90 matches found

NVD
added 5 days ago, 7 views

CVE-2026-47745

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, EPSS 0.00026
Exploits: 0, References: 2
ATTACKERKB
added 5 days ago, 3 views

CVE-2026-47745

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, AI score 5.9, EPSS 0.00026
Exploits: 0, References: 3, Affected software: 1
EUVD
added 5 days ago, 6 views

EUVD-2026-33406

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, AI score 5.9, EPSS 0.00026
Exploits: 0, References: 2
CVE
added 5 days ago, 10 views

CVE-2026-47745

CVE-2026-47745 affects Shopper: Headless e-commerce Admin Panel. Before 2.8.0, admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions (enable/disable/edit/delete) without per-action permission checks, allowing a low-privilege authenticated user to d...

CVSS 6.5, AI score 5.9, EPSS 0.00026
Exploits: 0, References: 2
Cvelist
added 5 days ago, 24 views

CVE-2026-47745 Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, EPSS 0.00026
Exploits: 0, References: 2
Vulnrichment
added 5 days ago, 6 views

CVE-2026-47745 Shopper: Missing per-action authorization on PaymentMethods, Currencies and Carriers admin tables

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, AI score 5.9, EPSS 0.00026
Exploits: 0, References: 2
CNNVD
added 5 days ago, 3 views

shopper security vulnerability

Shopper is an open-source e-commerce management backend developed by Shopper Labs. Versions of Shopper prior to 2.8.0 contained security vulnerabilities. These vulnerabilities stemmed from the management tables for PaymentMethods, Currencies, and Carriers rendering inline switching options and...

CVSS 6.5, AI score 5.8, EPSS 0.00026
Exploits: 0, References: 2
Positive Technologies
added 5 days ago, 3 views

PT-2026-44945

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, the admin tables for PaymentMethods, Currencies and Carriers exposed inline toggles and per-record actions enable, disable, edit, delete that were rendered for any authenticated panel user without checking the corresponding per-action...

CVSS 6.5, AI score 5.9, EPSS 0.00026
Exploits: 0, References: 3
EUVD
added 2026/04/28 6:09 p.m., 0 views

EUVD-2026-26089

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can exploit positional carrier executable routing through dispatch wrappers to...

CVSS 7.3, AI score 5.5, EPSS 0.00028
Exploits: 0, References: 2
Positive Technologies
added 2026/04/28 12:00 a.m., 4 views

PT-2026-35765

Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.3.28. Description: An execution approval issue exists in exec-approvals-allowlist.ts where allow-always persistence trusts wrapper carrier executables instead of the actual invoked targets. This allows attackers t...

CVSS 7.3, AI score 5.9, EPSS 0.00028
Exploits: 0, References: 5
Cvelist
added 2026/04/08 3:36 a.m., 14 views

CVE-2026-3646 LTL Freight Quotes – R+L Carriers Edition <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to Missing Authorization via the plugin's webhook handler in all versions up to, and including, 3.3.13. This is due to missing authentication, authorization, and nonce verification on a standalone PHP file that...

CVSS 5.3, EPSS 0.00266
Exploits: 0, References: 14
CNNVD
added 2026/04/08 12:00 a.m., 2 views

WordPress plugin LTL Freight Quotes – R+L Carriers Edition security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

CVSS 5.3, AI score 5.8, EPSS 0.00266
Exploits: 0, References: 14
Patchstack
added 2026/04/07 11:13 p.m., 1 view

WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability

WordPress LTL Freight Quotes - R+L Carriers Edition plugin <= 3.3.13 - Missing Authorization to Unauthenticated Settings Update vulnerability discovered by Poli - CMC Global in WordPress Plugin LTL Freight Quotes – R+L Carriers Edition versions <= 3.3.13...

CVSS 5.3, AI score 5.9, EPSS 0.00266
Exploits: 0, References: 1, Affected software: 1
OSV
added 2026/04/01 12:02 a.m., 0 views

GHSA-P4X4-2R7F-WJXG OpenClaw gateway exec allow-always over-trusts positional carrier executables

Summary: Allow-always persistence could trust wrapper carrier executables instead of the actual invoked target when commands were routed through dispatch wrappers. Impact: A one-time approval could persist a broader future allowlist entry than the operator intended, weakening execution approval...

CVSS 7.3, AI score 6.1, EPSS 0.00028
Exploits: 0, References: 4
Github Security Blog
added 2026/03/03 7:46 p.m., 1 view

OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text

Summary: In openclaw up to and including 2026.2.23 (latest npm release as of February 25, 2026), system.run shell-wrapper inputs could present misleading approval/display text while still carrying hidden positional argv payloads that execute at runtime. Affected Packages / Versions: - Package: opencl...

CVSS 9.8, AI score 6.1, EPSS 0.00099
Exploits: 0, References: 6, Affected software: 1
Rapid7 Blog
added 2025/10/30 3:36 p.m., 6 views

Salt Typhoon APT Group: What Public Sector Leaders and Defenders Should Know

The Rapid7 Threat Focus: Salt Typhoon report profiles one of the most sophisticated and persistent state-sponsored threat actors operating today. Salt Typhoon, a Chinese espionage advanced persistent threat (APT) group linked to the Ministry of State Security (MSS), has spent years infiltrating globa...

AI score 7.1
Exploits: 0
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2025-4702

Malicious code in bioql PyPI...

CVSS 7.5, AI score 9.1, EPSS 0.14758
Exploits: 1, References: 4
Packet Storm News
added 2025/08/05 12:00 a.m., 6 views

When Good Sounds Go Adversarial: Jailbreaking Audio-Language Models with Benign Inputs

As large language models become increasingly integrated into daily life, audio has emerged as a key interface for human-AI interaction. However, this convenience also introduces new vulnerabilities, making audio a potential attack surface for adversaries. Our research introduces WhisperInject, a...

AI score 7.3
Exploits: 0
RedhatCVE
added 2025/02/21 11:25 a.m., 6 views

CVE-2024-13481

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to SQL Injection via the 'editid' and 'dropshipeditid' parameters in all versions up to, and including, 3.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 7.5, AI score 7.5, EPSS 0.14758
Exploits: 1, References: 1
NVD
added 2025/02/19 12:15 p.m., 9 views

CVE-2024-13481

The LTL Freight Quotes – R+L Carriers Edition plugin for WordPress is vulnerable to SQL Injection via the 'editid' and 'dropshipeditid' parameters in all versions up to, and including, 3.3.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 7.5, EPSS 0.14758
Exploits: 1, References: 2