MAL-2026-5799 Malicious code in boardflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9d5c1524281430272215f48a90b957cf08f76dcb9954cb73945421dff358eb2 package.json declares preinstall: node install.js, which fires automatically on npm install. install.js is heavily obfuscated obfuscator.io...

WordPress plugin MDJM Event Management 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

Astra Linux – Vulnerability in binutils

A issue was discovered in the Binary File Descriptor BFD library also known as libbfd, as distributed in GNU Binutils 2.31. An invalid memory access exists in the bfdstabsectionfindnearestline function in syms.c. Attackers could exploit this vulnerability to cause a denial of service application...

Facebook WhatsApp 安全漏洞

Facebook WhatsApp is a suite of Android-based mobile applications from Facebook, Inc. in the United States that utilize the Internet to deliver text messages. The application uses the contact information in the smartphone to find contacts using the software to send texts, pictures, etc. A securit...

CVE-2026-34735

The Hytale Modding Wiki is a free service for Hytale mods to host their documentation & wikis. In version 1.2.0 and prior, the quickUpload endpoint validates uploaded files by checking their MIME type via PHP's finfo, which inspects file contents but constructs the stored filename using the...

CVE-2026-33717

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing...

CVE-2026-4809

Brand-new CVE entry CVE-2026-4809 affects plank/laravel-mediable up to version 6.4.0. In vulnerable configurations that accept a client-supplied MIME type during file upload, an attacker can submit a file containing executable PHP code while declaring a benign image MIME type, enabling arbitrary ...

CVE-2026-33717

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the downloadVideoFromDownloadURL function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension including .php. By providing...

CVE-2026-33647 AVideo Vulnerable to Remote Code Execution via MIME/Extension Mismatch in ImageGallery File Upload

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the ImageGallery::saveFile method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An...

CVE-2026-32989

Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations,...

CVE-2026-32989 Precurio Intranet Portal 4.4: Cross-Site Request Forgery leading to arbitrary file upload

Precurio Intranet Portal 4.4 contains a cross-site request forgery vulnerability that allows attackers to induce authenticated users to submit crafted requests to a profile update endpoint handling file uploads. Attackers can exploit this to upload executable files to web-accessible locations,...

CVE-2026-32989

Precurio Intranet Portal 4.4 is affected by a CSRF weakness that can coerce an authenticated user into submitting a crafted request to a profile update endpoint handling file uploads. If attacker-controlled content is stored as an executable server-side file in a web-accessible location, this may...

PT-2026-23634

Name of the Vulnerable Software and Affected Versions Chamilo versions prior to 1.11.34 Description Chamilo LMS is susceptible to an authenticated remote code execution issue stemming from insufficient validation of uploaded files. The application depends on MIME-type verification for file upload...

WordPress plugin SetSail 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2019-25344

Wondershare MobileGo 8.5.0 is affected by an insecure file permissions vulnerability that allows local users to modify executable files in the application directory. Attackers can replace MobileGo.exe with a malicious executable to create a new user account and add it to the Administrators group,...

CVE-2023-25718

In ConnectWise Control through 22.9.10032 formerly known as ScreenConnect, after an executable file is signed, additional instructions can be added without invalidating the signature, such as instructions that result in offering the end user a different attacker-controlled executable file. It is...

CVE-2023-31748

Insecure permissions in MobileTrans v4.0.11 allows attackers to escalate privileges to local admin via replacing the executable file...

CVE-2018-10190

A vulnerability in London Trust Media Private Internet Access PIA VPN Client v77 for Windows could allow an unauthenticated, local attacker to run executable files with elevated privileges. The vulnerability is due to insufficient implementation of access controls. The "Changelog" and "Help"...

CVE-2009-4373

Unrestricted file upload vulnerability in repository/repositoryattachment.php in AlienVault Open Source Security Information Management OSSIM 2.1.5, and possibly other versions before 2.1.5-4, allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then...

CVE-2021-28271

Soyal Technologies SOYAL 701Server 9.0.1 suffers from an elevation of privileges vulnerability which can be used by an authenticated user to change the executable file with a binary choice. The vulnerability is due to improper permissions with the 'F' flag Full for 'Everyone'and 'Authenticated...