ABB Ability OPTIMAX

SUMMARY ABB became aware of severe vulnerability in the products versions listed as affected in the advisory, if the optional integration with Azure Active Directory for Single-Sign On is enabled. We have not received any reports of this vulnerability being exploited. An attacker who...

CVE-2021-47800

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpag...

WordPress plugin Rede Itaú for WooCommerce: Access control error vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001214)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001214 advisory. In the Linux kernel before 4.17, a local attacker able to set attributes on an xfs filesystem could make this filesystem non-operational until the next mount by...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003614)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003614 advisory. The coredump implementation in the Linux kernel before 5.0.10 does not use locking or other mechanisms to prevent vma layout or vma flags changes while it runs, whic...

CVE-2021-47800

CVE-2021-47800 affects b2evolution 7.2.2 and is a cross-site request forgery (CSRF) that enables attackers to modify admin account details without authentication. The vulnerability arises from forged requests triggering admin-profile changes via a crafted webpage loaded by a victim, enabling mani...

CVE-2026-23622 CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from...

CVE-2026-23766

Istio (through 1.28.2) is affected. A local, low-privilege user can inject iptables firewall rules via the traffic.sidecar.istio.io/excludeInterfaces annotation to alter firewall behavior, potentially impacting system integrity. Public descriptions acknowledge this may not represent a traditional...

CVE-2021-47754 Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...

CVE-2021-47754 Arunna 1.0.0 - 'Multiple' Cross-Site Request Forgery (CSRF)

Arunna 1.0.0 contains a cross-site request forgery vulnerability that allows attackers to manipulate user profile settings without authentication. Attackers can craft a malicious form to change user details, including passwords, email, and administrative privileges by tricking authenticated users...

CVE-2025-14482

The Crush.pics Image Optimizer - Image Compression and Optimization plugin for WordPress is vulnerable to unauthorized modification of data due to missing capability checks on multiple functions in all versions up to, and including, 1.8.7. This makes it possible for authenticated attackers, with...

CVE-2025-15377

The Sosh Share Buttons plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing nonce validation on the 'adminpagecontent' function. This makes it possible for unauthenticated attackers to update the plugin's settings via...

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-002179)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002179 advisory. arch/x86/kvm/emulate.c in the KVM subsystem in the Linux kernel through 3.17.2 does not properly perform RIP changes, which allows guest OS users to cause a denial o...

PT-2026-3171

b2evolution 7.2.2 contains a cross-site request forgery vulnerability that allows attackers to modify admin account details without authentication. Attackers can craft a malicious HTML form to submit unauthorized changes to user profiles by tricking victims into loading a specially crafted webpag...

WordPress plugin AffiliateX – Amazon Affiliate Plugin has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003041)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003041 advisory. Since Linux kernel version 3.2, the mremap syscall performs TLB flushes after dropping pagetable locks. If a syscall such as ftruncate removes entries from the...

PT-2026-3099

Name of the Vulnerable Software and Affected Versions Easy!Appointments versions 1.5.2 and earlier Description The application's CSRF protection in application/core/EA Security.php::csrf verify only applies to POST requests, bypassing validation for other request methods like GET. Several...

CVE-2025-71098

In the Linux kernel, the following vulnerability has been resolved: ip6gre: make ip6greheader robust Over the years, syzbot found many ways to crash the kernel in ip6greheader 1. This involves team or bonding drivers ability to dynamically change their dev-neededheadroom and/or dev-hardheaderlen ...

CVE-2026-22814

@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state...

CVE-2025-37185

Vulnerabilities in the web-based management interface of EdgeConnect SD-WAN Orchestrator could allow an authenticated remote attacker to conduct a stored cross-site scripting XSS attacks against an administrative user of the interface. A successful exploit allows an attacker to execute arbitrary...