1683 matches found
XWiki DeleteApplication - Cross-Site Scripting
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 6.2-milestone-1 through 16.10.9 and 17.0.0-rc-1 through 17.4.1 of both XWiki Platform Flamingo Skin Resources and XWiki Platform Web Templates are vulnerable to a reflected XSS attack...
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a...
EUVD-2026-34055
The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...
CVE-2026-9732 EmergencyWP <= 1.4.2 - Cross-Site Request Forgery to Plugin Settings Update
The EmergencyWP – Dead Man's switch & legacy deliverance plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4.2. This is due to missing or incorrect nonce validation on the formsettingsui settings save handler, procedural include scope functio...
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a...
Android Is Fighting Phone Scams With a New Feature to Prove Who’s Calling
Available for Android 12 and later, the anti-scam feature is baked into Google Dialer, which sends a silent “confirmation signal” to ensure whoever’s calling you is who they appear to be...
praisonai-platform: Any workspace member can delete the entire workspace via DELETE /workspaces/{id}
Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspaceid endpoint is gated only by requireworkspacememberworkspaceid default minrole="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project,...
PT-2026-45485
Summary Type: Authorization bypass enabling destructive action. The DELETE /workspaces/workspace id endpoint is gated only by require workspace memberworkspace id default min role="member". Any member of the workspace can issue a single DELETE to wipe the entire workspace, including every project...
project_hydra
Project HYDRA Automated vulnerability discovery & exploitat...
CVE-2026-35675 phpMyFAQ - Authentication Bypass via Missing Password Reset Token in /api/user/password/update
phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in the password reset endpoint that allows unauthenticated attackers to reset any user account password without token verification or email confirmation. Attackers can enumerate valid usernames, obtain plaintext passwords via...
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a...
OpenSSH: OpenSSH: Low integrity impact from unconfirmed proxy-mode multiplexing sessions
A flaw was found in OpenSSH. This vulnerability allows for a low integrity impact due to the omission of connection multiplexing confirmation for proxy-mode multiplexing sessions. A local user, under specific and complex conditions requiring user interaction, could potentially establish a...
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
CVE-2026-44707
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover Pre-ATO vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not...
CVE-2026-44707 Chatwoot: Pre-Account Takeover via OAuth on Unconfirmed Accounts
Chatwoot is a customer engagement suite. From 2.14.0 to before 4.13.0, a Pre-Account Takeover Pre-ATO vulnerability existed in Chatwoot's authentication flow. Because email confirmation was not enforced before an account became usable, an attacker could pre-register an email address they did not...
CVE-2026-48700
A flaw was found in PCManFM-Qt. This vulnerability allows an attacker to achieve arbitrary code execution or bypass network security restrictions. This occurs when a specially crafted file path, provided as a Uniform Resource Identifier URI in a D-Bus method call, causes PCManFM-Qt to open the fi...
Cross-site Scripting (XSS)
Overview @umbraco-cms/backoffice is a This package contains the types for the Umbraco Backoffice. Affected versions of this package are vulnerable to Cross-site Scripting XSS via the confirmation dialog element. An attacker can execute arbitrary scripts in the context of the affected application ...
Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. Patches This issue has been patched in 17.4.0...
GHSA-VR9V-27GG-QGX4 Umbraco.Cms: XSS/HTML Injection in Umbraco Backoffice confirmation dialog
Impact Authenticated users are able to inject HTML vulnerability into an input field, which is rendered in the confirmation dialog without proper output encoding. Patches This issue has been patched in 17.4.0...