Moderate: Red Hat Security Advisory: php security update

An update for php is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CV...

GHSA-76VF-MPMX-777J Graylog Allows Session Takeover via Insufficient HTML Sanitization

Impact It is possible to obtain user session cookies by submitting an HTML form as part of an Event Definition Remediation Step field. For this attack to succeed, the attacker needs a user account with permissions to create event definitions, while the user must have permissions to view alerts...

python-werkzeug: high resource usage when parsing multipart form data with many fields

A flaw was found in python-werkzeug. Werkzeug is multipart form data parser, that will parse an unlimited number of parts, including file parts. These parts can be a small amount of bytes, but each requires CPU time to parse, and may use more memory as Python data. If a request can be made to an...

Cross-Site Scripting (XSS)

verbb/formie is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to improper output escaping when previewing imported form data, which allows an attacker to inject malicious scripts via tampered field labels or handles in the JSON export...

OESA-2025-1426 python-werkzeug security update

werkzeug German noun: "tool". Etymology: werk "work", zeug "stuff" Werkzeug is a comprehensive WSGI web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: - An interactive...

OESA-2025-1425 python-werkzeug security update

werkzeug German noun: "tool". Etymology: werk "work", zeug "stuff" Werkzeug is a comprehensive WSGI web application library. It began as a simple collection of various utilities for WSGI applications and has become one of the most advanced WSGI utility libraries. It includes: - An interactive...

Important: php

Issue Overview: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in nextstateval during regular expression compilation. Octal numbers larger than 0xff are not handled correctly i...

Important: php

Issue Overview: An issue was discovered in Oniguruma 6.2.0, as used in Oniguruma-mod in Ruby through 2.4.1 and mbstring in PHP through 7.1.5. A heap out-of-bounds write or read occurs in nextstateval during regular expression compilation. Octal numbers larger than 0xff are not handled correctly i...

SUSE CVE-2025-30153

kin-openapi is a Go project for handling OpenAPI files. Prior to 0.131.0, when validating a request with a multipart/form-data schema, if the OpenAPI schema allows it, an attacker can upload a crafted ZIP file e.g., a ZIP bomb, causing the server to consume all available system memory. The root...

WordPress Lead Form Data Collection to CRM plugin <= 3.0.1 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Lead Form Data Collection to CRM versions = 3.0.1...

CVE-2025-30810

CVE-2025-30810 affects the WordPress plugin “Lead Form Data Collection to CRM.” The vulnerability is an authenticated SQL injection in the plugin’s Lead Form Data Collection to CRM component, exploitable by users with Contributor+ privileges. Affected versions are from an unknown starting point u...

CVE-2025-30810 WordPress Lead Form Data Collection to CRM plugin <= 3.0.1 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Smackcoders Inc., Lead Form Data Collection to CRM wp-leads-builder-any-crm allows Blind SQL Injection.This issue affects Lead Form Data Collection to CRM: from n/a through = 3.0.1...

WordPress plugin Lead Form Data Collection to CRM SQL注入漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blog sites on PHP and MySQL servers. A SQL injection vulnerability exists in WordPress plug...

WordPress Product Import Export for WooCommerce plugin <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter vulnerability

Authenticated Admin+ PHP Object Injection via formdata Parameter vulnerability discovered by HayMiz in WordPress Plugin Product Import Export for WooCommerce versions = 2.5.0...

CVE-2025-1913

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'formdata' parameter This makes it possible for authenticated attacker...

CVE-2025-1913 Product Import Export for WooCommerce <= 2.5.0 - Authenticated (Admin+) PHP Object Injection via form_data Parameter

The Product Import Export for WooCommerce – Import Export Product CSV Suite plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.5.0 via deserialization of untrusted input from the 'formdata' parameter This makes it possible for authenticated attacker...

CVE-2024-53678

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by th...

CVE-2024-53678

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by th...

WordPress Export and Import Users and Customers plugin <= 2.6.2 - Authenticated (Admin+) PHP Object Injection via form_data Parameter vulnerability

Authenticated Admin+ PHP Object Injection via formdata Parameter vulnerability discovered by HayMiz in WordPress Plugin Import Export WordPress Users versions = 2.6.2...

CVE-2025-1971

The Export and Import Users and Customers plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.6.2 via deserialization of untrusted input from the 'formdata' parameter. This makes it possible for authenticated attackers, with Administrator-level acces...