96912 matches found
CVE-2026-59083
Improper Handling of URL Encoding Hex Encoding vulnerability in Apache Tomcat's rewrite valve allowed security constraint bypass for some configurations. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.23, from 10.1.0-M1 through 10.1.56, from 9.0.0.M1 through 9.0.119, from 8.5.0...
WordPress My Calendar <3.4.22 - SQL Injection
WordPress My Calendar plugin versions before 3.4.22 are vulnerable to an unauthenticated SQL injection within the 'from' and 'to' parameters of the '/my-calendar/v1/events' REST route. id: CVE-2023-6360 info: name: WordPress My Calendar 3.4.22 - SQL Injection author: xxcdd severity: critical...
WordPress Product Slider Pro for WooCommerce < 3.5.4 - Supply Chain Backdoor RCE
Improper Validation of Specified Quantity in Input vulnerability in ShapedPlugin, LLC Product Slider Pro for WooCommerce allows Malicious Software Implanted. This issue affects Product Slider Pro for WooCommerce: from n/a before 3.5.4. id: CVE-2026-49777 info: name: WordPress Product Slider Pro f...
Tattile Camera < 1.181.5 - Default Login
Tattile Smart+, Vega, and Basic device families firmware = 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges. id: CVE-2026-26341 info: name: Tattile Camera 1.181.5 -...
Astro - Unauthorized Third-Party Image Access
Astro 5.13.2 and 4.16.18 contains an information disclosure vulnerability caused by improper validation of protocol-relative URLs in the image optimization endpoint, letting attackers serve images from unauthorized third-party domains, exploit requires on-demand rendering deployment. id:...
AntD Admin - Sensitive Information Disclosure
AntD Admin has a security vulnerability that stems from Antd-admin 5.5.0 being affected by an incorrect access control vulnerability. Attackers can exploit this vulnerability to gain unauthorized access to some front-end interfaces, resulting in the leakage of sensitive information such as user...
ownCloud Guests - User Enumeration
ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerability caused by insufficient validation of the token in showPasswordForm at /apps/guests/register/email/token, letting unauthenticated attackers enumerate valid guest users, exploit requires no authentication. id:...
Stable Diffusion Webui 1.10.0 - Open Redirect
An open redirect vulnerability exists in Stable-Diffusion-Webui 1.10.0, where the file parameter in the /file= endpoint can be manipulated to redirect users to malicious websites. This could facilitate phishing attacks by tricking users into visiting attacker-controlled URLs. id: CVE-2024-11044...
MStore API <= 4.10.7 - Unauthorized Account Access and Privilege Escalation
The MStore API plugin for WordPress is vulnerable to Unauthorized Account Access and Privilege Escalation in versions up to, and including, 4.10.7 due to improper implementation of the Apple login feature. This allows unauthenticated attackers to log in as any user as long as they know the user's...
WooCommerce Ultimate Gift Card ≤ 2.6.0 - Arbitrary File Upload
The WooCommerce Ultimate Gift Card plugin for WordPress is vulnerable to arbitrary file uploads due to insufficient file type validation in the 'mwbwgmpreviewmail' and 'mwbwgmwoocommerceaddcartitemdata' functions in all versions up to, and including, 2.6.0. This makes it possible for...
Navidrome <=0.54.5 - Authentication Bypass in Subsonic API
Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...
Ruckus vRioT IoT Controller - Authentication Bypass
Ruckus vRioT through 1.5.1.0.21 contains an API backdoor caused by a hardcoded token in validatetoken.py,letting unauthenticated attackers interact with the API without authentication. id: CVE-2020-26879 info: name: Ruckus vRioT IoT Controller - Authentication Bypass author: DhiyaneshDk severity:...
Users Ultra <= 3.1.0 - SQL Injection
The Users Ultra WordPress plugin through 3.1.0 fails to properly sanitize and escape the datatarget parameter before it is being interpolated in an SQL statement and then executed via the ratingvote AJAX action available to both unauthenticated and authenticated users, leading to an SQL Injection...
Keycloak - SAML Core Package Signature Validation Flaw
A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...
CVE-2026-15676
A security flaw has been discovered in code-projects Online Job Portal up to 1.0. The impacted element is an unknown function of the file /Admin/DeleteUser.php. Performing a manipulation results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the...
CVE-2026-15676
CVE-2026-15676 affects code-projects Online Job Portal (
EUVD-2026-43614
A vulnerability was found in nextlevelbuilder GoClaw 3.11.3. Affected by this issue is the function ExecApprovalManager.CheckCommand of the file internal/tools/execapproval.go. The manipulation results in incomplete blacklist. The attack can be executed remotely. The exploit has been made public...
CVE-2026-44745
SAP Approuter does not properly validate incoming request headers during the OAuth2 login flow under certain configurations. This allows an unauthenticated remote attacker to craft a malicious link which, when clicked by a victim, could lead to unauthorized access. Successful exploitation results...
EUVD-2026-43599
A flaw has been found in poco-ai poco-claw up to 0.5.4. Affected is the function getworkspacefile of the file executormanager/app/api/v1/workspace.py of the component Workspace API. Executing a manipulation of the argument userid can lead to authorization bypass. The attack may be launched...
EUVD-2026-43540
OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute or persist actions beyond the caller's intended...