GitLab - Account Takeover via Password Reset

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to a...

PT-2026-45038

Summary modules/registration.php mode send login regenerates a random password for user uuid assigned, stores its bcrypt hash in adm users.usr password, and emails the cleartext to that user. Every other state-changing mode in the same file assign member, assign user, delete user, create user cal...

CVE-2026-25602

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

EUVD-2026-31094

Insufficient Verification of Data Authenticity vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component makes it possible to send messages to any email address. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component:...

CVE-2026-25602

Summary: CVE-2026-25602 affects Mesalvo Meona’s Client Launcher and Server components with an insufficient verification of data authenticity. This could enable sending messages to arbitrary email addresses. Affected components and scope: Meona Client Launcher Component (affected up to 19.06.2020 ...

plunk 数据伪造问题漏洞

Plunk is an open-source email sending and management platform developed by Plunk. Versions of Plunk prior to 0.9.0 contained a data manipulation vulnerability. This vulnerability stems from the /webhooks/sns endpoint accepting Amazon SNS notification payloads without verifying the SNS signature,...

PT-2026-37296

Name of the Vulnerable Software and Affected Versions AVideo versions prior to 29.0 Description An issue exists in the 'objects/sendEmail.json.php' endpoint where the absence of the contactForm parameter allows unauthenticated users to send emails to arbitrary recipients. When this parameter is...

CVE-2026-34367

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field i...

CVE-2026-34367

InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery SSRF vulnerability exists in the Invoice PDF generation module. User-supplied HTML in the invoice Notes field i...

WordPress plugin Two Factor (2FA) Authentication via Email 输入验证错误漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There wa...

CVE-2025-12718

The Quick Contact Form plugin for WordPress is vulnerable to Open Mail Relay in all versions up to, and including, 8.2.6. This is due to the 'qcfvalidateform' AJAX endpoint allowing a user controlled parameter to set the 'from' email address. This makes it possible for unauthenticated attackers t...

CVE-2025-10869

Stored Cross-site Scripting XSS in Oct8ne Chatbot v2.3. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by injecting a malicious payload through the creation of a transcript that is sent by email. This vulnerability can be exploited to steal sensitive user...

EUVD-2021-30295

Malicious code in bioql PyPI...

CVE-2025-10377 System Dashboard <= 2.8.20 - Cross-Site Request Forgery

The System Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.20. This is due to missing nonce validation on the sdtogglelogs function. This makes it possible for unauthenticated attackers to toggle critical logging settings...

PT-2025-39486

Name of the Vulnerable Software and Affected Versions System Dashboard plugin for WordPress versions prior to 2.8.21 Description The System Dashboard plugin for WordPress is susceptible to Cross-Site Request Forgery CSRF. This is caused by a lack of nonce validation in the sd toggle logs function...

CVE-2025-58434

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...

CVE-2025-58434 Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5 and earlier, the forgot-password endpoint in Flowise returns sensitive information including a valid password reset tempToken without authentication or verification. This enables any attacker...

Malicious code in leadconduit-email-delivery (npm)

The package leadconduit-email-delivery was found to contain malicious code...

MAL-2025-25021 Malicious code in leadconduit-email-delivery (npm)

The package leadconduit-email-delivery was found to contain malicious code...

Microsoft Office Excel Remote Code Execution Vulnerability

Microsoft Office Excel contains a remote code execution vulnerability that can be exploited when a specially crafted Excel file is opened. This malicious file could be delivered as an email attachment or hosted on a malicious website. An attacker could leverage this vulnerability by creating a...