3021 matches found
CVE-2026-42221
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-6696
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...
CVE-2026-6696
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...
CVE-2026-6696 Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...
CVE-2026-6696 Zingaya Click-to-Call <= 1.0 - Reflected Cross-Site Scripting via 'email' Parameter
The Zingaya Click-to-Call plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email', 'firstname', 'lastname', and 'phone' parameters on the plugin's sign-up admin page in all versions up to, and including, 1.0. This is due to insufficient input sanitization and output...
CVE-2026-6696
CVE-2026-6696 concerns the Zingaya Click-to-Call plugin for WordPress. The connected documents confirm a Reflected Cross-Site Scripting vulnerability on the plugin’s sign-up admin page, affecting all versions up to and including 1.0. The root cause is insufficient input sanitization and output es...
PT-2026-36957
Name of the Vulnerable Software and Affected Versions Zingaya Click-to-Call versions prior to 1.1 Description Insufficient input sanitization and output escaping in the sign-up admin page allow unauthenticated attackers to inject arbitrary web scripts. This occurs via the 'email', 'first name',...
CVE-2026-42221
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-42222
CVE-2026-42222 (nginx-ui 2.3.5) describes an unauthenticated bootstrap takeover during the initial installation window exposed by POST /api/install. The issue allows a remote attacker to submit attacker-chosen bootstrap data and gain full unauthenticated administrative control on a fresh, uniniti...
CVE-2026-42222 nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available...
CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-42221
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
JLSEC-2026-413 When asked to both use a `.netrc` file for credentials and to follow HTTP redirects, curl could...
When asked to both use a .netrc file for credentials and to follow HTTP redirects, curl could leak the password used for the first host to the followed-to host under certain circumstances. This flaw only manifests itself if the netrc file has an entry that matches the redirect target hostname but...
Nginx UI 访问控制错误漏洞
Nginx UI is a web interface for Nginx developed by Jacky. In versions 2.0.0 to 2.3.8 of Nginx UI, there was an access control vulnerability. This vulnerability stemmed from the fact that the public/api/install endpoint required no authentication during the first run, allowing unauthenticated...
Astra Linux – Vulnerability in Linux
In the Linux kernel, the following vulnerabilities have been resolved: netfilter: nftct: Skip the evaluation of rules for confirmed conntrack entries. The nftctexpectobjeval function calls nfctextadd for confirmed conntrack entries. However, nfctextadd can only be called when !nfctisconfirmed is...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: drbd: fixed the issue of null-pointer dereference during local read operations. In drbdrequestendio, READCOMPLETEDWITHERROR is passed to reqmod with a NULL peerdevice: c reqmodreq, what, NULL, &m; The handler for...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerabilities have been resolved: drm/amdkfd: Ensure that the list is non-empty before using listfirstentry in kfdtopology.c. Before using listfirstentry, make sure that the list is not empty; if the list is empty, return -ENODATA. The following issues have al...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: Drivers: perf: Check the return value of findfirstbit We must check the return value of findfirstbit before using its value as an index array, as it may cause the array to overflow, leading to a panic: 107.318430 Kernel BUG 1...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: Platform/x86: x86-android-tablets: Devices are unregistered in reverse order. Not all subsystems support the removal of a device when there are still consumers referencing that device. One example is the regulator subsystem. If a...