7921 matches found
Magento 2 Amasty Order Attributes < 4.0.0 - Unauthenticated Arbitrary File Upload
Amasty Order Attributes for Magento 2 4.0.0 contains an unrestricted file upload vulnerability caused by lack of authentication and validation in the upload endpoint, letting unauthenticated attackers upload arbitrary files including PHP, enabling remote code execution or malware hosting. id:...
CVE-2026-15759 ChatHelp <= 3.5.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes
The ChatHelp – Click to Chat Button, WooCommerce Chat to Order & Floating Chat Form plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'number' and 'group' Shortcode Attributes in all versions up to, and including, 3.5.1 due to insufficient input sanitization and output escapin...
CVE-2026-44174
Kirby is an open-source content management system. Prior to 4.9.1 and 5.4.1, Kirby did not validate the model attributes that were used in its collection queries, allowing attackers to include arbitrary model methods in their queries. This includes methods with sensitive data such as password...
CVE-2026-15945
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...
CVE-2026-15945
A flaw was found in the group search functionality of the Keycloak server's administrative API. When Fine-Grained Admin Permissions FGAP v2 is enabled, a delegated administrator can bypass access restrictions to view parent groups they are not authorized to see. By searching for a child group the...
CVE-2026-13397
HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
CVE-2026-13401
XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
CVE-2026-13401
CVE-2026-13401 affects Perl’s XML::Bare up to version 0.53. The vulnerability is a hang/infinite loop in the attribute parser: the parserc_parse state cursor does not advance for certain malformed attribute forms (e.g., nameless attributes like ), causing looping. Impact is a potential denial-of-...
CVE-2026-13401 XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes
XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
EUVD-2026-44964
XML::Bare versions through 0.53 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
CVE-2026-13397
CVE-2026-13397 affects HTML::Bare up to version 0.04 for Perl. The vulnerability is an infinite loop in the parser when encountering certain malformed attributes, because parserc_parse does not advance the attribute-parse state cursor for those forms (e.g., nameless attributes like and unbalance...
EUVD-2026-44963
HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
CVE-2026-13397 HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes
HTML::Bare versions through 0.04 for Perl will hang in an infinite loop when parsing malformed attributes. The parsercparse function never advances the attribute-parse state cursor on certain malformed attribute forms, looping forever. Nameless attributes such as "" or unbalanced quotes "" can...
CrushFTP < 10.5.1 - Unauthenticated Remote Code Execution
CrushFTP prior to 10.5.1 is vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes. id: CVE-2023-43177 info: name: CrushFTP 10.5.1 - Unauthenticated Remote Code Execution author: iamnoooob,rootxharsh,pdresearch severity: critical description: | CrushFTP prior...
CVE-2026-15697
A flaw was found in svgdotjs svg.js. A remote attacker could exploit a vulnerability in the EventTarget.on function, which improperly controls modifications to object prototype attributes. This could allow an attacker to manipulate object properties, potentially leading to unintended behavior or...
Linux Distros Unpatched Vulnerability : CVE-2026-49459
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve...
kernel: ima: don't clear IMA_DIGSIG flag when setting or removing non-IMA xattr
In the Linux kernel, the following vulnerability has been resolved: ima: don't clear IMADIGSIG flag when setting or removing non-IMA xattr Currently when both IMA and EVM are in fix mode, the IMA signature will be reset to IMA hash if a program first stores IMA signature in security.ima and then...
CVE-2026-49459
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...
CVE-2026-49459 DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Prior to 3.4.6, DOMPurify.sanitizeroot, INPLACE: true could preserve event-handler attributes on an attacker-controlled root when a descendant name clobbered properties checked by isClobbered, because forceRemove...