
82266 matches found

EUVD
added 2026/01/23 3:28 a.m. | 3 views

EUVD-2026-4459

Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists...

CVSS 8.8 | AI score 6.5 | EPSS 0.01685
Exploits: 0 | References: 3
RedhatCVE
added 2026/01/23 12:26 a.m. | 4 views

CVE-2026-23887

Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially...

CVSS 5.4 | AI score 5.5 | EPSS 0.00246
Exploits: 1 | References: 1
ATTACKERKB
added 2026/01/23 12:00 a.m. | 2 views

CVE-2025-69907

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration...

CVSS 7.5 | AI score 5.5 | EPSS 0.00521
Exploits: 0 | References: 3
Packet Storm
added 2026/01/23 12:00 a.m. | 141 views

Lingdang CRM 8.6.4.7 SQL Injection

Lingdang CRM versions 8.6.4.7 and below remote time-based blind SQL injection proof of concept exploit. Title: Lingdang CRM <= 8.6.4.7 - Time-Based Blind...

CVSS 8.8 | AI score 5.8 | EPSS 0.00448
Exploits: 3
Vulnrichment
added 2026/01/23 12:00 a.m. | 4 views

CVE-2025-69907

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration...

AI score 5.6 | EPSS 0.00521
Exploits: 0 | References: 2
Positive Technologies
added 2026/01/23 12:00 a.m. | 4 views

PT-2026-4538

MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application's saveSettings function accepts arbitrary key-value pairs without...

CVSS 2.7 | AI score 5.7 | EPSS 0.00284
Exploits: 1 | References: 3
Positive Technologies
added 2026/01/23 12:00 a.m. | 6 views

PT-2026-4537

Name of the Vulnerable Software and Affected Versions: MyTube versions 1.7.78 and below. Description: The MyTube application does not properly protect against authorization bypass, potentially allowing guest users to download the complete application database. The application does not validate user...

CVSS 8.7 | AI score 5.3 | EPSS 0.00317
Exploits: 0 | References: 10
Cvelist
added 2026/01/23 12:00 a.m. | 28 views

CVE-2025-69907

An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration...

EPSS 0.00521
Exploits: 0 | References: 2
Positive Technologies
added 2026/01/23 12:00 a.m. | 7 views

PT-2026-4530

Name of the Vulnerable Software and Affected Versions: Aptsys gemscms POS Platform versions prior to 2025-05-29. Description: An SQL Injection issue exists in the backend of the Aptsys gemscms POS Platform. The issue is due to the direct insertion of user-supplied input into a dynamic SQL query...

CVSS 9.4 | AI score 6.2 | EPSS 0.00332
Exploits: 0 | References: 8
CVE
added 2026/01/23 12:00 a.m. | 11 views

CVE-2025-69907

CVE-2025-69907 concerns an unauthenticated information-disclosure vulnerability in Newgen OmniDocs. Multiple connected sources describe missing authentication and access control on the API endpoint /omnidocs/GetListofCabinet, allowing unauthenticated remote access to sensitive internal configur...

CVSS 7.5 | AI score 5.6 | EPSS 0.00521
Exploits: 0 | References: 2
CNNVD
added 2026/01/23 12:00 a.m. | 4 views

WordPress plugin Nelio Content has a security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVSS 8.5 | AI score 5.9 | EPSS 0.00327
Exploits: 0 | References: 1
Tenable Nessus
added 2026/01/23 12:00 a.m. | 116 views

Oracle Database Server (January 2026 CPU)

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2026 CPU advisory. - Vulnerability in the Oracle Spatial and Graph OpenJPEG component of Oracle Database Server. Supported versions that are affected are...

CVSS 9.8 | AI score 7.1 | EPSS 0.09244
Exploits: 2 | References: 20
RedhatCVE
added 2026/01/22 8:22 p.m. | 9 views

CVE-2025-69285

SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data...

CVSS 8.7 | AI score 5.8 | EPSS 0.00394
Exploits: 1 | References: 1
NVD
added 2026/01/22 5:16 p.m. | 3 views

CVE-2025-68017

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10...

CVSS 7.5 | EPSS 0.00331
Exploits: 0 | References: 1
EUVD
added 2026/01/22 4:52 p.m. | 4 views

EUVD-2026-3898

Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7...

AI score 5.4 | EPSS 0.00219
Exploits: 0 | References: 2
EUVD
added 2026/01/22 4:52 p.m. | 29 views

EUVD-2026-3933

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7...

AI score 5.5 | EPSS 0.00512
Exploits: 0 | References: 2
EUVD
added 2026/01/22 4:52 p.m. | 3 views

EUVD-2026-3910

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3...

AI score 5.5 | EPSS 0.00512
Exploits: 0 | References: 2
EUVD
added 2026/01/22 4:52 p.m. | 2 views

EUVD-2026-3956

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4...

AI score 5.4 | EPSS 0.0018
Exploits: 0 | References: 2
EUVD
added 2026/01/22 4:52 p.m. | 2 views

EUVD-2026-3941

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3...

AI score 5.5 | EPSS 0.00403
Exploits: 0 | References: 2
Cvelist
added 2026/01/22 4:52 p.m. | 17 views

CVE-2025-68999 WordPress Happy Addons for Elementor plugin <= 3.20.4 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4...

CVSS 8.5 | EPSS 0.00253
Exploits: 2 | References: 1