149 matches found
CVE-2025-41008 SQL Injection in Sinturno
SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/adm/scripts/modalReportdata.php' endpoint...
CVE-2026-1648 Performance Monitor <= 1.0.6 - Unauthenticated Server-Side Request Forgery via 'url' Parameter
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curldata' REST API endpoint. This makes it possible for...
CVE-2026-1648
The Performance Monitor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.6. This is due to insufficient validation of the 'url' parameter in the '/wp-json/performance-monitor/v1/curldata' REST API endpoint. This makes it possible for...
PT-2026-26719
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to arbitrary file read via path traversal in all versions up to, and including, 1.6.3. This is due to the action function in the TemplateData class passing user-supplied input from the 'emailkit-editor-templat...
Amazon S3 for Craft CMS 信息泄露漏洞
Amazon S3 for Craft CMS is an open-source file storage integration plugin for Craft CMS. Versions of Amazon S3 for Craft CMS 2.2.4 and earlier have a vulnerability known as information leakage. This vulnerability stems from improper access control at the BucketsController-actionLoadBucketData...
EUVD-2026-11647
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
CVE-2026-32137 DataEase SQL Injection Vulnerability
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
PT-2026-25034
Dataease is an open source data visualization analysis tool. Prior to 2.10.20, The table parameter for /de2api/datasource/previewData is directly concatenated into the SQL statement without any filtering or parameterization. Since tableName is a user-controllable string, attackers can inject...
CVE-2026-29174 Craft Commerce has a SQL Injection in Commerce Inventory Table Sorting
Craft Commerce is an ecommerce platform for Craft CMS. Prior to 5.5.3, Craft Commerce is vulnerable to SQL Injection in the inventory levels table data endpoint. The sort0direction and sort0sortField parameters are concatenated directly into an addOrderBy clause without any validation or...
CVE-2026-2752
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and...
CVE-2026-2752
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and...
CVE-2026-2752
Navtor NavBox allows information disclosure via the /api/ais-data endpoint. A remote, unauthenticated attacker can send crafted requests to trigger an unhandled exception, causing the server to return verbose .NET stack traces. These error messages expose internal class names, method calls, and...
CVE-2026-2752
CVE-2026-2752 affects Navtor NavBox via the /api/ais-data endpoint, where a remote unauthenticated attacker can trigger an unhandled exception, causing verbose .NET stack traces to be returned. This information disclosure exposes internal class names, methods, and third‑party library references (...
PT-2026-23716
Name of the Vulnerable Software and Affected Versions Navtor NavBox affected versions not specified Description A remote, unauthenticated attacker can send crafted requests to the /api/ais-data endpoint, triggering an unhandled exception. This causes the server to return verbose .NET stack traces...
Navtor NavBox 安全漏洞
Navtor NavBox is a shipping information system device developed by the Norwegian company Navtor. It is used for electronic nautical chart management and synchronization of navigation data. There is a security vulnerability in Navtor NavBox, which stems from the API/ais-data endpoint not handling...
CVE-2026-28424
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
GHSA-W878-F8C6-7R63 Statamic's missing authorization allows access to email addresses
Impact User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission. Patches This has been fixed in 5.73.11 and 6.4.0...
Statamic's missing authorization allows access to email addresses
Impact User email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the “view users” permission. Patches This has been fixed in 5.73.11 and 6.4.0...
CVE-2026-28424 Statamic's missing authorization allows access to email addresses
Statmatic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtype’s data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 a...
EUVD-2019-19718
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database...