17279 matches found
CVE-2026-34757
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG Portable Network Graphics raster image files. From 1.0.9 to before 1.6.57, passing a pointer obtained from pnggetPLTE, pnggettRNS, or pnggethIST back into the corresponding setter on the same...
CVE-2026-33350
LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging...
Directory Traversal
Overview praisonai is a PraisonAI TypeScript AI Agents Framework - Node.js, npm, and Javascript AI Agents Framework Affected versions of this package are vulnerable to Directory Traversal in the MultiAgentLedger and MultiAgentMonitor components. An attacker can access sensitive context data...
CVE-2026-33350 LORIS has a SQL injection in MRI feedback popup
LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging...
CVE-2026-4498 Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...
CVE-2026-4498 Execution with Unnecessary Privileges in Kibana Leading to reading index data beyond their direct Elasticsearch RBAC scope
Execution with Unnecessary Privileges CWE-250 in Kibana’s Fleet plugin debug route handlers can lead reading index data beyond their direct Elasticsearch RBAC scope via Privilege Abuse CAPEC-122. This requires an authenticated Kibana user with Fleet sub-feature privileges such as agents, agent...
Improper Isolation or Compartmentalization
Overview pretix is a Reinventing presales, one ticket at a time Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization in the check-in events endpoint. An attacker can access sensitive information related to all check-in events under the same organizer,...
CVE-2026-34582
A flaw was found in Botan, a C++ cryptography library. The TLS 1.3 implementation in Botan allows application data to be processed before the TLS handshake is fully completed. A remote attacker can exploit this by omitting critical client authentication messages, such as the Certificate,...
CVE-2026-33088
Movable Type provided by Six Apart Ltd. contains an SQL Injection vulnerability which may allow an attacker to execute an arbitrary SQL statement...
CVE-2026-24913
SQL Injection vulnerability exists in MATCHA INVOICE 2.6.6 and earlier. If this vulnerability is exploited, information stored in the database may be obtained or altered by a user who can log in to the product...
PT-2026-31083
Name of the Vulnerable Software and Affected Versions MATCHA INVOICE versions 2.6.6 and earlier Description A SQL Injection vulnerability exists that may allow a logged-in user to obtain or alter information stored in the database. Recommendations Update to a newer version to address this...
WordPress plugin Advanced Contact form 7 DB 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...
Ubuntu: Security Advisory (USN-8153-1)
The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
ROS-20260408-73-0031
A vulnerability in the fs/nfs component of the Linux kernel is related to incorrect privilege assignment. Exploitation of the vulnerability allows an attacker to gain access to sensitive data, compromise its integrity, and cause a denial-of-service condition...
CVE-2026-4065 Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation
The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wpajaxsmart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The displayadminajax method does not call checkForCap which...
CVE-2026-35574
ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting XSS vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including...
CVE-2026-35516
LinkAce is a self-hosted archive to collect website links. Prior to 2.5.4, LinkRepository::update and CheckLinksCommand::checkLink do not check for private IPs. An authenticated user can read responses from internal services AWS IMDSv1, cloud metadata, internal APIs by creating a link with a publ...
CVE-2026-5374
An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...
CVE-2026-5379
An issue that allowed MCP agents to access certificate information from outside of their authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N 3.0 Low. This issue wa...
CVE-2026-5374
An issue that allowed MCP agents to access remediation and asset information from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N 5.8 Medium. Th...