278 matches found
CVE-2026-1273 PostX <= 5.0.8 - Authenticated (Administrator+) Server-Side Request Forgery via REST API Endpoints
The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the /ultp/v3/starterdummypost/ and /ultp/v3/starterimportcontent/ REST API endpoints. This makes it possible...
WordPress plugin PostX 代码问题漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2025-14532
CVE-2025-14532 describes an unauthenticated file-upload flaw in DobryCMS that allows uploading files of any type/extension, enabling remote code execution. The NVD entry indicates a high-severity, network-accessible issue (CVSS v4.0-like metrics: base score 9.3; impacts to confidentiality, integr...
PT-2026-22581
Name of the Vulnerable Software and Affected Versions DobryCMS versions prior to 5.0 Description The software’s file upload functionality allows unauthenticated remote attackers to upload files of any type and extension without restriction. This can lead to Remote Code Execution. Recommendations...
CVE-2026-3179 A path traversal vulnerability was found in the FTP Backup on the ADM.
The FTP Backup on the ADM does not properly sanitize filenames received from the FTP server when parsing directory listings. A malicious server or MITM attacker can craft filenames containing path traversal sequences, causing the client to write files outside the intended backup directory. A path...
CVE-2026-27192
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed...
CVE-2026-27191 Feathers: Open Redirect in OAuth callback enables account takeover
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. Versions 5.0.39 and below the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to...
Feathers 信息泄露漏洞
Feathers is a lightweight web framework developed by Feathers OpenSource. It is used to create APIs and real-time applications using TypeScript or JavaScript. Feathers versions 5.0.39 and earlier contained an information leakage vulnerability. This vulnerability stemmed from the fact that all HTT...
CVE-2026-25388
Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through = 5.0...
WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions = 5.0...
CVE-2026-25388
Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through = 5.0...
CVE-2026-1216
The RSS Aggregator plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'template' parameter in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for unauthenticated...
FileZen vulnerable to OS command injection
Overview FileZen provided by Soliton Systems K.K. contains the following vulnerability. OS command injection CWE-78 - CVE-2026-25108 This vulnerability can be exploited when FileZen Antivirus Check Option is enabled The developer states that attacks exploiting the vulnerability has been observed...
CVE-2025-58467
A relative path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync...
CVE-2025-30266
The CVE-2025-30266 entry describes a NULL pointer dereference in Qsync Central that could allow a remote attacker with a user account to cause a denial-of-service. Concrete details across connected sources identify Qsync Central as the affected product, with the root cause listed as a NULL pointe...
CVE-2025-52868
CVE-2025-52868 is a buffer overflow in Qsync Central. The issue allows a remote attacker who has a user account to modify memory or crash processes. A fix is available in Qsync Central 5.0.0.4 (2026-01-20) and later; users should upgrade to receive mitigation. The connected sources corroborate th...
PT-2026-7535
A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service DoS attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4...
Craft CMS SQL注入漏洞
Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17, and 5.0.0-RC1 to 5.8.21 of Craft CMS have SQL injection vulnerabilities. These vulnerabilities stem from improper cleaning of the criteriaorderBy parameter input, which may lead to SQL...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz
Summary IBM Watson Discovery Cartridge affected by vulnerability in jws-3.2.2.tgz Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION: auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature...
CVE-2026-1517
A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue...