
10261 matches found

EUVD
added 2026/03/09 10:50 p.m. | 4 views

EUVD-2026-10426

Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed ...

CVSS 8.8 | AI score 5.8 | EPSS 0.00297
Exploits 0 | References 3

CVE
added 2026/03/09 10:50 p.m. | 10 views

CVE-2026-30917

Bucket is a MediaWiki extension for structured data. Before version 2.1.1, there is a stored XSS in any Bucket table field with a PAGE type that executes when users view the corresponding Bucket namespace page. The issue is fixed in 2.1.1. Affected software: MediaWiki Bucket extension; vulnerable...

CVSS 8.8 | AI score 5.8 | EPSS 0.00297
Exploits 0 | References 3

OSV
added 2026/03/09 10:50 p.m. | 4 views

CVE-2026-30917 Stored XSS on Bucket namespace pages

Bucket is a MediaWiki extension to store and retrieve structured data on articles. Prior to 2.1.1, a stored XSS can be inserted into any Bucket table field that has a PAGE type, which will execute whenever a user views that table's corresponding Bucket namespace page. This vulnerability is fixed ...

CVSS 8.8 | AI score 5.9 | EPSS 0.00297
Exploits 0 | References 5

Positive Technologies
added 2026/03/09 12:0 a.m. | 11 views

PT-2026-24147

Name of the Vulnerable Software and Affected Versions: Bucket versions prior to 2.1.1. Description: Bucket is a MediaWiki extension used to store and retrieve structured data on articles. A stored cross-site scripting (XSS) issue exists that allows malicious code to be inserted into any Bucket table...

CVSS 8.8 | AI score 5.8 | EPSS 0.00297
Exploits 0 | References 5

Tenable Nessus
added 2026/03/09 12:0 a.m. | 6 views

Vim < 9.2.0077 Heap-based Buffer Overflow (GHSA-r2gw-2x48-jj5p)

The version of Vim installed on the remote host is prior to 9.2.0077. It is, therefore, affected by a vulnerability as referenced in the GHSA-r2gw-2x48-jj5p advisory. - Vim is an open source, command line text editor. Versions prior to 9.2.0077 have a heap-buffer-overflow and a segmentation fault...

CVSS 7.8 | AI score 5.9 | EPSS 0.00177
Exploits 0 | References 2

CVE
added 2026/03/08 6:2 a.m. | 13 views

CVE-2026-3711

Code-projects Simple Flight Ticket Booking System 1.0 contains a SQL injection vulnerability in an unknown function of /Adminupdate.php. The issue arises from manipulating parameters flightno/airplaneid/departure/dtime/arrival/atime/ec/ep/bc/bp. Remote exploitation is possible and the exploit is ...

CVSS 7.2 | AI score 5.8 | EPSS 0.00271
Exploits 1 | References 6 | Affected Software 1

RedhatCVE
added 2026/03/08 1:44 a.m. | 7 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 1

RedhatCVE
added 2026/03/07 7:31 p.m. | 8 views

CVE-2026-30843

Wekan is an open source kanban tool built with Meteor. Versions 8.32 and 8.33 have a critical Insecure Direct Object Reference (IDOR) issue which could allow unauthorized users to modify custom fields across boards through its custom fields update endpoints, potentially leading to unauthorized data...

CVSS 9.3 | AI score 5.8 | EPSS 0.00218
Exploits 0 | References 1

NVD
added 2026/03/07 5:16 a.m. | 3 views

CVE-2026-30822

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7 | EPSS 0.12902
Exploits 1 | References 2

Veracode
added 2026/03/07 5:13 a.m. | 7 views

Remote Code Execution (RCE)

Craft CMS is vulnerable to Remote Code Execution (RCE). The vulnerability is due to a Server-Side Template Injection (SSTI) flaw in Twig template fields, which allows an authenticated administrator to write a malicious PHP file to a web-accessible directory and execute arbitrary system commands...

CVSS 9.4 | AI score 6.1 | EPSS 0.01067
Exploits 1 | References 4 | Affected Software 1

ATTACKERKB
added 2026/03/07 5:8 a.m. | 2 views

CVE-2026-30822

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7 | AI score 5.8 | EPSS 0.12902
Exploits 1 | References 3 | Affected Software 1

Cvelist
added 2026/03/07 5:8 a.m. | 87 views

CVE-2026-30822 Flowise: Mass Assignment in `/api/v1/leads` Endpoint

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, unauthenticated users can inject arbitrary values into internal database fields when creating leads. This issue has been patched in version 3.0.13...

CVSS 7.7 | EPSS 0.12902
Exploits 1 | References 2

EUVD
added 2026/03/07 3:30 a.m. | 3 views

EUVD-2026-10096

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 5

NVD
added 2026/03/07 2:16 a.m. | 4 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | EPSS 0.00262
Exploits 0 | References 4

RedhatCVE
added 2026/03/07 1:43 a.m. | 4 views

CVE-2026-28466

OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass exec approval gating for system.run commands. Attackers with valid gateway credentials can inject...

CVSS 9.9 | AI score 6 | EPSS 0.0042
Exploits 1 | References 1

CVE
added 2026/03/07 1:21 a.m. | 20 views

CVE-2026-1650

The CVE concerns the MDJM Event Management plugin for WordPress. A missing capability check in the custom_fields_controller allows unauthenticated attackers to modify data by deleting arbitrary custom event fields via delete_custom_field and id parameters. Affected versions include all up to 1.7....

CVSS 5.3 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 4

ATTACKERKB
added 2026/03/07 1:21 a.m. | 3 views

CVE-2026-1650

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 5

Cvelist
added 2026/03/07 1:21 a.m. | 26 views

CVE-2026-1650 MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | EPSS 0.00262
Exploits 0 | References 4

Vulnrichment
added 2026/03/07 1:21 a.m. | 3 views

CVE-2026-1650 MDJM Event Management <= 1.7.8.1 - Missing Authorization to Unauthenticated Arbitrary Custom Event Field Deletion

The MDJM Event Management plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'custom_fields_controller' function in all versions up to, and including, 1.7.8.1. This makes it possible for unauthenticated attackers to delete arbitrary custom...

CVSS 5.3 | AI score 5.9 | EPSS 0.00262
Exploits 0 | References 4

CNNVD
added 2026/03/07 12:0 a.m. | 4 views

Flowise Security Vulnerability

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, including 3.0.13, contained security vulnerabilities. These vulnerabilities stemmed from the possibility for unverified users to inject arbitrary values into internal...

CVSS 7.7 | AI score 7.2 | EPSS 0.12902
Exploits 1 | References 2