39 matches found

NVD
added 2026/06/01 9:16 a.m. · 15 views

CVE-2026-10517

A flaw was found in Clair. The fetcher component makes outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors without IP or scheme filtering. When PSK authentication is not configured (opt-in, not enforced by default), an unauthenticated attacker can submit a manifest with...

CVSS 5.8 · EPSS 0.00292
Exploits 0 · References 2

Positive Technologies
added 2026/06/01 12:0 a.m. · 10 views

PT-2026-45353

Name of the Vulnerable Software and Affected Versions: Clair, affected versions not specified. Description: A flaw in the fetcher component allows the system to make outbound HTTP requests to attacker-supplied URIs from manifest layer descriptors because it lacks IP or scheme filtering. When Pre-Shar...

CVSS 5.8 · AI score 5.8 · EPSS 0.00292
Exploits 0 · References 4

ATTACKERKB
added 2026/05/19 4:43 a.m. · 7 views

CVE-2026-32994

The /api/v1/autotranslate.translateMessage endpoint in versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.6, 7.13.8, and 7.10.12 allows any authenticated user to retrieve the full content of any message from any room (private groups, direct messages, channels) by simply providing the target message ID...

CVSS 5.3 · AI score 6.1 · EPSS 0.00252
Exploits 0 · References 2

Positive Technologies
added 2026/05/13 12:0 a.m. · 9 views

PT-2026-40567

The ilGhera Support System for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get ticket content callback' function in all versions up to, and including, 1.3.0. This makes it possible for unauthenticated attackers to view an...

CVSS 5.3 · AI score 5.8 · EPSS 0.00256
Exploits 0 · References 6

ATTACKERKB
added 2026/03/31 10:10 a.m. · 4 views

CVE-2026-4399

Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques formulating a question in such a way that, upon receiving an affirmative response 'true', the model executes the injected instruction,...

CVSS 8.7 · AI score 6 · EPSS 0.00265
Exploits 0 · References 2 · Affected Software 1

Packet Storm News
added 2026/03/26 12:0 a.m. · 4 views

Shape and Substance: Dual-Layer Side-Channel Attacks on Local Vision-Language Models

On-device Vision-Language Models (VLMs) promise data privacy via local execution. However, we show that the architectural shift toward Dynamic High-Resolution preprocessing (e.g., AnyRes) introduces an inherent algorithmic side-channel. Unlike static models, dynamic preprocessing decomposes images in...

AI score 6
Exploits 0

NVD
added 2026/03/19 10:16 p.m. · 5 views

CVE-2026-33394

Discourse is an open-source discussion platform. Prior to versions 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, the Post Edits admin report (/admin/reports/postedits) leaked the first 40 characters of raw post content from private messages and secure categories to moderators who shouldn't have access...

CVSS 2.7 · EPSS 0.00293
Exploits 0 · References 4

Positive Technologies
added 2026/03/19 12:0 a.m. · 7 views

PT-2026-26426

Name of the Vulnerable Software and Affected Versions: Discourse versions prior to 2026.3.0-latest.1; Discourse versions prior to 2026.2.1; Discourse versions prior to 2026.1.2. Description: Discourse is an open-source discussion platform. The Post Edits admin report, accessible via the...

CVSS 2.7 · AI score 5.9 · EPSS 0.00293
Exploits 0 · References 7

EUVD
added 2026/03/07 12:30 a.m. · 4 views

EUVD-2026-10091

The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 12.8.3. This is due to missing authorization and post status validation in the gspbelreusableload AJAX handler. The handler accepts an...

CVSS 5.3 · AI score 5.9 · EPSS 0.00305
Exploits 0 · References 6

Vulnrichment
added 2026/02/02 11:3 p.m. · 5 views

CVE-2025-6590 Complete content leak of private wikis due to PasswordReset Wikitext injection in error message

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from through 1.39.12, 1.42.76 1.43.1, 1.44.0...

