23 matches found

CVE
added 2026/03/10 7:54 p.m., 11 views

CVE-2026-29173

Craft Commerce (for Craft CMS) has a stored XSS vulnerability that affects the Order Status name field when updating the status from the Commerce Orders Table. The issue occurs prior to versions 4.10.2 and 5.5.3, where the Status Name is rendered without proper escaping, enabling script execution...

CVSS 4.8, AI score 5.9, EPSS 0.00318
Exploits 1, References 3, Affected software 1
EUVD
added 2026/03/10 7:54 p.m., 3 views

EUVD-2026-10815

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

CVSS 4.8, AI score 5.9, EPSS 0.00318
Exploits 1, References 3
Vulnrichment
added 2026/03/10 7:54 p.m., 6 views

CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

CVSS 4.8, AI score 5.9, EPSS 0.00318
Exploits 1, References 3
OSV
added 2026/03/10 7:54 p.m., 2 views

CVE-2026-29173 Craft Commerce has Stored XSS while updating Order Status from Orders Table

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, a stored XSS vulnerability exists when a user tries to update the Order Status from the Commerce Orders Table. The Order Status Name is rendered without proper escaping, allowing script execution to occur. This...

CVSS 4.8, AI score 5.9, EPSS 0.00318
Exploits 1, References 5
Vulnrichment
added 2026/03/10 7:52 p.m., 4 views

CVE-2026-29172 Craft Commerce has a SQL Injection in Commerce Purchasables Table Sorting

Craft Commerce is an ecommerce platform for Craft CMS. Prior to 4.10.2 and 5.5.3, Craft Commerce is vulnerable to SQL Injection in the purchasables table endpoint. The sort parameter is split by | and the first part column name is passed directly as an array key to orderBy without whitelist...

CVSS 8.7, AI score 5.9, EPSS 0.00421
Exploits 1, References 3
Positive Technologies
added 2026/01/10 12:00 a.m., 5 views

PT-2026-2215

Name of the Vulnerable Software and Affected Versions: Spree versions prior to 4.10.2; Spree versions prior to 5.0.7; Spree versions prior to 5.1.9; Spree versions prior to 5.2.5. Description: Spree is an open source e-commerce solution built with Ruby on Rails. An Unauthenticated Insecure Direct Objec...

CVSS 7.5, AI score 6.5, EPSS 0.00383
Exploits 1, References 14
RedhatCVE
added 2025/12/15 11:33 p.m., 5 views

CVE-2025-14691

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

CVSS 5.3, AI score 5.6, EPSS 0.00392
Exploits 1, References 1
EUVD
added 2025/12/15 12:30 a.m., 4 views

EUVD-2025-203313

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is...

CVSS 5.3, AI score 6.1, EPSS 0.00401
Exploits 1, References 7
OSV
added 2025/12/15 12:30 a.m., 3 views

GHSA-X37W-7P52-8F49 Mayan EDMS has an Open Redirect through the /authentication/ file

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is...

CVSS 5.3, AI score 4.8, EPSS 0.00401
Exploits 1, References 12
Github Security Blog
added 2025/12/15 12:30 a.m., 9 views

Mayan EDMS is vulnerable to XSS through the /authentication/ file

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

CVSS 6.1, AI score 5.6, EPSS 0.00392
Exploits 1, References 12, Affected software 1
OSV
added 2025/12/15 12:15 a.m., 1 view

CVE-2025-14692

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is...

CVSS 6.1, AI score 5.3, EPSS 0.00401
Exploits 1, References 6
Vulnrichment
added 2025/12/14 11:32 p.m., 4 views

CVE-2025-14692 Mayan EDMS authentication redirect

A flaw has been found in Mayan EDMS up to 4.10.1. The impacted element is an unknown function of the file /authentication/. This manipulation causes open redirect. It is possible to initiate the attack remotely. The exploit has been published and may be used. Upgrading to version 4.10.2 is...

CVSS 5.3, AI score 6.3, EPSS 0.00401
Exploits 1, References 6
OSV
added 2025/12/14 11:15 p.m., 6 views

PYSEC-2025-134

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

CVSS 6.1, AI score 4.2, EPSS 0.00392
Exploits 1, References 7
PyPA
added 2025/12/14 11:15 p.m., 10 views

PYSEC-2025-134

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

CVSS 6.1, AI score 4.2, EPSS 0.00392
Exploits 1, References 7, Affected software 1
Cvelist
added 2025/12/14 11:02 p.m., 20 views

CVE-2025-14691 Mayan EDMS authentication cross site scripting

A vulnerability was detected in Mayan EDMS up to 4.10.1. The affected element is an unknown function of the file /authentication/. The manipulation results in cross site scripting. The attack may be performed from remote. The exploit is now public and may be used. Upgrading to version 4.10.2 is...

CVSS 5.3, EPSS 0.00392
Exploits 1, References 6
CVE
added 2025/10/29 4:30 p.m., 15 views

CVE-2025-62787

Wazuh prior to version 4.10.2 is affected by a buffer over-read in DecodeWinevt() caused by an incorrect index when accessing child_attr[p]->attributes[j]. A compromised agent can cause a read past the end of the allocated buffer, potentially exposing sensitive data, particularly when analysis...

CVSS 7.5, AI score 6.4, EPSS 0.00362
Exploits 1, References 2, Affected software 1
OSV
added 2025/10/29 3:52 p.m., 4 views

CVE-2025-62786 Wazuh Vulnerable to Heap-based Buffer Out-Of-Bounds WRITE in decode_win_permissions

Wazuh is a free and open source platform used for threat prevention, detection, and response. A heap-based out-of-bounds WRITE occurs in decode_win_permissions, resulting in writing a NULL byte 2 bytes before the start of the buffer allocated to decodedit. A compromised agent can potentially levera...

CVSS 6.3, AI score 8.2, EPSS 0.00662
Exploits 1, References 4
Cvelist
added 2025/10/29 3:37 p.m., 9 views

CVE-2025-62785 Wazuh fillData NULL pointer dereference causes analysisd crash

Wazuh is a free and open source platform used for threat prevention, detection, and response. The fillData implementation does not check whether value is NULL before calling os_strdup on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh...

CVSS 6.9, EPSS 0.00401
Exploits 1, References 2
Cvelist
added 2025/10/22 7:24 p.m., 10 views

CVE-2025-62610 Hono Improperly Authorizes JWT Audience Validation

Hono is a Web application framework that provides support for any JavaScript runtime. In versions from 1.1.0 to before 4.10.2, Hono’s JWT Auth Middleware does not provide a built-in aud (Audience) verification option, which can cause confused-deputy / token-mix-up issues: an API may accept a valid...

CVSS 8.1, EPSS 0.0035
Exploits 1, References 2
Positive Technologies
added 2025/10/22 12:00 a.m., 6 views

PT-2025-43405

Name of the Vulnerable Software and Affected Versions: Hono versions 1.1.0 through 4.10.1. Description: Hono’s JWT authentication middleware lacked built-in verification of the aud (Audience) claim. This could lead to confused-deputy or token-mix-up issues, where an API might accept a valid token...

CVSS 8.1, AI score 5.4, EPSS 0.0035
Exploits 1, References 16