16851 matches found
CVE-2026-8622
The CVE-2026-8622 entry concerns the WordPress plugin Image Sizes on Demand (versions affected: all up to and including 1.3). The vulnerability is a Reflected Cross-Site Scripting (XSS) via the PHP_SELF server variable caused by insufficient input sanitization and output escaping. It allows unaut...
CVE-2026-45792
Vulnerability summary (CVE-2026-45792) RTK (Rust Token Killer) prior to 0.32.0 trusts project-local configuration by auto-loading the highest-priority .rtk/filters.toml without user notification. An attacker with repository access can place a malicious filter to modify shell command output before...
EUVD-2026-38509
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...
CVE-2026-34917
Low‑privileged session IDs generated for the web admin console could be reused in the XML‑RPC API, whose authentication is normally restricted to admin users. An attacker could leverage this to gain unauthorised access and exploit API‑level vulnerabilities. The session context web/API is now...
EUVD-2026-38469
OpenHarness /issue and /prcomments slash commands lack remoteinvocable=False protection, allowing remote channel senders to write attacker-controlled Markdown into project context files. Admitted remote attackers can inject malicious content into .openharness/issue.md and .openharness/prcomments....
XWiki - Information Disclosure
XWiki 16.7.0 to 16.10.11, 17.4.4, and 17.7.0 using XJetty contains an information disclosure vulnerability caused by exposed context allowing static access to files in webapp/ folder, letting attackers access sensitive files, exploit requires use of XJetty package. id: CVE-2025-55749 info: name:...
MCP Inspector < 0.14.0 UnauthenticatedRemote Code Execution
The MCP inspector is a developer tool for testing and debugging MCP servers. Versions of MCP Inspector below 0.14.1 are vulnerable to remote code execution due to lack of authentication between the Inspector client and proxy, allowing unauthenticated requests to launch MCP commands over stdio. id...
Microweber < 1.2.17 - Cross-Site Scripting
Cross-site Scripting XSS vulnerability in the /demo/editortools/module endpoint via the 'type' parameter. id: CVE-2022-2130 info: name: Microweber 1.2.17 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross-site Scripting XSS vulnerability in the...
mooSocial 3.1.8 - Reflected XSS
A vulnerability, which was classified as problematic, was found in mooSocial mooStore 3.1.6. Affected is an unknown function of the file /search/index. id: CVE-2023-4173 info: name: mooSocial 3.1.8 - Reflected XSS author: momika233 severity: medium description: | A vulnerability, which was...
Zarinpal Paid Download - Reflected XSS
Zarinpal Paid Download WordPress plugin v2.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users such as admin, exploit requires...
Giga Messenger WordPress - Cross-Site Scripting
Giga Messenger WordPress plugin = 2.3.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
Jenkins build-metrics 1.3 - Cross-Site Scripting
Jenkins build-metrics 1.3 is vulnerable to a reflected cross-site scripting vulnerability that allows attackers to inject arbitrary HTML and JavaScript into the web pages the plugin provides. id: CVE-2019-10475 info: name: Jenkins build-metrics 1.3 - Cross-Site Scripting author: madrobot severity...
DomainMOD 4.13.0 - Cross-Site Scripting
DomainMOD 4.13.0 is vulnerable to cross-site scripting via reporting/domains/cost-by-owner.php in the "or Expiring Between" parameter. id: CVE-2020-20988 info: name: DomainMOD 4.13.0 - Cross-Site Scripting author: arafatansari severity: medium description: | DomainMOD 4.13.0 is vulnerable to...
CVE-2026-56306
Capgo before 12.128.2 contains a parsing vulnerability in the x-limited-key-id header that can bypass subkey enforcement and let attackers make requests under the main API key context instead of restricted subkey permissions. The issue arises from malformed, zero, or duplicate header values produ...
CVE-2026-56306 Capgo - Subkey Enforcement Bypass via x-limited-key-id Header Parsing
Capgo before 12.128.2 contains a weak parsing vulnerability in the x-limited-key-id header that allows attackers to bypass subkey enforcement by submitting malformed values, zero, or duplicate headers that result in NaN or falsy values. Remote attackers can manipulate the x-limited-key-id header ...
DELMIA Apriso - Command Injection
An Improper Control of Generation of Code code injection / file upload → RCE vulnerability affecting DELMIA Apriso Release 2020 → Release 2025. When an authenticated user can upload files and the upload handler fails to canonicalize filenames or enforce storage restrictions, an attacker may place...
Linux Distros Unpatched Vulnerability : CVE-2026-49295
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libde265 is an open source implementation of the h.265 video codec. Prior to version 1.0.20, a crafted H.265 bitstream can cause an out-of-bounds array write in...
Linux Distros Unpatched Vulnerability : CVE-2026-48928
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A inconsistency in Node.js hostname matching can cause a trust-policy bypass in multi-context mTLS setups. This vulnerability affects all supported release line...
CVE-2026-47203 Authelia Missing Username Canonicalization in Basic Auth (LDAP)
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on SSO for applications via a web portal. In versions 4.38.0 through 4.39.19, when a user authenticates via Basic Auth i.e via the Authorization header with the Basic scheme on t...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerabilities have been resolved: Wifi: mt76: mt7921 – Fixed kernel panic due to null pointer dereference Fixed a kernel panic caused by a null pointer dereference in the mt792xrxgetwcid function. The issue arises because the deflink structure is not properly...