138 matches found
Apache Flink Kubernetes Operator security vulnerability
Apache Flink Kubernetes Operator is an operations component for Flink clusters developed by the Apache Software Foundation. Versions of Apache Flink Kubernetes Operator from 1.3.0 to 1.15.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of validation of the jarURI in...
YouTube wants your face to fight deepfakes
If you're worried about deepfake likenesses of yourself showing up online, you're not alone; YouTube is worried for you. It wants to protect you by having you upload a selfie video and government ID to its site. The idea is that the video giant will use its own AI to patrol the service for fake...
Open WebUI cross-site scripting vulnerability
Open WebUI is an extensible, feature-rich, and user-friendly open-source self-hosted WebUI. Versions of Open WebUI prior to 0.9.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from a stored XSS flaw, which could allow users with model creation permissions to...
CVE-2026-40929
WWBN AVideo 29.0 and earlier: the endpoint objects/commentDelete.json.php mutates state (deletes comments) without CSRF validation; it lacks forbidIfIsUntrustedRequest(), a CSRF/global token, and Origin/Referer checks. Because session.cookie_samesite=None, cross-site requests from attacker pages carr...
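The entry above describes two missing defences at once: the session cookie is issued with SameSite=None, so a browser attaches it to a cross-site POST, and the endpoint itself never checks where the request came from. The following is an added illustration of a generic guard for a state-changing PHP endpoint; it is not WWBN AVideo's code, the function names rejectUntrustedRequest and csrfToken and the host example.com are assumptions for the example, and the commented-out SameSite=None line shows the weak setting beside the hardened one.

```php
<?php
// Added example, not WWBN AVideo's code. Generic CSRF guard for a
// state-changing JSON endpoint; function and host names are assumed.
declare(strict_types=1);

// Weak setting the advisory describes: with SameSite disabled, a POST from
// an attacker's page carries the victim's session cookie.
// ini_set('session.cookie_samesite', 'None');

// Hardened setting: Lax stops cross-site POSTs from carrying the cookie
// (Strict also stops top-level navigations). Secure and HttpOnly are
// unrelated to CSRF but belong on a session cookie anyway.
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
session_start();

/** Issue (or reuse) a per-session CSRF token to embed in the site's own forms. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Abort the request unless it originates from this site and carries the session's token. */
function rejectUntrustedRequest(string $expectedHost): void
{
    // Defence 1: the Origin header (Referer as fallback) must name our own host.
    // Browsers send Origin on cross-site POSTs, so an attacker page cannot spoof it.
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, $expectedHost) !== 0) {
        http_response_code(403);
        exit(json_encode(['error' => 'untrusted request origin']));
    }

    // Defence 2: the token from a header or the body must equal the session
    // token, compared in constant time so the check is not a timing oracle.
    $supplied = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !hash_equals($expected, (string) $supplied)) {
        http_response_code(403);
        exit(json_encode(['error' => 'missing or invalid CSRF token']));
    }
}

// Usage at the top of a state-mutating handler such as a comment-delete endpoint.
// 'example.com' is an assumed host for the example; configure it, do not read
// it from the Host header, which the client controls.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit(json_encode(['error' => 'POST required']));
}
rejectUntrustedRequest('example.com');
// ... only now look up the comment, check the caller owns it, and delete it ...
```

The two defences are deliberately independent: the token check still holds when an Origin header is absent or stripped by a proxy, and the origin check still holds if a token leaks through a page that reflects it. Either one alone would have blocked the cross-site deletion the advisory describes; the cookie attribute is a third layer that depends on browser behaviour rather than on the endpoint.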
PT-2026-30816
Name of the Vulnerable Software and Affected Versions: Checkmk versions 2.2.0 (EOL), 2.3.0 through 2.3.0p45, 2.4.0 through 2.4.0p24, and 2.5.0 beta through 2.5.0b2. Description: Insufficient sanitization of dashboard dashlet title links allows an attacker with dashboard creation privileges to perform...
BIT-DISCOURSE-2026-28282 Discourse vulnerable to group membership addition permission bypass via discourse-policy plugin
Discourse is an open-source discussion platform. Versions prior to 2026.3.0, 2026.2.1, and 2026.1.2 have a security flaw in the discourse-policy plugin which allowed a user with policy creation permission to gain membership access to any private/restricted groups. Once membership to a...
EUVD-2026-12456
Fields is a GLPI plugin that allows users to add custom fields on GLPI items forms. Prior to version 1.23.3, it is possible to execute arbitrary PHP code from users that are allowed to create dropdowns. This issue has been patched in version 1.23.3...
Cross-site Scripting (XSS)
Overview: Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Legacy Form block when an authenticated user with permissions to create or edit forms injects malicious JavaScript into the options of a multiple-choice question. An attacker can execute arbitrary script...
NocoDB Missing Ownership Validation in MCP Token Operations
Summary: The MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. Details: McpTokenService.get, regenerateToken, and delete did not filter by fkuserid. The analogous...
CVE-2026-28361
CVE-2026-28361 affects NocoDB prior to version 0.301.3, where the MCP token service did not validate token ownership. This allowed a Creator within the same base to read, regenerate, or delete another user’s MCP tokens if the token ID was known. The issue is fixed in 0.301.3. Remediation: upgrade...
CVE-2026-25759
Statamic is a Laravel and Git powered content management system (CMS). In versions from 6.0.0 up to but not including 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Maliciou...
CVE-2026-25759 Statamic affected by privilege escalation via stored cross-site scripting
Statamic is a Laravel and Git powered content management system (CMS). In versions from 6.0.0 up to but not including 6.2.3, a stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Maliciou...
Statamic CMS vulnerable to privilege escalation via stored cross-site scripting
Impact: A stored XSS vulnerability in content titles allows authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. The malicious user must have an account with control panel access and content creation permissions. This...
PT-2026-7714
Name of the Vulnerable Software and Affected Versions: Statamic versions 6.0.0 through 6.2.2. Description: Statamic is a Laravel and Git powered content management system (CMS). A stored cross-site scripting (XSS) issue exists in content titles, allowing authenticated users with content creation...
One-Person Production: Wondershare Filmora V15 Empowers Solo Creators With AI
AI is transforming the video-making process for creators. Learn how Wondershare Filmora V15 helps individual creators edit smarter using powerful AI...
ROS-20251125-06
A vulnerability in the Moodle virtual learning environment relates to the disclosure of hidden group names to users who have permission to create calendar events. Exploiting the vulnerability could allow a remote attacker to gain unauthorized access to protected...
BIT-MOODLE-2025-62400 Moodle: hidden group names visible to event creators
Moodle exposed the names of hidden groups to users who had permission to create calendar events but not to view hidden groups. This could reveal private or restricted group information...
MAL-2025-113390 Malicious code in dian-lapis2-miaww (npm)
Source: amazon-inspector 2faa610996169695c1d695972a75b8d4197e1a8aa49644b6dd809ff00442a7d3. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts (auto.js,...
CVE-2025-64112
Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fix...
CVE-2025-64112
CVE-2025-64112 refers to a stored XSS vulnerability in Statamic CMS (Laravel and Git powered) involving Collections and Taxonomies. The issue allows an authenticated user with content-creation permissions to inject malicious JavaScript that executes for higher-privileged users, potentially enabling credent...