CVE-2026-20003

A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this vulnerability by sending...

CVE-2026-20017

Cisco Secure FTD Software CLI contains a vulnerability due to insufficient input validation of user-supplied CLI arguments. An authenticated, local attacker with valid admin credentials could execute arbitrary OS commands as root. Impact is privilege escalation with potential for high confidentia...

CVE-2026-20003

A vulnerability in the REST API of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this vulnerability by sending...

CVE-2026-20002

A vulnerability in the web-based management interface of Cisco Secure FMC Software could allow an authenticated, remote attacker to conduct SQL injection attacks on an affected system. This vulnerability is due to inadequate validation of user-supplied input. An attacker could exploit this...

CVE-2019-25505 Tradebox 5.4 SQL Injection via symbol Parameter

Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthlydeposit endpoint with malicious symbol values using boolean-based blind,...

Bdtask Tradebox SQL注入漏洞

Bdtask Tradebox is an inventory management system developed by the Bangladeshi company Bdtask. Version 5.4 of Bdtask Tradebox contains a SQL injection vulnerability. This vulnerability stems from the symbol parameter, which allows for SQL injections. It is possible for authenticated attackers to...

WordPress plugin Page Builder by SiteOrigin 路径遍历漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVE-2026-24350

PluXml CMS is vulnerable to Stored XSS in file uploading functionality. An authenticated attacker can upload an SVG file containing a malicious payload, which will be executed when a victim clicks the link associated with the uploaded image. In version 5.9.0-rc7 clicking the link associated with...

CVE-2026-23702

An OS command injection vulnerability exists in XWEB Pro version 1.12.1 and prior, enabling an authenticated attacker to achieve remote code execution on the system by sending malicious input injected into the server username field of the import preconfiguration action in the API V1 route...

CVE-2026-26934

Improper Validation of Specified Quantity in Input CWE-1284 in Kibana can allow an authenticated attacker with view-only privileges to cause a Denial of Service via Input Data Manipulation CAPEC-153. An attacker can send a specially crafted, malformed payload causing excessive resource consumptio...

CVE-2026-20036 Cisco UCS Manager Software Command Injection Vulnerability

A vulnerability in the CLI and web-based management interface of Cisco UCS Manager Software could allow an authenticated, remote attacker with valid administrative privileges to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to...

CVE-2025-70327

TOTOLINK X5000R v9.1.0cu2415B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen...

CVE-2019-25435

CVE-2019-25435 affects Sricam DeviceViewer 3.12.0.1. The issue is a local, stack‑based buffer overflow in the User Management → Add User function. An attacker with authenticated access can bypass DEP and inject a payload via the Username field to execute arbitrary code through a ROP chain. The re...

CVE-2025-12975

The CVE-2025-12975 entry concerns CTX Feed – WooCommerce Product Feed Manager for WordPress (

CVE-2019-25373

OPNsense 19.1 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input to the category parameter. Attackers can send POST requests to firewallrulesedit.php with script payloads in the category field to execute...

WordPress plugin WP Last Modified Info 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2025-15157 Starfish Review Generation & Marketing for WordPress <= 3.1.19 - Authenticated (Subscriber+) Arbitrary Options Update via srm_restore_options_defaults

The Starfish Review Generation & Marketing for WordPress plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the 'srmrestoreoptionsdefaults' function in all versions up to, and including, 3.1.19. This...

CVE-2026-2276

CVE-2026-2276 describes a reflected XSS in Wix’s web app where uploading SVGs to the endpoint https://manage.wix.com/account/account-settings permits embedded JavaScript execution after storage. Authenticated users could upload crafted SVG content; when others view the image, script executes in t...

CVE-2026-0652

On TP-Link Tapo C260 v1, command injection vulnerability exists due to improper sanitization in certain POST parameters during configuration synchronization. An authenticated attacker can execute arbitrary system commands with high impact on confidentiality, integrity and availability. It may cau...

CVE-2026-25957 Cube Denial of Service (DoS) - An authenticated attacker can crash the server by sending a specially crafted request

Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2...