Lucene search

30 matches found

Vulnrichment
added 2026/06/12 6:01 p.m. · 124 views

CVE-2026-12143 form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)

form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the field argument to FormData.append and the filename option are concatenated verbatim into the Content-Disposition header without escaping carriage return (CR), line feed (LF), or double-quote (")...

CVSS 8.7 · AI score 5.4 · EPSS 0.00324
Exploits 0 · References 7
RedhatCVE
added 2026/06/05 7:16 p.m. · 8 views

CVE-2026-42747

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in hassantafreshi Easy Form Builder (easy-form-builder) allows Blind SQL Injection. This issue affects Easy Form Builder: from n/a through <= 4.0.6...

CVSS 9.3 · AI score 5.6 · EPSS 0.00236
Exploits 0 · References 1
NVD
added 2026/05/04 12:16 a.m. · 4 views

CVE-2026-7713

A vulnerability was detected in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this vulnerability is the function generate_auth_token of the file cps/kobo_auth.py of the component Kobo auth-token Route. The manipulation results in improper authorization. The attack may be performed fr...

CVSS 6.5 · EPSS 0.00272
Exploits 0 · References 9
CNNVD
added 2026/05/04 12:00 a.m. · 40 views

Calibre-Web Automated security vulnerability

Calibre-Web Automated is a self-hosted digital library management tool developed by the individual developer CrocodileStick. Versions of Calibre-Web Automated prior to 4.0.6 contain security vulnerabilities. These vulnerabilities stem from improper authorization in the generate_auth_token functi...

CVSS 6.5 · AI score 6.7 · EPSS 0.00272
Exploits 0 · References 2
CVE
added 2026/04/27 11:34 p.m. · 160 views

CVE-2026-40976

CVE-2026-40976 affects Spring Boot 4.0.0–4.0.5. In vulnerable configurations, a servlet-based web application that relies on Spring Boot’s default web security (no custom Spring Security config), depends on spring-boot-actuator-autoconfigure, and does not rely on spring-boot-health can experience...

CVSS 9.1 · AI score 5.3 · EPSS 0.00413
Exploits 0 · References 1 · Affected Software 1
OSV
added 2026/04/27 9:31 p.m. · 5 views

GHSA-C96X-RPM4-349P Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

CVSS 5 · AI score 5.8 · EPSS 0.00136
Exploits 0 · References 4
Github Security Blog
added 2026/04/27 9:31 p.m. · 6 views

Spring Boot's Elasticsearch auto-configuration doesn't perform hostname verification when connecting to the Elasticsearch server.

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

CVSS 6.8 · AI score 5.8 · EPSS 0.00136
Exploits 0 · References 4 · Affected Software 1
Tenable Nessus
added 2026/04/27 12:00 a.m. · 2 views

Fedora 44 : smb4k (2026-9094afb6f6)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9094afb6f6 advisory. Update to version 4.0.6. Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for...

AI score 5.6
Exploits 0 · References 1
RedhatCVE
added 2026/04/06 10:57 a.m. · 4 views

CVE-2026-5561

A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is...

CVSS 6.5 · AI score 6.3 · EPSS 0.00291
Exploits 0 · References 1
Circl
added 2026/01/21 8:01 a.m. · 6 views

CVE-2026-24061

| creationtimestamp | type | source |
|---|---|---|
| 2026-01-21 08:01:25+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mcw7ecrteg25 |
| 2026-01-21 09:38:25+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mcwers7abk2t |
| 2026-01-21 12:18:21+00:00 | seen | ... |

CVSS 9.8 · AI score 7.4 · EPSS 0.98871
Exploits 60 · References 160
RedhatCVE
added 2026/01/09 9:24 a.m. · 6 views

CVE-2023-40662

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Jonk @ Follow me Darling Cookies and Content Security Policy. This issue affects Cookies and Content Security Policy: from n/a through 2.15...

