43608 matches found
DNN 安全漏洞
DNN also known as DotNetNuke is an open-source content management system CMS developed by the American company DNN, supported by Microsoft and based on the ASP.NET platform. This system features easy installation, scalability, and rich functionality. Versions of DNN prior to 10.2.2 contained...
craftql 安全漏洞
Craftql is a server developed by Mark Huot, an individual developer, that provides GraphQL interfaces for the Craft CMS. Versions of Craftql 1.3.7 and earlier contained security vulnerabilities. These vulnerabilities stemmed from server-side request forgeing in the...
GHSA-C276-FJ82-F2PQ ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
Summary The choices and counts query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing publicApiProjection restrictions that are intended to limit which fields are...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33889 via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33889 Source advisory: OSV:GHSA-97V6-998M-FP4G...
@draadnl/openstad-cms (>=0.12.2 <=0.12.3), apostrophe-personas (>=2.0.0 <=2.2.1) +3 more potentially affected by CVE-2026-33888 via apostrophe (>=0.5.393 <=2.227.12)
apostrophe NPM version =0.5.393, =0.12.2, =2.0.0, =0.5.0, =1.0.0, =1.0.2 Source cves: CVE-2026-33888 Source advisory: OSV:GHSA-XHQ9-58FW-859P...
EUVD-2026-23015
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint...
CVE-2026-30993
Slah CMS v1.5.0 and below was discovered to contain a remote code execution RCE vulnerability in the session function at config.php. This vulnerability is exploitable via a crafted input...
Security update for openssl-1_1
This update for openssl-11 fixes the following issues: CVE-2026-28387: Potential use-after-free in DANE client code bsc1260441. CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL bsc1260442. CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInfo...
SUSE-SU-2026:1386-1 Security update for openssl-1_1
This update for openssl-11 fixes the following issues: - CVE-2026-28387: Potential use-after-free in DANE client code bsc1260441. - CVE-2026-28388: NULL Pointer Dereference When Processing a Delta CRL bsc1260442. - CVE-2026-28389: Possible NULL dereference when processing CMS KeyAgreeRecipientInf...
EUVD-2026-23188
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wpajaxacymailingrouter AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and...
CVE-2026-3614 AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wpajaxacymailingrouter AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and...
FUEL CMS 安全漏洞
FUEL CMS is a content management system CMS developed by David McReynolds using the Codelgniter framework. Version 1.5.2 of FUEL CMS has a security vulnerability, which stems from a problem with the forgot password feature. This issue may allow unverified attackers to obtain the password reset...
PT-2026-34571
Name of the Vulnerable Software and Affected Versions Statamic versions prior to 5.73.20 Statamic versions prior to 6.13.0 Description Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, can lead to the loss of content, assets, and user accounts...
CVE-2026-40500
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
Cross-site Scripting (XSS)
Overview @apostrophecms/seo is a SEO Tools for ApostropheCMS Affected versions of this package are vulnerable to Cross-site Scripting XSS in renderNodes, via SEO Title and Meta Description values, where user-controlled input is rendered without proper output encoding into HTML contexts such as...
CVE-2026-40500 ProcessWire CMS SSRF via Add Module From URL
ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests t...
CVE-2026-39857 Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct operations that bypass the publicApiProjection...
CVE-2026-33877
CVE-2026-33877 affects ApostropheCMS (Node.js). Versions up to 4.28.0 contain a timing side-channel in the password reset endpoint /api/v1/@apostrophecms/login/reset-request, enabling unauthenticated enumeration of usernames/emails via differences in response time. When no user is found, the hand...
EUVD-2026-22985
Slah CMS v1.5.0 and below was discovered to contain a remote code execution RCE vulnerability in the session function at config.php. This vulnerability is exploitable via a crafted input...
EUVD-2026-22989
Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereadorver.php endpoint...