentication (hostAllowed=true), a valid host token bypasses all subsequent authorization checks without verifying that the host is...

CVSS 8.6 · AI score 5.8 · EPSS 0.00366 · Exploits 0 · References 4
Github Security Blog · added 2026/03/05 9:48 p.m. · 7 views

Plane is Vulnerable to Unauthenticated Workspace Member Information Disclosure

Executive Summary: A security vulnerability exists in the Plane project management platform that allows unauthenticated attackers to enumerate workspace members and extract sensitive information including email addresses, user roles, and internal identifiers. The vulnerability stems from Django RE...

CVSS 7.5 · AI score 5.9 · EPSS 0.00377 · Exploits 0 · References 4 · Affected Software 1
Positive Technologies · added 2026/03/02 12:00 a.m. · 5 views

PT-2026-22545

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.5 · AI score 6.1 · EPSS 0.0055 · Exploits 1 · References 18
Github Security Blog · added 2026/02/10 12:29 a.m. · 14 views

FUXA Affected by a Path Traversal Sanitization Bypass

Summary: A flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directorie...

CVSS 8.6 · AI score 7.5 · EPSS 0.01216 · Exploits 0 · References 7 · Affected Software 1
RedhatCVE · added 2026/01/07 9:17 a.m. · 7 views

CVE-2025-1084

A vulnerability, which was classified as problematic, has been found in Mindskip xzs-mysql 学之思开源考试系统 3.9.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to the public...

CVSS 5.3 · AI score 6.6 · EPSS 0.00289 · Exploits 1 · References 1
Positive Technologies · added 2025/11/05 12:00 a.m. · 3 views

PT-2025-45156

Name of the Vulnerable Software and Affected Versions: Quipux versions 4.0.1 through e1774ac. Description: Quipux versions 4.0.1 through e1774ac are susceptible to SQL injection attacks. Authenticated users can exploit this issue through multiple PHP scripts and parameters. Specifically, the followi...

CVSS 9.9 · AI score 7.4 · EPSS 0.00446 · Exploits 0 · References 5
EUVD · added 2025/10/03 8:07 p.m. · 4 views

EUVD-2025-13567

Malicious code in bioql PyPI...

CVSS 5.3 · AI score 4.9 · EPSS 0.00233 · Exploits 1 · References 5
NVD · added 2025/07/17 11:15 p.m. · 3 views

CVE-2025-7763

A vulnerability, which was classified as problematic, was found in thinkgem JeeSite up to 5.12.0. Affected is the function select of the file src/main/java/com/jeesite/modules/cms/web/SiteController.java of the component Site Controller. The manipulation of the argument redirect leads to open...

CVSS 5.3 · EPSS 0.00397 · Exploits 1 · References 6
OSV · added 2025/06/10 8:13 p.m. · 7 views

GHSA-M9JH-JF9H-X3H2 OctoPrint vulnerable to possible file extraction via upload endpoints

Impact: OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows an attacker with the FILEUPLOAD permission to exfiltrate files from the host that OctoPrint has read access to, by moving them into the upload folder where they then can be downloaded from. The primary ris...

CVSS 5.4 · AI score 5.7 · EPSS 0.00209 · Exploits 0 · References 4
Vulnrichment · added 2025/05/06 6:31 a.m. · 10 views

CVE-2025-4327 MRCMS cross-site request forgery

A vulnerability was found in MRCMS 3.1.2. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Multiple endpoints...

CVSS 5.3 · AI score 4.7 · EPSS 0.00233 · Exploits 1 · References 4
Positive Technologies · added 2025/04/28 12:00 a.m. · 0 views

PT-2025-27746

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to 6.12.0-54.el10.aarch64 Description: A vulnerability in the Linux kernel has been resolved, specifically in the RDMA/mlx5 component. The issue occurs upon RQ destruction when the firmware command fails, causing...

CVSS 6.8 · AI score 6.5 · EPSS 0.00143 · Exploits 0
NVD · added 2025/04/14 8:15 a.m. · 12 views

CVE-2025-3557

A vulnerability, which was classified as problematic, has been found in ScriptAndTools eCommerce-website-in-PHP 3.0. Affected by this issue is some unknown functionality. The manipulation leads to cross-site request forgery. The attack may be launched remotely. The exploit has been disclosed to t...

CVSS 5.3 · EPSS 0.00273 · Exploits 1 · References 5
Positive Technologies · added 2025/04/14 12:00 a.m. · 2 views

PT-2025-16210 · Unknown · Scriptandtools Ecommerce-Website-In-Php

Name of the Vulnerable Software and Affected Versions: ScriptAndTools eCommerce-website-in-PHP version 3.0. Description: A problematic issue has been identified in ScriptAndTools eCommerce-website-in-PHP. The issue affects some unknown functionality and allows for cross-site request forgery (CSRF)...

CVSS 5.3 · AI score 4.5 · EPSS 0.00273 · Exploits 1 · References 12
Github Security Blog · added 2025/04/09 1:09 p.m. · 11 views

wallabag/wallabag Has Multiple Cross-Site Request Forgery (CSRF) Vulnerabilities

Impact: wallabag versions prior to 2.6.11 were discovered to contain multiple Cross-Site Request Forgery (CSRF) vulnerabilities across several endpoints. An attacker could craft a malicious link or page that, if visited by a logged-in wallabag user, could trick the user's browser into performing...

AI score 7.9 · Exploits 0 · References 20 · Affected Software 1
Debian CVE · added 2025/03/26 1:44 p.m. · 7 views

CVE-2025-23203

Icinga Director is an Icinga config deployment tool. A security vulnerability has been found, starting in version 1.0.0 and prior to 1.10.4 and 1.11.4, on several Director endpoints of the REST API. To reproduce this vulnerability, an authenticated user with permission to access the Director is required...

CVSS 5.5 · AI score 5.4 · EPSS 0.00344 · Exploits 0
RedhatCVE · added 2025/03/22 11:46 a.m. · 6 views

CVE-2024-9340

A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundar...

CVSS 7.5 · AI score 7.1 · EPSS 0.00896 · Exploits 1 · References 1
Github Security Blog · added 2025/03/20 12:32 p.m. · 20 views

ZenML unauthenticated DoS via Multipart Boundary

A Denial of Service (DoS) vulnerability in zenml-io/zenml version 0.66.0 allows unauthenticated attackers to cause excessive resource consumption by sending malformed multipart requests with arbitrary characters appended to the end of multipart boundaries. This flaw in the multipart request boundar...

CVSS 7.5 · AI score 7.1 · EPSS 0.00896 · Exploits 1 · References 5 · Affected Software 1