SPIP Ultimate Auditor – Comprehensive Security Assessment Script

SPIP Ultimate Auditor is a Python-based security assessment script designed to perform a multi-phase audit against a SPIP CMS installation. The tool automates reconnaissance and misconfiguration detection tasks to identify potential security weaknesses in a target deployment...

GetSimple CMS 跨站脚本漏洞

GetSimple CMS is an open-source content management system developed by GetSimple CMS. Version 3.3.16 of GetSimple CMS has a cross-site scripting vulnerability. This vulnerability stems from improper output encoding of user inputs for the slug field in component functions. It may lead to...

Unity Linux 20.1060e / 20.1070e Security Update: wireshark (UTSA-2026-005365)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005365 advisory. In Wireshark 3.0.0 to 3.0.6 and 2.6.0 to 2.6.12, the CMS dissector could crash. This was addressed in epan/dissectors/asn1/cms/packet-cms-template.c by ensuring that...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the getTokenRoute function. An attacker can bypass token usage limits by sending concurrent requests before the database update completes,...

GHSA-GP2F-7WCM-5FHX Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Summary The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to t...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the validateHostname function. An attacker can access internal cloud metadata endpoints and retrieve sensitive credentials by exploiting a...

Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding

Summary The SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution separately from the HTTP request. This Time-of-Check-Time-of-Use TOCTOU vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to t...

CVE-2019-25439

NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive...

CVE-2019-25433

XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerarpdf.php endpoint with malicious cid values to extract sensitive database...

openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap

A flaw was found in the OpenSSL CMS implementation RFC 3211 KEK Unwrap. This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption PWRI...

openssl: OpenSSL: Remote code execution or Denial of Service via oversized Initialization Vector in CMS parsing

A flaw was found in OpenSSL. A remote attacker can exploit a stack buffer overflow vulnerability by supplying a crafted Cryptographic Message Syntax CMS message with an oversized Initialization Vector IV when parsing AuthEnvelopedData structures that use Authenticated Encryption with Associated...

openssl: Out-of-bounds read & write in RFC 3211 KEK Unwrap

A flaw was found in the OpenSSL CMS implementation RFC 3211 KEK Unwrap. This vulnerability allows memory corruption, an application level denial of service, or potential execution of attacker-supplied code via crafted CMS messages using password-based encryption PWRI...

CVE-2026-27198

Formwork is a flat file-based Content Management System CMS. In versions 2.0.0 through 2.3.3, the application fails to properly enforce role-based authorization during account creation. Although the system validates that the specified role exists, it does not verify whether the current user has...

CVE-2026-2965

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The...

CVE-2026-2965 07FLYCMS/07FLY-CMS/07FlyCRM System Extension edit.html cross site scripting

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The...

CVE-2026-2965

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The...

CVE-2026-2965

Summary: CVE-2026-2965 affects 07FLYCMS, 07FLY-CMS and 07FlyCRM up to version 1.2.9. The vulnerability exists in the System Extension Module, specifically the /admin/SysModule/edit.html file, where manipulating the Title argument causes cross-site scripting (XSS). The issue can be triggered remot...

PT-2026-21609

Name of the Vulnerable Software and Affected Versions Craft CMS versions 4.5.0-RC1 through 4.16.18 Craft CMS versions 5.0.0-RC1 through 5.8.22 Description Craft CMS is susceptible to a Server-Side Request Forgery SSRF vulnerability in its GraphQL Asset mutation. The validation process performs DN...

PT-2026-21489

A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The...

PT-2026-21610

Name of the Vulnerable Software and Affected Versions Craft versions 4.5.0-RC1 through 4.16.18 Craft versions 5.0.0-RC1 through 5.8.22 Description Craft CMS contains a Time-of-Check-Time-of-Use TOCTOU race condition within its token validation service, specifically affecting tokens configured for...