EUVD-2024-55547

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

CVE-2024-4867

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

CVE-2024-10242

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an...

CVE-2024-10242

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an...

CVE-2024-4867

The CVE-2024-4867 entry describes a cross-site scripting (XSS) vulnerability in the WSO2 API Manager developer portal. User-supplied input is not properly validated or output-encoded, enabling injection of script content executed in the user’s browser. Exploitation can cause the UI to redirect to...

CVE-2024-4867 Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

Cross-site Request Forgery

RedwoodSDK is vulnerable to Cross-site Request Forgery. The vulnerability is due to server functions exported from 'use server' files being invoked via GET requests, bypassing their intended HTTP method, where browsers send SameSite=Lax cookies on top-level GET requests and an attacker could...

EUVD-2026-23180

The Basic Google Maps Placemarks plugin for WordPress is vulnerable to authorization bypass in versions up to, and including, 1.10.7. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify...

CVE-2026-3581

The CVE-2026-3581 entry concerns the Basic Google Maps Placemarks plugin for WordPress. Affected component: the plugin itself (WordPress plugin for map placemarks). Root cause: authorization bypass due to improper verification of user permissions, leading to unauthenticated users being able to mo...

EUVD-2026-23155

An Incorrect Permission Assignment for Critical Resource vulnerability in the ASUS DriverHub update process allows privilege escalation due to improper protection of required execution resources during the validation phase, permitting a local user to make unprivileged modifications. This allows t...

EUVD-2026-23141

OpenHarness prior to commit dd1d235 contains a command injection vulnerability that allows remote gateway users with chat access to invoke sensitive administrative commands by exploiting insufficient distinction between local-only and remote-safe commands in the gateway handler. Attackers can...

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the PUT request handler in the UDR service, which failed to properly return values after request parsing or...

WordPress plugin Livemesh Addons for Elementor 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

PT-2026-33303

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site...

CVE-2026-40173

Dgraph is an open source distributed GraphQL database. Versions 25.3.1 and prior contain an unauthenticated credential disclosure vulnerability where the /debug/pprof/cmdline endpoint is registered on the default mux and reachable without authentication, exposing the full process command line...

CVE-2026-40163

Saltcorn is an extensible, open source, no-code database application builder. Prior to 1.4.5, 1.5.5, and 1.6.0-beta.4, the POST /sync/offlinechanges endpoint allows an unauthenticated attacker to create arbitrary directories and write a changes.json file with attacker-controlled JSON content...

EUVD-2026-22938

A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic...

CVE-2025-40897

An access control vulnerability was discovered in the Threat Intelligence functionality due to a specific access restriction not being properly enforced for users with view-only privileges. An authenticated user with view-only privileges for the Threat Intelligence functionality can perform...

PT-2026-33069

Name of the Vulnerable Software and Affected Versions Windsurf version 1.9544.26 Description A prompt injection issue occurs when the application processes attacker-controlled HTML content. This allows remote attackers to execute arbitrary commands on a victim system without user interaction. The...

CVE-2026-30615

A prompt injection vulnerability in Windsurf 1.9544.26 allows remote attackers to execute arbitrary commands on a victim system. When Windsurf processes attacker-controlled HTML content, malicious instructions can cause unauthorized modification of the local MCP configuration and automatic...