102442 matches found
tickets cross-site scripting vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of the id and ticketid GET parameters in the patient.php file, allowing...
tickets SQL injection vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the direct concatenation of the sort and dir GET parameters into the ORDER BY clause in...
tickets SQL injection vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple POST parameters in the dbloader.php file—ticketsdb, ticketshost, ticketsuser, a...
tickets cross-site scripting vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of the type POST parameter in the landb.php file, allowing uncleaned valu...
tickets SQL injection vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from multiple POST parameters in tables.php—tablename, indexname, and sortby—which were...
PT-2026-42538
LiteLLM prior to 1.83.14 allows an authenticated internal user to create API keys with access to routes that their role does not permit. When generating a key, the allowed routes field is stored without verifying that the specified routes fall within the user's own permissions. A key created with...
F5 Networks BIG-IP : BIG-IP APM vulnerability (K000161056)
The version of F5 Networks BIG-IP installed on the remote host is prior to 17.1.3.1 / 17.5.1.4 / 21.0.0.1. It is, therefore, affected by a vulnerability as referenced in the K000161056 advisory. When a BIG-IP APM access policy is configured on a virtual server, undisclosed traffic can cause...
tickets cross-site scripting vulnerability
Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of the frmaddstr POST parameter in the ics213rr.php file, allowing...
Mattermost path traversal vulnerability
Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.6.0 and earlier 11.6.x series, 11.5.3 and earlier 11.5.x series, 11.4.4 and earlier 11.4.x series, as well as 10.11.14 and earlier 10.11.x series, have a path...
CVE-2026-40102 Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics
Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation (unlike the regular AnalyticsEndpoint, which checks against an allowlist), causing ORM Field...
CVE-2026-20223
Cisco Secure Workload is affected by a vulnerability in the access validation of internal REST APIs that could allow an unauthenticated, remote attacker to access site resources with Site Admin privileges. The issue arises from insufficient validation/authentication when accessing REST API endpoi...
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Summary: The /api/v1/chatflows/apikey/:apikey endpoint (whitelisted, accessible with API key auth only) returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...
GHSA-C2C9-MFW7-P8HW Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Summary: The /api/v1/chatflows/apikey/:apikey endpoint (whitelisted, accessible with API key auth only) returns all chatflows bound to the provided API key AND all chatflows across the entire system that have no API key assigned. This crosses workspace boundaries, allowing a user in Workspace A who...
CVE-2026-5783 Reflected XSS in Beyaz Computer's CityPLus
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0...
libsndfile: integer overflow in ima_reader_init()
A flaw was found in the libsndfile library. An integer overflow in the IMA ADPCM codec can occur when a specially crafted WAV audio file is processed, specifically with malicious samplesperblock and blocks values. This can lead to a heap-based buffer overflow, causing a crash to the application...
EUVD-2026-31067
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...
Astra Linux - vulnerability in mariadb-10.3
In MariaDB version 10.5.9, an application can crash due to certain long SELECT DISTINCT statements that improperly interact with storage-engine resource limitations related to temporary data structures...
Astra Linux - vulnerability in mariadb-10.3
MariaDB before version 10.6.5 has a sqllex.cc integer overflow issue, which can lead to an application crash...
Astra Linux - vulnerability in zabbix
Stored or persistent cross-site scripting (XSS) is a type of XSS attack where the attacker first sends the malicious payload to the web application. The application then stores the payload (e.g., in a database or server-side text files). Eventually, the application inadvertently executes the payload...
Astra Linux – Vulnerability in DjVuLibre
A flaw was discovered in djvulibre-3.5.28 and earlier. An integer overflow in the render function in tools/ddjvu, through a crafted djvu file, may cause the application to crash and lead to other issues...