3761 matches found
CVE-2026-57379 WordPress FormyChat plugin <= 2.15.3 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPPOOL FormyChat social-contact-form allows Stored XSS.This issue affects FormyChat: from n/a through = 2.15.3...
CVE-2026-58503
Frappe is a full-stack web application framework. Prior to 16.16.0 and 15.106.0, user enumeration could be performed via the resetpassword endpoint. This issue is fixed in versions 16.16.0 and 15.106.0...
CVE-2026-57584
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...
CVE-2026-55881
OpenReplay is a self-hosted session replay suite. From 1.22.0 before 1.27.0, getFirstMob returned 15-second presigned S3 download URLs for a session's DOM-replay recording based solely on the session path parameter, while validateProjectAccess checked only that the project belonged to the...
CVE-2026-57584 Phalcon: Catastrophic backtracking (ReDoS) in the default Phalcon Router route lead to remote unauthenticated DoS
Phalcon is a high-performance, full-stack PHP framework. Prior to 5.15.0, every Phalcon MVC application built with a default router registers a built-in route whose compiled PCRE pattern contains the nested quantifier /., and the same construct is produced by the /:params placeholder and the CLI...
CVE-2026-56667
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a...
CVE-2026-55670
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original...
EUVD-2026-42964
ZITADEL is an open source identity management platform. Prior to 4.15.3, ZITADEL Login V2 OIDC and SAML FailedPrecondition error paths return loginSettings.defaultRedirectUri to router.push without applying the isSafeRedirectUri check, allowing an organization or instance administrator to store a...
CVE-2026-55670 ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original...
EUVD-2026-42977
ZITADEL is an open source identity management platform. Prior to 4.15.1, ZITADEL's event store validation can retain the original resource owner for a deleted user identifier, causing a later user recreated with the same identifier in another organization to be provisioned under the original...
Kibana 7.x < 7.17.15 / 8.x < 8.11.1 Log Injection (ESA-2026-53)
The version of Kibana installed on the remote host is 7.x prior to 7.17.15 or 8.x prior to 8.11.1. It is, therefore, affected by a log injection vulnerability: - Improper Output Neutralization for Logs CWE-117 in Kibana can lead to log injection. An attacker can supply specially crafted input tha...
PT-2026-57334
Name of the Vulnerable Software and Affected Versions Frappe versions prior to 16.16.0 Frappe versions prior to 15.106.0 Description User enumeration is possible through the 'reset password' endpoint. User enumeration is a technique used to verify if a specific user exists within a system by...
PT-2026-57332
Name of the Vulnerable Software and Affected Versions Phalcon versions prior to 5.15.0 Description In Phalcon MVC applications using a default router, the CLI router, or the /:params placeholder, a built-in route is registered with a compiled PCRE Perl Compatible Regular Expressions pattern...
[slackware-security] xorg-server
New xorg-server packages are available for Slackware 15.0 and -current to fix security issues. Here are the details from the Slackware 15.0 ChangeLog: patches/packages/xorg-server-1.20.14-i586-21slack15.0.txz: Rebuilt. This update fixes security issues: glamor Font Atlas Heap Buffer Overflow. GLX...
EUVD-2026-42402
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 15.7 before 18.11.7, 19.0 before 19.0.4, and 19.1 before 19.1.2 that under certain conditions could have allowed an authenticated user to execute arbitrary scripts in another user's browser session due to improper...
Security update for radare2 (important)
openSUSE Security Update: Security update for radare2 Announcement ID: openSUSE-SU-2026:0231-1 Rating: important References: 1244121 1262142 1265403 Cross-References: CVE-2025-1378 CVE-2025-1744 CVE-2025-1864 CVE-2025-5641 CVE-2026-40499 CVE-2026-8695 CVSS scores: CVE-2025-1378 SUSE: 4.8...
WordPress FormyChat plugin <= 2.15.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by dodoh4t in WordPress Plugin FormyChat versions = 2.15.3...
Important: Red Hat Security Advisory: OpenShift Virtualization v4.15 Images
Red Hat OpenShift Virtualization release v4.15 is now available with updates to packages and images that fix several bugs and add enhancements. OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift...
Important: Red Hat Security Advisory: OpenShift Virtualization v4.15 Images
Red Hat OpenShift Virtualization release v4.15 is now available with updates to packages and images that fix several bugs and add enhancements. OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform. This advisory contains OpenShift...
CVE-2026-53646
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.6 through 0.7.2, when a ClientPasswordReset record already exists for a client from a previous unexpired reset request, subsequent calls to the resetpassword guest API endpoint reuse the existing token instea...