CVE-2026-43877

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

CVE-2026-43877

WWBN AVideo is an open source video platform. In versions up to and including 29.0, objects/userSavePhoto.php is a legacy profile-photo endpoint that accepts a base64 POST parameter and writes the decoded bytes to videos/userPhoto/photo.png. Its only access control is User::isLogged. It does not...

CVE-2026-4117

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

CVE-2026-4117

CVE-2026-4117 affects the WordPress CalJ plugin (≤ v1.5). The vulnerability is caused by a missing authorization check in the CalJSettingsPage constructor that processes the POST operation 'save-obtained-key' without verifying the user’s capability or nonce, allowing authenticated users (Subscrib...

CVE-2025-13864

The Breeze - WordPress Cache Plugin plugin for WordPress is vulnerable to unauthorized cache clearing in all versions up to, and including, 2.2.21. This is due to the REST API endpoint /wp-json/breeze/v1/clear-all-cache being registered with permissioncallback = 'returntrue' and authentication...

CVE-2025-12084

When building nested elements using xml.dom.minidom methods such as appendChild that have a dependency on clearidcache the algorithm is quadratic. Availability can be impacted when building excessively nested documents...

@actbase/react-native-simple-video contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

@actbase/react-absolute contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

Exploit for CVE-2025-56799

CVE-2025-56799 OS Command Injection Vulnerability via Cach...

CVE-2025-2888

During a snapshot rollback, the client incorrectly caches the timestamp metadata. If the client checks the cache when attempting to perform the next update, the update timestamp validation will fail, preventing the next update until the cache is cleared. Users should upgrade to tough version 0.20...

PT-2025-6545 · WordPress · Speedsize Image & Video Ai-Optimizer

Name of the Vulnerable Software and Affected Versions: SpeedSize Image & Video AI-Optimizer plugin for WordPress versions up to, and including, 1.5.1 Description: The issue is due to missing or incorrect nonce validation on the speedsize clear css cache action function, making it possible for...

CVE-2024-13715

The zStore Manager Basic plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the zstoreclearcache function in all versions up to, and including, 3.311. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

PT-2025-2254 · WordPress · Zstore Manager Basic

Name of the Vulnerable Software and Affected Versions: zStore Manager Basic plugin for WordPress versions up to, and including, 3.311 Description: The issue is related to a missing capability check on the zstore clear cache function, which allows authenticated attackers with Subscriber-level acce...

CVE-2024-0623

The VK Block Patterns plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.31.1.1. This is due to missing or incorrect nonce validation on the vbpclearpatternscache function. This makes it possible for unauthenticated attackers to clear the...

CVE-2023-1925

The WP Fastest Cache plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1.2. This is due to missing or incorrect nonce validation on the wpfcclearcacheofallsitescallback function. This makes it possible for unauthenticated attackers to clear cache...

CVE-2021-0432

In ClearPullerCacheIfNecessary and ForceClearPullerCache of StatsPullerManager.cpp, there is a possible use-after-free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.Product:...

CVE-2017-1000406

OpenDaylight Karaf 0.6.1-Carbon fails to clear the cache after a password change, allowing the old password to be used until the Karaf cache is manually cleared e.g. via restart...

symfony 1.3.2 and 1.4.2

We have just released the latest stable versions of symfony: 1.3.2 and 1.4.2. These releases include numerous bug fixes and one security fix. The bundled version of Propel has also been updated to version 1.4.1. We recommend all 1.3.x and 1.4.x projects upgrade to these latest releases immediatel...

CVE-2009-4367

The Staging Webservice "sitecore modules/staging/service/api.asmx" in Sitecore Staging Module 5.4.0 rev.080625 and earlier allows remote attackers to bypass authentication and 1 upload files, 2 download files, 3 list directories, and 4 clear the server cache via crafted SOAP requests with arbitra...