377 matches found
Download Monitor < 4.4.5 - SQL Injection
The Download Monitor plugin for WordPress is vulnerable to SQL injection via the 'orderby' parameter in versions before 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attacker...
CVE-2026-12918
The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of...
CVE-2026-13080
The CVE concerns the WordPress plugin WPFunnels – Funnel Builder for WooCommerce with Checkout & One Click Upsell . It is vulnerable to Local File Inclusion (LFI) in all versions up to and including 3.12.7 via the logKey parameter. The issue can be exploited by an attacker with at least administr...
EUVD-2026-42076
NocoBase through 2.1.20 contains a server-side request forgery vulnerability in the serverRequest wrapper that allows authenticated administrators to issue arbitrary outbound HTTP requests by supplying malicious URLs to workflow request nodes, custom request action buttons, or the AI plugin...
EUVD-2026-40441
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...
CVE-2026-56333 Capgo - Server-Side Validation Bypass via Direct Browser-Side Organization Security Settings Updates
Capgo before 12.128.2 contains a server-side validation bypass vulnerability in organization security settings that allows authenticated org admins to persist invalid security policy state. Attackers can bypass backend validation by directly updating the public.orgs table from the browser,...
CVE-2026-11975
Stored cross-site scripting XSS in NewsItemApiController In SimplCommerce prior to commit 6142d3b5 allows an authenticated administrator to execute arbitrary JavaScript via the ShortContent and FullContent fields, which are stored without HTML sanitization and rendered unencoded via @Html.Raw...
EUVD-2016-10880
WordPress CP Polls 1.0.8 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions on behalf of authenticated users. Attackers can craft malicious HTML pages that execute unwanted poll operations when administrators visit the page while logged in...
Palo Alto Networks PAN-OS 跨站脚本漏洞
Palo Alto Networks PAN-OS is an operating system developed by Palo Alto Networks for its firewall devices. Palo Alto Networks PAN-OS has a cross-site scripting vulnerability. This vulnerability stems from cross-site scripting, and it could allow malicious authenticated administrators to use the w...
Palo Alto Networks PAN-OS 操作系统命令注入漏洞
Palo Alto Networks PAN-OS is an operating system developed by Palo Alto Networks for its firewall devices. Palo Alto Networks PAN-OS has a vulnerability related to command injection. This vulnerability arises from command injections, which may allow authenticated administrators to bypass system...
CVE-2026-0417
Insufficient input validation vulnerability in the listed NETGEAR devices allows authenticated administrators connected to the local network to tamper with the router's integrity...
CVE-2026-0418
Insufficient configuration management in the listed devices allows authenticated administrators connected to the local network to tamper with the system...
CVE-2026-0410
CVE-2026-0410 affects certain NETGEAR routers. The issue is insufficient input validation that allows authenticated administrators on the local network to gain elevated access and make unauthorized changes to router software and functionality. The provided documents describe the affected conditio...
PT-2026-47818
Name of the Vulnerable Software and Affected Versions NETGEAR affected versions not specified Description A buffer overflow occurs due to insufficient input validation of buffers. This allows authenticated administrators connected to the local network to make unauthorized modifications to the...
NETGEAR Routers 输入验证错误漏洞
NETGEAR Routers are a series of routers produced by NETGEAR, a company in the United States. NETGEAR Routers have a vulnerability related to input validation. This vulnerability stems from insufficient input validation, which may allow administrators who have passed authentication to make...
TP-Link Archer MR600 操作系统命令注入漏洞
The TP-Link Archer MR600 is a wireless router produced by TP-Link Corporation. The TP-Link Archer MR600 v5 version has a vulnerability related to operating system command injection. This vulnerability stems from improper handling of user-controlled inputs in the web management interface, leading ...
PT-2026-47296
QloApps through 1.7.0 contains a stored cross-site scripting vulnerability in the admin file manager that allows authenticated administrators to inject malicious JavaScript by uploading crafted SVG files. Attackers can embed JavaScript event handlers such as onload within SVG files uploaded throu...
CVE-2026-7566
The LearnPress – Backup & Migration Tool plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.4 via deserialization of untrusted input . This makes it possible for authenticated attackers, with administrator-level access and above, to inject a PHP...
CVE-2026-8978
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'orderby' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on t...
CVE-2026-6448 Quiz and Survey Master (QSM) <= 11.1.2 - Authenticated (Admin+) SQL Injection via 'order' and 'limit' Parameters
The Quiz and Survey Master QSM – Easy Quiz and Survey Maker plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' parameter in all versions up to, and including, 11.1.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on...