491 matches found
BIT-LIBPYTHON-2026-7774 tarfile.data_filter path traversal bypass allows writing outside the extraction directory
tarfile.data_filter could be bypassed using crafted link entries, including symlinks with empty or directory-like names, to redirect later archive members outside the intended extraction directory. This allowed a malicious tar archive to cause tarfile.extractall to write files outside the...
UBUNTU-CVE-2026-37713
An issue in Dolibarr ERP/CRM v.22.0.0 through v.22.0.4 and v.24.0.0-alpha allows a remote attacker to execute arbitrary code via the htdocs/core/class/commonobject.class.php...
CVE-2026-1612
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...
PT-2026-29008
AL-KO Robolinho Update Software has hard-coded AWS Access and Secret keys that allow anyone to access AL-KO's AWS bucket. Using the keys directly might give the attacker greater access than the app itself. Key grants AT LEAST read access to some of the objects in bucket. The vendor was notified...
Malicious Package
Overview: @al-ui/useappinsights is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
WordPress Subitem AL Slider plugin <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability
Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin Subitem AL Slider versions <= 1.0.0...
CVE-2026-1634 Subitem AL Slider <= 1.0.0 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2026-1634
CVE-2026-1634 concerns the WordPress plugin Subitem AL Slider. Affected versions are all up to and including 1.0.0, vulnerable to Reflected Cross-Site Scripting via the PHP_SELF parameter due to insufficient input sanitization and output escaping. Unauthenticated attackers could inject scripts i...
EUVD-2026-5743
The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WordPress plugin Subitem AL Slider cross-site scripting vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
PT-2026-6894
Name of the Vulnerable Software and Affected Versions: Subitem AL Slider versions prior to 1.0.1. Description: The Subitem AL Slider plugin for WordPress is susceptible to Reflected Cross-Site Scripting. This is due to insufficient input sanitization and output escaping related to the $_SERVER['PHP...
CVE-2026-24006 Seroval affected by Denial of Service via Deeply Nested Objects
Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a depthLimit parameter in...
CVE-2025-14137
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
CVE-2025-14137 Simple AL Slider <= 1.2.10 - Reflected Cross-Site Scripting via $_SERVER['PHP_SELF']
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
WordPress plugin Simple AL Slider cross-site scripting vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site...
PT-2025-50855
The Simple AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the $_SERVER['PHP_SELF'] variable in all versions up to, and including, 1.2.10 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...
Amazon Linux 2023 : binutils, binutils-devel, binutils-gprofng (ALAS2023-2025-1301)
It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2025-1301 advisory. A vulnerability has been found in GNU Binutils 2.45. This impacts the function bfd_elf_gc_record_vtentry of the file bfd/elflink.c of the component Linker. The manipulation leads to out-of-bounds read. Loc...
Malicious code in poliaoz-aiks-al (npm)
Source: amazon-inspector 81da736051f89a4d3735b96dcc2378b26b9b7019b61f054499882d6539a51874. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...