
8 matches found

Vulnrichment
added 2026/03/04 4:57 p.m. | views: 1

CVE-2026-29069 Craft has an unauthenticated activation email trigger with potential user enumeration

Craft is a content management system (CMS). Prior to 5.9.0-beta.2 and 4.17.0-beta.2, the actionSendActivationEmail endpoint is accessible to unauthenticated users and does not require a permission check for pending users. An attacker with no prior access can trigger activation emails for any pendin...

CVSS 6.9 | AI score 6 | EPSS 0.00056
Exploits: 0 | References: 2
Vulnrichment
added 2025/09/27 6:47 a.m. | views: 1

CVE-2025-9944 Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending

The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watchforcontactformsubmit function. This makes it possible for unauthenticated attackers to trigg...

CVSS 4.3 | AI score 4.9 | EPSS 0.00014
Exploits: 0 | References: 2
RedhatCVE
added 2025/05/23 8:14 a.m. | views: 1

CVE-2024-9531

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvxsentdeactivationrequest' function in all versions up to, and including, 4.2.4. This makes it possible f...

CVSS 4.3 | AI score 5.2 | EPSS 0.00135
Exploits: 0 | References: 1
CNNVD
added 2021/06/16 12:0 a.m. | views: 1

OTRS AG Cross-Site Scripting Vulnerability

OTRS AG is a service management software application from the German company OTRS. OTRS AG suffers from a cross-site scripting vulnerability that can be triggered by an attacker sending a specially crafted e-mail to the system...

CVSS 7.5 | AI score 5.2 | EPSS 0.00296
Exploits: 0 | References: 4
Hacker One
added 2020/08/13 4:58 p.m. | views: 15

New Relic: Adding your account to victim's app via deeplink

In your Android app, there is a feature for passwordless login. It sends an email and if you click the link, it triggers a deeplink on the app for login. I think this feature needs a state control, for example setting loginstatetoken=ABC on the requester device and adding this loginstatetoken to...

AI score 1.8
Exploits: 0
OSV
added 2008/12/23 6:30 p.m. | views: 1

DEBIAN-CVE-2008-5514

Off-by-one error in the rfc822outputchar function in the RFC822BUFFER routines in the University of Washington (UW) c-client library, as used by the UW IMAP toolkit before imap-2007e and other applications, allows context-dependent attackers to cause a denial of service (crash) via an e-mail message...

CVSS 4.3 | AI score 7.1 | EPSS 0.00809
Exploits: 1 | References: 1
Prion
added 2007/10/19 11:17 p.m. | views: 15

Authentication flaw

The hookcomments API in Drupal 4.7.x before 4.7.8 and 5.x before 5.3 does not pass publication status, which might allow attackers to bypass access restrictions and trigger e-mail with unpublished comments from some modules, as demonstrated by (1) Organic groups and (2) Subscriptions...

CVSS 4.3 | AI score 6.7 | EPSS 0.0055
Exploits: 0 | References: 7 | Affected Software: 1
Tenable Nessus
added 2005/07/14 12:0 a.m. | views: 27

GLSA-200507-12 : Bugzilla: Unauthorized access and information disclosure

The remote host is affected by the vulnerability described in GLSA-200507-12 (Bugzilla: Unauthorized access and information disclosure). Bugzilla allows any user to modify the flags of any bug (CAN-2005-2173). Bugzilla inserts bugs into the database before marking them as private, in connection with...

CVSS 5 | AI score 5.4 | EPSS 0.00395
Exploits: 0 | References: 4