WordPress Publitio plugin <= 2.1.8 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Publitio versions <= 2.1.8...
WordPress Sprout Clients plugin <= 3.2 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by SOPROBRO in WordPress Plugin Sprout Clients versions <= 3.2...
WordPress Posten plugin <= 0.0.1 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by Gab in WordPress Plugin Posten versions <= 0.0.1...
CVE-2025-30354 Bruno ignores Safe-Mode in Asserts expressions
Bruno is an open source IDE for exploring and testing APIs. A bug in the assertion runtime caused assert expressions to run in Developer Mode even if Safe Mode was selected, so the sandbox settings were ignored in the particular case where a single request is run/sent. This...
WordPress Small Package Quotes – Worldwide Express Edition plugin <= 5.2.18 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin Small Package Quotes – Worldwide Express Edition versions <= 5.2.18...
WordPress Themify Folo Theme <= 1.9.6 is vulnerable to Cross Site Scripting (XSS)
Software: Themify Folo; Type: Theme; Vulnerable versions: <= 1.9.6; Fixed in: N/A (no patched version listed); OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2025-31013; Patch priority: Medium; CVSS severity: Medium (7.1); Developer: not claimed; PSID: 6a066edc64f9; Credits: Tran Nguyen Bao Khanh (VCI - VNPT Cyber...
WordPress Import Export Suite for CSV and XML Datafeed plugin <= 7.19 - Authenticated (Subscriber+) Arbitrary File Upload vulnerability
Authenticated (Subscriber+) Arbitrary File Upload vulnerability discovered by mikemyers in WordPress Plugin WP Ultimate CSV Importer versions <= 7.19...
WordPress Shopper plugin <= 3.2.5 - SQL Injection vulnerability
SQL Injection vulnerability discovered by Anhchangmutrang in WordPress Plugin Shopper versions <= 3.2.5...
WordPress Vitepos plugin <= 3.1.4 - Broken Authentication vulnerability
Broken Authentication vulnerability discovered by Phat RiO (Fore-Z co.ltd) in WordPress Plugin Vitepos versions <= 3.1.4...
WordPress Real Estate 7 Theme <= 3.5.4 is vulnerable to Arbitrary File Upload
Software: Real Estate 7; Type: Theme; Vulnerable versions: <= 3.5.4; Fixed in: 3.5.5; OWASP Top 10: A1: Injection; Classification: Arbitrary File Upload; CVE: CVE-2025-2891; Patch priority: Medium; CVSS severity: Medium (8.8); Developer: not claimed; PSID: 22e03f3e7c10; Credits: Foxyyy; Required privilege: Seller...
Important: Red Hat Security Advisory: Red Hat Developer Hub 1.5.1 release.
Red Hat Developer Hub 1.5.1 has been released. Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single...
CVE-2025-30531
Cross-Site Request Forgery (CSRF) vulnerability in GBS Developer WP Ride Booking (wp-ride-booking) allows Cross Site Request Forgery. This issue affects WP Ride Booking: from n/a through <= 2.4...
Vite bypasses server.fs.deny when using ?raw??
Summary: The contents of arbitrary files can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network (using --host or the server.host config option) are affected. Details: @fs denies access to files outside of Vite's serving allow list. Adding ?raw?? or...
CVE-2025-30531
CVE-2025-30531: CSRF in WP Ride Booking (wp-ride-booking) plugin observed up to version 2.4. Provided sources list a CSRF risk with Network attack vector, requiring user interaction, and a Medium impact rating (I=Low, A=None). No evidence of an available fix or patched version is included in the...
Critical GitHub Attack
This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have...
LLaVA resource management error vulnerability
LLaVA is an application by Haotian Liu, an individual developer. A resource management error vulnerability exists in LLaVA v1.2.0, stemming from mishandled file upload requests, which could lead to a denial of service...
A Bootiful Podcast: Java Champion and legend Henri Tremblay
Hi, Spring fans! In this installment I talk to Henri Tremblay, head of TS Imagine Canada, Java Champion, Montreal JUG leader, EasyMock lead dev and all around legend!...
Morning security vulnerability
Morning is a publicly available online e-commerce store by an individual developer in China. A security vulnerability exists in Morning at commit bc782730c74ff080494f145cc363a0b4f43f7d3e and prior versions: the application is vulnerable to cross-site request forgery attacks...