158589 matches found
Social Auto Poster <= 5.3.14 - Stored Cross-Site Scripting
Social Auto Poster plugin for WordPress versions up to 5.3.14 contains a stored cross-site scripting caused by insufficient sanitization and escaping of 'mapTypes' parameter in the 'wpwautopostermapwordpressposttype' AJAX function, letting unauthenticated attackers inject and execute arbitrary...
Ametys CMS Information Disclosure
Ametys CMS before 4.5.0 allows a remote unauthenticated attacker to read documents such as plugins/web/service/search/auto-completion/domain/en.xml and similar pathnames for other languages via the auto-completion plugin, which contain all characters typed by all users, including the content of...
WordPress Car Seller - Auto Classifieds Script - SQL Injection
The requestlistrequest AJAX call of the Car Seller - Auto Classifieds Script WordPress plugin through 2.1.0, available to both authenticated and unauthenticated users, does not sanitize, validate or escape the orderid POST parameter before using it in a SQL statement, leading to a SQL injection...
G Auto-Hyperlink <= 1.0.1 - SQL Injection
The G Auto-Hyperlink WordPress plugin through 1.0.1 does not sanitise or escape an 'id' GET parameter before using it in a SQL statement, to select data to be displayed in the admin dashboard, leading to an authenticated SQL injection id: CVE-2021-24627 info: name: G Auto-Hyperlink = 1.0.1 - SQL...
CVE-2026-61970
Server-Side Request Forgery SSRF vulnerability in Themeisle Auto Featured Image Auto Post Thumbnail auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image Auto Post Thumbnail: from n/a through = 5.0.4...
CVE-2026-61970
The CVE-2026-61970 entry concerns a Server-Side Request Forgery (SSRF) in the Themeisle Auto Featured Image (Auto Post Thumbnail) WordPress plugin. Affected versions are <= 5.0.4 (reported as from n/a through
CVE-2026-61970 WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 5.0.4 - Server Side Request Forgery (SSRF) vulnerability
Server-Side Request Forgery SSRF vulnerability in Themeisle Auto Featured Image Auto Post Thumbnail auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image Auto Post Thumbnail: from n/a through = 5.0.4...
CVE-2026-12273
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
MAL-2026-10390 Malicious code in timmytuffknuckles9 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 342d7a44db99769023685647376a6042d5a9b345c281826484c9d88561f245ca Package is not a Node library — package.json declares main: sw.js, a browser Service Worker whose first line calls importScripts'./8cfc2/hgshm.js'...
CVE-2026-12273
The CVE-2026-12273 entry concerns Tutor LMS for WordPress (MITRE CVE-2026-12273). Affected component: Tutor LMS WordPress plugin prior to version 3.9.13. Description details a lack of authorization checks and post-target validation in a comment-creation handler, resulting in pre-approved comments...
CVE-2026-12273 Tutor LMS < 3.9.13 - Subscriber+ Arbitrary Auto-Approved Comment Creation
The Tutor LMS WordPress plugin before 3.9.13 does not perform any authorization or post-target validation before creating a comment in one of its handlers, and stores the comment pre-approved, allowing authenticated users with subscriber-level access and above to post auto-approved comments...
CVE-2026-54714
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...
CVE-2026-54714
Technical details about CVE-2026-54714 are not publicly available in the provided documents. Monitor for updates from Logto advisories and releases.
CVE-2026-54714 Logto: XSS via unescaped RelayState in SAML auto-submit form
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...
CVE-2026-54714 Logto: XSS via unescaped RelayState in SAML auto-submit form
Logto is the modern, open-source auth infrastructure for SaaS and AI apps. Prior to 1.41.0, @logto/core reflected the SAML RelayState, SAMLResponse, and actionUrl into a Logto-origin auto-submit HTML form in packages/core/src/saml-application/SamlApplication/utils.ts without HTML-attribute...
CVE-2026-56666 ZITADEL: Auto-linking by email: IdP-side email verification is not checked
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive...
CVE-2026-56666
ZITADEL before v4.15.3 permits auto-linking by email without confirming IdP ownership of the email. The external IdP handler validates the local email but not that the IdP confirms ownership, enabling linking a permissive provider account to a victim’s local account. This vulnerability is address...
CVE-2026-56666 ZITADEL: Auto-linking by email: IdP-side email verification is not checked
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL's external identity provider handler checks that the local user's email is verified but does not verify that the external IdP confirmed ownership of the same email before auto-linking by email, allowing a permissive...
Coder < 2.29.7 / 2.30.x < 2.30.2 Workspace Auto-Creation Without Consent (CVE-2026-44454)
The version of Coder installed on the remote host is prior to 2.29.7 or 2.30.x prior to 2.30.2. It is, therefore, affected by a command injection vulnerability. The dotfiles registry module passed unsanitized user input to shell commands, enabling arbitrary code execution inside provisioned...
CVE-2026-44454
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a craft...