GHSA-9V4J-7G44-QCQW Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

Algernon: Auto-refresh SSE event server binds to all interfaces with Access-Control-Allow-Origin: * and no authentication

Summary When auto-refresh is enabled, Algernon spins up an SSE handler that streams a data: line for every filesystem event under the watched directory. The handler performs no authentication of any kind — no shared token, no cookie check against the permissions2 userstate, no IP allow-list, no...

CVE-2026-25476

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in library/auth.inc.php runs only when skiptimeoutreset is not present in the request. When skiptimeoutreset=1 is sent, the entire block th...

CVE-2026-25476 OpenEMR has Session Timeout Bypass via skip_timeout_reset

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in library/auth.inc.php runs only when skiptimeoutreset is not present in the request. When skiptimeoutreset=1 is sent, the entire block th...

CVE-2024-1731

The CVE-2024-1731 entry concerns the Auto Refresh Single Page plugin for WordPress. It is vulnerable to PHP Object Injection in all versions up to 1.1 via deserialization of untrusted input from the arsp_options post meta option. An authenticated attacker with contributor-level access or higher c...

WordPress Auto Refresh Single Page Plugin <= 1.1 is vulnerable to PHP Object Injection

Software Auto Refresh Single Page Type Plugin Vulnerable versions = 1.1 Fixed in N/A OWASP Top 10 A1: Injection Classification PHP Object Injection CVE CVE-2024-1731 Patch priority Low CVSS severity Low 8.8 Developer Claim ownership PSID d58385aa0db1 Credits Francesco Carlucci Required privilege...

MyBB ChangUonDyU Plugin 1.0.2 - Cross-Site Scripting

Exploit Title: MyBB ChangUonDyU Advanced Statistics Plugin v1.0.2 - Cross-Site Scripting Date: 5/25/2018 Author: 0xB9 Twitter: @0xB9Sec Contact: 0xB9atpm.me Software Link: https://community.mybb.com/mods.php?action=view&pid=1125 Version: 1.0.2 Tested on: Ubuntu 18.04 CVE: CVE-2018-11532 1...