CVE-2026-25883
Vexa is an open-source, self-hostable meeting bot API and meeting transcription API. Prior to 0.10.0-260419-1910, the Vexa webhook feature allows authenticated users to configure an arbitrary URL that receives HTTP POST requests when meetings complete. The application performs no validation on th...
CVE-2026-23866
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggerin...
EUVD-2026-26666
Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device, including triggerin...
PT-2026-36500
Name of the Vulnerable Software and Affected Versions: WhatsApp for iOS versions 2.25.8.0 through 2.26.15.72; WhatsApp for Android versions 2.25.8.0 through 2.26.7.10. Description: Incomplete validation of AI rich response messages for Instagram Reels allows a user to trigger the processing of media...
Vikunja Security Vulnerability
Vikunja is an open-source to-do application developed by Vikunja. Versions of Vikunja prior to 2.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the DELETE /api/v1/projects/:project/shares/:share endpoint, which did not validate the project to which link sharing belonge...
Admidio Vulnerable to SSRF and Local File Read via Unrestricted URL Fetch in SSO Metadata Endpoint
The SSO metadata fetch endpoint at modules/sso/fetchmetadata.php accepts an arbitrary URL via $_GET['url'], validates it only with PHP's FILTER_VALIDATE_URL, and passes it directly to file_get_contents. FILTER_VALIDATE_URL accepts file://, http://, ftp://, data://, and php:// scheme URIs. An authenticated...
NiceGUI apps are vulnerable to XSS which uses `ui.sub_pages` and render arbitrary user-provided links
Summary: An unsafe implementation in the click event listener used by ui.sub_pages, combined with attacker-controlled link rendering on the page, causes an XSS when the user actively clicks on the link. Details: 1. On click, eventually a subpagesnavigate event is emitted...
CVE-2025-55179
Incomplete validation of rich response messages in WhatsApp for iOS prior to v2.25.23.73, WhatsApp Business for iOS v2.25.23.82, and WhatsApp for Mac v2.25.23.83 could have allowed a user to trigger processing of media content from an arbitrary URL on another user’s device. We have not seen...
Livemarks Cross-Site Request Forgery Vulnerability
Livemarks is an extension by Tim Nguyen, an individual developer, that restores RSS feed Livemarks in Firefox. A security vulnerability exists in Livemarks versions prior to 3.7, which stems from the presence of a cross-site request forgery (CSRF) vulnerability. An attacker can exploit the vulnerabili...
WordPress Security Vulnerability
WordPress Link Library is a plugin for the WordPress application. Link Library plugin versions prior to 7.2.8 have an arbitrary link removal vulnerability, which stems from links being removable without authorization; attackers can exploit it to remove arbitrary links via carefully crafted requests...
CVE-2021-24749 URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
The URL Shortify WordPress plugin before 1.5.1 does not have a CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged-in admin delete arbitrary links and groups via a CSRF attack...
URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
The plugin does not have a CSRF check in place when bulk-deleting links or groups, which could allow attackers to make a logged-in admin delete arbitrary links and groups via a CSRF attack. PoC https://example.com/wp-admin/admin.php?page=uslinks=bulkdeleteids=1...
Debian DLA-2269-1 : wordpress security update
Several vulnerabilities were discovered in WordPress, a web blogging tool. They allowed remote attackers to perform various cross-site scripting (XSS) attacks, create open redirects, escalate privileges, and bypass authorization access. CVE-2020-4046 In affected versions of WordPress, users with lo...