17244 matches found
PT-2026-25975
Name of the Vulnerable Software and Affected Versions Cockpit versions 2.13.4 and earlier Description Cockpit is a headless content management system. Instances running version 2.13.4 or earlier with API access enabled are susceptible to a SQL Injection issue in the MongoLite Aggregation Optimize...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the BucketsController-actionLoadBucketData endpoint. An attacker can retrieve a list of accessible buckets by sending a request with a valid CSRF token, even without authentication. Remediation Upgrade...
EUVD-2026-12397
Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey...
EUVD-2017-18928
Serviio PRO 1.8 contains an information disclosure vulnerability due to improper access control enforcement in the Configuration REST API that allows unauthenticated attackers to access sensitive information. Remote attackers can send specially crafted requests to the REST API endpoints to retrie...
CVE-2026-3024
Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically in the endpoint 'vets.wakyma.com/configuracion/agenda/modelo-formulario-evento'. A user with permission to create personalized accounts could exploit this vulnerability simply by creating a malicious survey...
SQL Injection
Overview Affected versions of this package are vulnerable to SQL Injection via the tableHandWrite argument in the DDL Handler process. An attacker can access or modify sensitive data and potentially disrupt application functionality by injecting crafted SQL statements remotely. Remediation There ...
CVE-2026-3024
CVE-2026-3024 is a Stored Cross-Site Scripting (XSS) vulnerability in the Wakyma web application, specifically at the endpoint vets.wakyma.com/configuracion/agenda/modelo-formulario-evento. The description indicates an attacker with permission to create personalized accounts can trigger a malicio...
CVE-2017-20223
CVE-2017-20223 affects the Telesquare SKT LTE Router SDT-CS3B1, firmware version 1.2.0. The vulnerability is an insecure direct object reference that allows an unauthenticated attacker to bypass authorization by manipulating user-supplied input parameters, enabling access to resources and functio...
CVE-2025-69808
An out-of-bounds (OOB) memory access in p2r3 Bareiron commit 8e4d40 allows unauthenticated attackers to access sensitive information and cause a Denial of Service (DoS) by supplying a crafted packet...
Wakyma Cross-Site Scripting Vulnerability
Wakyma is a pet management application developed by the Spanish company Wakyma. Wakyma has a cross-site scripting vulnerability. This vulnerability stems from a stored cross-site scripting flaw in the endpoint vets.wakyma.com/configuracion/agenda/modelo-formulario-evento. It could allow users wit...
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
Summary The built-in session_status tool did not enforce the intended session-visibility boundary. A sandboxed subagent could supply another session's sessionKey and inspect or modify state outside its own sandbox scope. Impact This allowed a sandboxed child session to read parent or sibling sessi...
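The boundary failure described above, shown as an added example rather than OpenClaw's own code: a session_status-style lookup that trusts the caller-supplied sessionKey, next to one that checks the key against the caller's own scope first. The session tree, the field names and the visibility policy (a sandboxed session sees only itself; an unsandboxed session sees itself and its descendants) are assumptions made for this illustration.

```typescript
// Added example, not OpenClaw code. Session model and policy are hypothetical.
interface SessionState {
  key: string;
  parentKey: string | null; // null for a top-level session
  sandboxed: boolean;
  status: string;
}

// Constructed session tree: one parent with two sandboxed children.
const SESSIONS: Map<string, SessionState> = new Map([
  ["parent-1", { key: "parent-1", parentKey: null, sandboxed: false, status: "running" }],
  ["child-a", { key: "child-a", parentKey: "parent-1", sandboxed: true, status: "idle" }],
  ["child-b", { key: "child-b", parentKey: "parent-1", sandboxed: true, status: "running" }],
]);

// Vulnerable shape: the tool resolves whatever sessionKey the caller hands it,
// so a sandboxed child can read its parent's or a sibling's state.
function sessionStatusUnsafe(_callerKey: string, targetKey: string): string | undefined {
  return SESSIONS.get(targetKey)?.status;
}

// Assumed visibility policy: a sandboxed caller may only see its own session;
// an unsandboxed caller may see itself and anything spawned beneath it.
function isVisible(caller: SessionState, target: SessionState): boolean {
  if (caller.sandboxed) {
    return caller.key === target.key;
  }
  let cur: SessionState | undefined = target;
  while (cur) {
    if (cur.key === caller.key) return true; // caller is an ancestor of (or is) the target
    cur = cur.parentKey ? SESSIONS.get(cur.parentKey) : undefined;
  }
  return false;
}

// Hardened shape: resolve the caller first, then check the boundary before
// touching the target's state. Unknown and forbidden keys get the same error
// so the tool does not confirm which sessionKeys exist.
function sessionStatusSafe(callerKey: string, targetKey: string): string {
  const caller = SESSIONS.get(callerKey);
  const target = SESSIONS.get(targetKey);
  if (!caller || !target || !isVisible(caller, target)) {
    throw new Error("session not visible to caller");
  }
  return target.status;
}

// Helper for checking the rejection path without try/catch at every call site.
function safeLookupRejected(callerKey: string, targetKey: string): boolean {
  try {
    sessionStatusSafe(callerKey, targetKey);
    return false;
  } catch {
    return true;
  }
}
```

The same check has to sit in front of every state-modifying path as well, not only the status read; the advisory text covers both inspecting and modifying state.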
CVE-2026-32306
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .appe...
CVE-2025-36368 IBM Sterling B2B Integrator and IBM Sterling File Gateway SQL Injection
IBM Sterling B2B Integrator and IBM Sterling File Gateway 6.1.0.0 through 6.1.2.72, 6.2.0.0 through 6.2.0.51, and 6.2.1.0 through 6.2.1.11 are vulnerable to SQL injection. An administrative user could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or...
CVE-2026-32405 WordPress WoodMart theme <= 8.3.9 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in xtemos WoodMart woodmart allows Retrieve Embedded Sensitive Data. This issue affects WoodMart: from n/a through <= 8.3.9...
CVE-2026-32306
CVE-2026-32306 affects OneUptime prior to 10.0.23. The telemetry aggregation API interpolates user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName into ClickHouse queries via .append() with no allowlist, parameterized binding, or input validation. An authentica...
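The two CVE-2026-32306 entries above describe the same mechanism: user-controlled aggregationType, aggregateColumnName and aggregationTimestampColumnName appended straight into ClickHouse SQL text. The block below is an added example and is not OneUptime's code: it shows that append-style builder beside a version that checks the aggregation function and both identifiers against allowlists before they reach the query. The table name, the column set and the function names are assumptions made for this illustration; toStartOfMinute is a real ClickHouse function.

```typescript
// Added example, not OneUptime code. Table, columns and helper names are hypothetical.
interface AggregationParams {
  aggregationType: string;                // e.g. "avg", "sum"
  aggregateColumnName: string;            // column the function is applied to
  aggregationTimestampColumnName: string; // column used for time bucketing
}

// Vulnerable shape: every parameter is concatenated verbatim into the SQL string,
// with no allowlist, no parameter binding and no validation.
function buildQueryUnsafe(p: AggregationParams): string {
  let sql = "";
  sql += "SELECT toStartOfMinute(" + p.aggregationTimestampColumnName + ") AS bucket, ";
  sql += p.aggregationType + "(" + p.aggregateColumnName + ") AS value ";
  sql += "FROM metrics GROUP BY bucket ORDER BY bucket";
  return sql;
}

// Hardened shape: function names and identifiers cannot be bound as query
// parameters, so they are restricted to fixed allowlists and identifiers are
// backtick-quoted. Anything outside the allowlist is rejected, not escaped.
const ALLOWED_AGGREGATIONS = new Set(["avg", "sum", "min", "max", "count"]);
const ALLOWED_COLUMNS = new Set(["value", "latency_ms", "timestamp", "received_at"]); // assumed schema

function quoteIdentifier(name: string): string {
  if (!ALLOWED_COLUMNS.has(name)) {
    throw new Error(`column not allowed: ${name}`);
  }
  return "`" + name + "`";
}

function buildQuerySafe(p: AggregationParams): string {
  const agg = p.aggregationType.toLowerCase();
  if (!ALLOWED_AGGREGATIONS.has(agg)) {
    throw new Error(`aggregation not allowed: ${p.aggregationType}`);
  }
  const tsCol = quoteIdentifier(p.aggregationTimestampColumnName);
  const valCol = quoteIdentifier(p.aggregateColumnName);
  return (
    `SELECT toStartOfMinute(${tsCol}) AS bucket, ${agg}(${valCol}) AS value ` +
    "FROM metrics GROUP BY bucket ORDER BY bucket"
  );
}

// Constructed attacker input: the aggregate column closes the function call and
// appends its own SQL. Whether the trailing statement executes depends on the
// client, but the unsafe builder does nothing to stop the text from reaching it.
const MALICIOUS: AggregationParams = {
  aggregationType: "avg",
  aggregateColumnName: "value) FROM metrics; DROP TABLE metrics; --",
  aggregationTimestampColumnName: "timestamp",
};

const BENIGN: AggregationParams = {
  aggregationType: "avg",
  aggregateColumnName: "latency_ms",
  aggregationTimestampColumnName: "timestamp",
};

function safeBuilderRejects(p: AggregationParams): boolean {
  try {
    buildQuerySafe(p);
    return false;
  } catch {
    return true;
  }
}
```

Case-folding the aggregation name before the allowlist check keeps the allowlist small without letting "AVG" or "Avg" bypass it; the column names are deliberately not case-folded, since ClickHouse identifiers are case-sensitive and the allowlist should match the schema exactly.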
CVE-2019-25531 Netartmedia Deals Portal Latest SQL Injection via loginaction.php
Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. Attackers can submit crafted SQL payloads through POST requests to extract sensitive information or bypass authenticatio...
CVE-2019-25528
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. Attackers can send POST requests to the search/searchdetailed endpoint with malicious SQL...
CVE-2019-25522 XooGallery Latest Multiple SQL Injections via photo.php
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photoid parameter. Attackers can send GET requests to photo.php with malicious photoid values to extract sensitive data, bypass...
ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More
Another Thursday, another pile of weird security stuff that somehow happened in just seven days. Some of it is clever. Some of it is lazy. A few bits fall into that uncomfortable category of “yeah… this is probably going to show up in real incidents sooner than we’d like.” The pattern this week...
Jettweb PHP Hazir Haber Sitesi Scripti SQL Injection Vulnerability
Jettweb PHP Ready-made News Sites Script is a content management system developed by the Turkish company Jettweb. The Jettweb PHP Ready-made News Sites Script V3 version has a SQL injection vulnerability. This vulnerability stems from the kelime parameter, which allows SQL injection. It coul...