CVSS 7.5 · AI score 7.8 · EPSS 0.00552
Exploits 0 · References 1
Positive Technologies
added 2025/10/16 12:00 a.m. · 3 views

PT-2025-42549

Name of the Vulnerable Software and Affected Versions: Xpdf versions prior to 4.06. Description: A flaw exists in Xpdf versions 4.05 and earlier related to PDF object handling within CMap structures. Specifically, a loop in a CMap, triggered through the "UseCMap" entry, can result in infinite...

CVSS 2.1 · AI score 6.5 · EPSS 0.00156
Exploits 0 · References 11
RedhatCVE
added 2025/05/22 11:40 p.m. · 3 views

CVE-2022-40690

Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script...

CVSS 5.4 · AI score 6.2 · EPSS 0.00692
Exploits 0 · References 1
Cvelist
added 2025/05/20 12:51 p.m. · 16 views

CVE-2025-40635 SQL injection at Comerzzia

SQL injection vulnerability in Comerzzia Backoffice: Sales Orchestrator 3.0.15. This vulnerability allows an attacker to retrieve, create, update and delete databases via the ‘uidActivity’, ‘codCompany’ and ‘uidInstance’ parameters of the ‘/comerzzia/login’ endpoint...

CVSS 9.3 · EPSS 0.0029
Exploits 0 · References 1
Exploit DB
added 2025/04/16 12:00 a.m. · 307 views

Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass

Exploit Title: Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
Date: 2022-10-10
Exploit Author: Zach Hanley, SC
Vendor Homepage: https://www.fortinet.com
Version: 7.0.0
Tested on: Linux
CVE: CVE-2022-40684
This module requires Metasploit:...

CVSS 9.8 · AI score 9.2 · EPSS 0.99984
Exploits 24
OSV
added 2024/07/09 12:15 p.m. · 1 view

CVE-2024-32056

A vulnerability has been identified in Simcenter Femap (All versions < V2406). The affected application contains an out of bounds write past the end of an allocated buffer while parsing a specially crafted IGS part file. This could allow an attacker to execute code in the context of the current proce...

CVSS 7.8 · AI score 6.1
Exploits 0 · References 1
Positive Technologies
added 2024/07/09 12:00 a.m. · 1 view

PT-2024-4862 · Siemens · Simcenter Femap

Name of the Vulnerable Software and Affected Versions: Simcenter Femap versions prior to V2406 Description: The issue is related to an out of bounds write past the end of an allocated buffer while parsing a specially crafted IGS part file. This could allow an attacker to execute code in the conte...

CVSS 7.8 · AI score 8.2 · EPSS 0.00173
Exploits 0 · References 5
Positive Technologies
added 2024/07/09 12:00 a.m. · 2 views

PT-2024-37537 · WordPress · Generate Pdf Using Contact Form 7

Name of the Vulnerable Software and Affected Versions: Generate PDF using Contact Form 7 plugin for WordPress versions up to, and including, 4.0.6 Description: The issue is due to missing nonce validation and missing file type validation in the wp cf7 pdf dashboard html page function, making it...

CVSS 8.8 · AI score 8 · EPSS 0.00523
Exploits 0 · References 8
Circl
added 2024/07/07 2:57 a.m. · 4 views

CVE-2024-40603

| creationtimestamp | type | source |
|---|---|---|
| 2024-07-07 02:57:28+00:00 | seen | https://t.me/cvedetector/156 |
| 2025-03-17 21:47:25+00:00 | seen | https://t.me/DarkWebInformerCVEAlerts/7860 |
...

CVSS 4.3 · AI score 4.8 · EPSS 0.002
Exploits 0 · References 2
OSV
added 2024/05/14 4:17 p.m. · 1 view

CVE-2024-33577

A vulnerability has been identified in Simcenter Femap (All versions < V2406). The affected applications contain a stack overflow vulnerability while parsing specially crafted strings as argument for one of the application binaries. This could allow an attacker to execute code in the context of the current...

CVSS 7.3 · AI score 5.9 · EPSS 0.00231
Exploits 0 · References 2