CVSS 4.6 · AI score 5.4 · EPSS 0.00325
Exploits 0 · References 1

EUVD
added 2025/10/07 12:30 a.m. · 5 views

EUVD-2014-1127

Malware in sbrugna...

CVSS 7.5 · AI score 7.6 · EPSS 0.00887
Exploits 0 · References 3

RedhatCVE
added 2025/05/22 4:8 p.m. · 6 views

CVE-2020-10955

GitLab EE/CE 11.1 through 12.9 is vulnerable to parameter tampering on an upload feature that allows an unauthorized user to read content available under specific folders...

CVSS 6.5 · AI score 6.5 · EPSS 0.01032
Exploits 0 · References 1

NVD
added 2024/09/17 9:15 p.m. · 33 views

CVE-2024-45816

Backstage is an open framework for building developer portals. When using the AWS S3 or GCS storage provider for TechDocs it is possible to access content in the entire storage bucket. This can leak contents of the bucket that are not intended to be accessible, as well as bypass permission checks...

CVSS 6.5 · EPSS 0.00728
Exploits 0 · References 1

OSV
added 2023/11/27 5:15 p.m. · 3 views

CVE-2023-5845

The Simple Social Media Share Buttons WordPress plugin before 5.1.1 leaks password-protected post content to unauthenticated visitors in some meta tags...

CVSS 5.3 · AI score 5.8 · EPSS 0.00575
Exploits 2 · References 1

wpexploit
added 2023/02/27 12:0 a.m. · 149 views

Shortcodes Ultimate < 5.12.8 - Subscriber+ Arbitrary Post Access

The plugin does not ensure that posts to be displayed via some shortcodes are already public and can be accessed by the user making the request, allowing any authenticated user, such as a subscriber, to view draft, private or even password-protected posts. It is also possible to leak the password of...

CVSS 6.5 · AI score 6.9 · EPSS 0.00654
Exploits 2

CNNVD
added 2022/11/18 12:0 a.m. · 4 views

WordPress plugin Media Library Assistant log information disclosure vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 5.3 · AI score 5.9 · EPSS 0.00531
Exploits 0 · References 3

Positive Technologies
added 2022/11/15 12:0 a.m. · 7 views

PT-2022-26147 · Unknown · Opensearch

Name of the Vulnerable Software and Affected Versions: OpenSearch versions prior to 1.3.7; OpenSearch versions prior to 2.4.0. Description: An issue in OpenSearch allows certain specially crafted queries to return a response containing the first line of text from arbitrary files. The list of...

CVSS 4.3 · AI score 5.4 · EPSS 0.00522
Exploits 0 · References 6

Vulnrichment
added 2022/11/08 12:0 a.m. · 10 views

CVE-2022-39069

There is a SQL injection vulnerability in ZTE ZAIP-AIE. Due to lack of input verification by the server, an attacker could trigger an attack by building malicious requests. Exploitation of this vulnerability could cause the leakage of the current table content...

AI score 5.6 · EPSS 0.00443
Exploits 0 · References 1

Tenable Nessus
added 2022/10/20 12:0 a.m. · 20 views

WordPress 4.9.x < 4.9.22 Multiple Vulnerabilities

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities: - A stored Cross-Site Scripting (XSS) via wp-mail.php (post by email). - An open redirect in wp_nonce_ays. - Sender's email address is exposed in wp-mail.php. - A Cross-Site...

AI score 7.8
Exploits 0 · References 2

Tenable Nessus
added 2022/10/20 12:0 a.m. · 14 views

WordPress 3.7.x < 3.7.40 Multiple Vulnerabilities

According to its self-reported version number, the detected WordPress application is affected by multiple vulnerabilities: - A stored Cross-Site Scripting (XSS) via wp-mail.php (post by email). - An open redirect in wp_nonce_ays. - Sender's email address is exposed in wp-mail.php. - A Cross-Site...

AI score 7.8
Exploits 0 · References 2