CVE-2026-8054

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' in the Publish Audit API endpoints /api/auditPublishing/get and /api/auditPublishing/getAll in dotCMS Core 25.11.04-1 through 26.04.28-02 allows remote unauthenticated attackers to read, modify, or destroy arbitrar...

WordPress User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection vulnerability

Authenticated Subscriber+ PHP Object Injection vulnerability discovered by d.v4ns3c in WordPress Plugin WP User Frontend versions = 4.3.1...

EUVD-2026-24252

Decidim is a participatory democracy framework. Starting in version 0.0.1 and prior to versions 0.30.5 and 0.31.1, the root level commentable field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that hav...

PT-2026-33428

Dell PowerProtect Data Domain appliances with Data Domain Operating System DD OS of Feature Release versions 8.0 through 8.5, LTS2025 release version 8.3.1.0 through 8.3.1.10 contain an insertion of sensitive information into log file vulnerability. A low privileged attacker with remote access...

CVE-2026-1579

The CVE-2026-1579 issue affects PX4 Autopilot via the MAVLink protocol. Without MAVLink 2.0 message signing, unauthenticated entities with access to the MAVLink interface can send messages (including SERIAL_CONTROL, which can grant interactive shell access), potentially compromising devices that ...

CVE-2026-20915

Stored cross-site scripting XSS in Checkmk version 2.5.0 beta before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sidebar...

GHSA-M983-7426-5HRJ Ech0 authenticated user-list exposed data via public `/api/allusers` endpoint

Summary A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration. Details The vulnerable route is registered as a public endpoint:...

PT-2026-24836

Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.0 Description SiYuan is a personal knowledge management system. The /api/network/forwardProxy endpoint allows authenticated users to make arbitrary HTTP requests from the server. The endpoint accepts a...

CVE-2021-33259

Several web interfaces in D-Link DIR-868LW 1.12b have no authentication requirements for access, allowing for attackers to obtain users' DNS query history...

CVE-2021-0090

Uncontrolled search path element in IntelR DSA before version 20.11.50.9 may allow an authenticated user to potentially enable an escalation of privilege via local access...

CVE-2019-12463

An issue was discovered in LibreNMS 1.50.1. The scripts that handle graphing options includes/html/graphs/common.inc.php and includes/html/graphs/graphs.inc.php do not sufficiently validate or encode several fields of user supplied input. Some parameters are filtered with mysqlirealescapestring,...

EUVD-2011-1377

Malware in sbrugna...

EUVD-2023-38327

Malicious code in bioql PyPI...

EUVD-2021-6950

Malicious code in bioql PyPI...

EUVD-2023-36158

Malicious code in bioql PyPI...

EUVD-2023-30275

Malicious code in bioql PyPI...

EUVD-2023-53987

Malicious code in bioql PyPI...

EUVD-2021-30271

Malicious code in bioql PyPI...

EUVD-2023-12626

Malicious code in bioql PyPI...

PT-2025-30340 · Romm · Romm

Name of the Vulnerable Software and Affected Versions: RomM versions 4.0.0-beta.3 and below Description: RomM is a tool that allows users to manage their game collections. An authenticated arbitrary file write issue exists in the /api/saves endpoint. This can lead to Remote Code Execution. The...