108 matches found
CVE-2018-25324
The CVE-2018-25324 entry concerns the WordPress plugin Simple Fields versions 0.2–0.3.5, which contains a local file inclusion (LFI) flaw via the wp_abspath parameter. Unauthenticated attackers can read arbitrary files (e.g., /etc/passwd) by injecting null bytes into wp_abspath on PHP versions be...
Linux Distros Unpatched Vulnerability : CVE-2026-44240
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.3-cp311-abi3-macosx109universal2.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.3-cp311-abi3-macosx109universal2.whl Vulnerability Details CVEID:CVE-2026-34073 DESCRIPTION: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to versi...
PT-2026-36193
Name of the Vulnerable Software and Affected Versions IBM watsonx.data intelligence versions 5.2.0 through 5.2.1 IBM watsonx.data intelligence versions 5.3.0 through 5.3.1 Description User credentials are stored in plain text, allowing a local user to read them. Recommendations At the moment, the...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in once-1.1.2.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in once-1.1.2.tgz Vulnerability Details CVEID:CVE-2026-3449 DESCRIPTION: Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. T...
PT-2026-33885
Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.3 Description OpenBao is an open source identity-based secrets management system that utilizes namespaces for multi-tenant separation. A flaw exists where a tenant that leaks token accessors may have their token...
EUVD-2026-20048
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttoncaption' parameter in the latepointresources shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the...
EUVD-2026-15929
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market (yml-for-yandex-market) allows Path Traversal. This issue affects YML for Yandex Market: from n/a through 5.3.0...
CVE-2026-1238
SlimStat Analytics for WordPress is affected by a Stored Cross-Site Scripting vulnerability via the 'fh' parameter in all versions up to 5.3.5. The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject scripts that execute when users v...
CVE-2026-32245 Tinyauth's OIDC authorization codes are not bound to client on token exchange
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their...
CVE-2026-25896
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...
CVE-2026-24892 openITCOCKPIT has Unsafe Deserialization in openITCOCKPIT Changelog Handling
openITCOCKPIT is an open source monitoring tool built for different monitoring engines like Nagios, Naemon and Prometheus. openITCOCKPIT Community Edition 5.3.1 and earlier contains an unsafe PHP deserialization pattern in the processing of changelog entries. Serialized changelog data derived fro...
PT-2026-21139
Name of the Vulnerable Software and Affected Versions VeronaLabs Slimstat Analytics versions through 5.3.2 Description The software contains a flaw due to improper handling of user-supplied data when creating web pages, which can lead to Reflected Cross-site Scripting (XSS). This allows attackers t...
CVE-2026-25372 WordPress Academy LMS plugin <= 3.5.3 - Broken Access Control vulnerability
Missing Authorization vulnerability in Kodezen LLC Academy LMS (academy) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Academy LMS: from n/a through <= 3.5.3...
CVE-2025-13431
The SlimStat Analytics plugin for WordPress is vulnerable to time-based SQL Injection via the ‘args’ parameter in all versions up to, and including, 5.3.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possib...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.1.1-py3-none-any.whl
Summary IBM Watson Discovery Cartridge affected by vulnerability in pypdf-6.1.1-py3-none-any.whl Vulnerability Details CVEID:CVE-2025-62707 DESCRIPTION: pypdf is a free and open-source pure-python PDF library. Prior to version 6.1.3, an attacker who uses this vulnerability can craft a PDF which...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-004070)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-004070 advisory. A memory leak in the qrtr_tun_write_iter function in net/qrtr/tun.c in the Linux kernel before 5.3 allows attackers to cause a denial of service (memory consumption), aka...
Unity Linux 20.1070e Security Update: kernel (UTSA-2026-001387)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001387 advisory. In the Linux kernel 5.3.11, mounting a crafted btrfs image twice can cause an rwsem_down_write_slowpath use-after-free because in rwsem_can_spin_on_owner in...
Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-003671)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-003671 advisory. A memory leak in the sof_dfsentry_write function in sound/soc/sof/debug.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory...