9305 matches found
WordPress Automatic Plugin <3.92.1 - Arbitrary File Download and SSRF
WordPress Automatic plugin 3.92.1 is vulnerable to unauthenticated Arbitrary File Download and SSRF Located in the downloader.php file, could permit attackers to download any file from a site. Sensitive data, including login credentials and backup files, could fall into the wrong hands. This...
WordPress SEO Tools Plugin 4.0.7 - Cross-Site Scripting
The SEO Tools WordPress plugin through version 4.0.7 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the 'src' parameter in the rssread.php file before outputting it back in the page, which could allow attackers to execute arbitrary...
WordPress Automatic Plugin - Unauthenticated Options Change
WordPress Automatic Plugin versions 3.53.2 and below contains a critical vulnerability that allows unauthenticated users to change arbitrary WordPress options through the processform.php script. The vulnerable script uses updateoption on all POST parameters without authentication or capability...
Pinterest Automatic < 4.14.4 - Unauthenticated Arbitrary Options Update
The Pinterest Automatic plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the 'wppinterestautomaticparserequest' function and the 'processform.php' script in versions up to, and including, 1.14.3. This makes it possible for unauthenticated attackers to...
Malicious code in auto-debug-tool (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8dd31c11b5149d8dd2142c81cc066576dc799ba4dae4599a9569cb56256417ec package.json declares a postinstall hook node install.js that fires automatically on npm install. On Windows, install.js invokes hidden PowerShell -N...
[SECURITY] Fedora 43 Update: clamav-1.4.5-1.fc43
Clam AntiVirus is an anti-virus toolkit for UNIX. The main purpose of this software is the integration with mail servers attachment scanning. The package provides a flexible and scalable multi-threaded daemon, a command line scanner, and a tool for automatic updating via Internet. The programs ar...
CVE-2026-55698
A flaw was found in pnpm, a package manager. This vulnerability allows a remote attacker to achieve arbitrary code execution by committing a specially crafted package-manager lockfile pnpm-lock.yaml to a repository. When pnpm is executed, it trusts an already resolved packageManagerDependencies...
Cross-site Request Forgery (CSRF)
Overview webpack-dev-server is an Uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF via the open-editor and invalidate endpoints. An attacker can open...
CVE-2026-11586
CVE-2026-11586 : curl is vulnerable to memory exhaustion via WebSocket PING handling. The description across sources states that curl automatically responds to WebSocket PING frames and lacks an upper bound on memory allocation for unacknowledged frames, enabling a malicious server to flood curl ...
PT-2026-55445
Name of the Vulnerable Software and Affected Versions coder versions prior to 2.29.7 coder versions prior to 2.30.2 Description A command injection issue exists in the dotfiles registry module where unsanitized user input is passed to shell commands. An attacker can provide a crafted dotfiles uri...
CVE-2026-56045
Unauthenticated Cross Site Scripting XSS in Automatic 3.135.1 versions...
CVE-2026-56045
The CVE-2026-56045 entry applies to the WordPress Automatic plugin versions earlier than 3.135.1, with an unauthenticated Cross Site Scripting (XSS) vulnerability. Affected software: WordPress Automatic plugin (
EUVD-2026-39706
Unauthenticated Cross Site Scripting XSS in Automatic 3.135.1 versions...
CVE-2026-13324
A vulnerability has been identified in the GNOME Geary package within its mailto URI handling component. This flaw occurs because the email client automatically processes a non-standard attach parameter in email links without prompting or alerting the user. An attacker could exploit this by...
CVE-2026-56770
libais through 0.15 VdmStream::AddLine uses an unchecked sentinel value as a vector index when processing AIS sentences with empty or out-of-range sequential message IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM sentences over VHF marine radio or IP feeds,...
CVE-2026-56770
Libais 0.15 is affected by an out-of-bounds vector access in VdmStream::AddLine caused by an unchecked sentinel value used as a vector index when handling AIS sentences with empty or out-of-range sequential IDs. Remote attackers can crash services or vessel systems by sending crafted AIVDM senten...
Malicious code in leo-aws (npm)
The leo-aws npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the LeoPlatform...
CVE-2026-53030
In the Linux kernel, the following vulnerability has been resolved: i3c: master: renesas: Fix memory leak in renesasi3ci3cxfers The xfer structure allocated by renesasi3callocxfer was never freed in the renesasi3ci3cxfers function. Use the freekfree cleanup attribute to automatically free the...
CVE-2026-53065
CVE-2026-53065 affects the Linux kernel ASoC: sti driver. The issue is that regmap_field objects allocated at player init were never freed, potentially leaking resources when the driver is removed. The remediation is to switch to devm_regmap_field_alloc() , which ties the lifetimes of the allocat...
Astra Linux – Vulnerability found in Linux 6.1, Linux 6.12
In the Linux kernel, the following vulnerability has been resolved: SCSI: UFS: Core – Flush exception handling work when RPM level is zero Ensure that exception event handling work is explicitly flushed during suspension when the runtime power management level is set to UFSPMLVL0. When the RPM...