CVE-2026-39393
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the install route guard in ci4ms relies solely on a volatile cache check (cache('settings')) combined with .env file existence to block...
CVE-2026-33735 MyTube has an Improper Access Control that Allows Complete Application Takeover
MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.8.69, an authorization bypass in the /api/settings/import-database endpoint allows attackers with low-privilege credentials to upload and replace the application's SQLite database entirely, leading to a fu...
TP-Link Archer BE230 Security Vulnerability
The TP-Link Archer BE230 is a wireless router produced by TP-Link Corporation. The TP-Link Archer BE230 v1.2 1.2.4 Build 20251218 rel.70420 versions have security vulnerabilities. These vulnerabilities stem from a command injection vulnerability in the configuration backup and recovery...
MAL-2026-138 Malicious code in rt-footer (npm)
Source: amazon-inspector 843ded25c4705270d68a2528b9a2aadd0755998b2880686a4ea7ad2d777a1235 The package rt-footer was found to contain malicious code. Source: ghsa-malware d3f499cb715f4d755c0be8690d154c1da2a95c1195bff56c58d5967d2b680e6e Any...
CVE-2020-36920 iDS6 DSSPro Digital Signage System 6.2 Privilege Escalation via Access Control
iDS6 DSSPro Digital Signage System 6.2 contains an improper access control vulnerability that allows authenticated users to elevate privileges through console JavaScript functions. Attackers can create users, modify roles and permissions, and potentially achieve full application takeover by...
Malicious code in ddos-gacor-v2 (npm)
Source: amazon-inspector 32622783fe9401d4c567f638a03e43b4559383e7f853ff0457f7f301420f95e9 The package ddos-gacor-v2 was found to contain malicious code. Source: ghsa-malware 3192709ec1aa7bcf745ab018eb8d6a537ace33453acda64299ef30193f8d64a9...
Monsta FTP Vulnerability Exposed Thousands of Servers to Full Takeover
Monsta FTP users must update now! A critical pre-authentication flaw, CVE-2025-34299, allows attackers to fully take over web servers. Patch to version 2.11.3 immediately...
PT-2025-45405
Name of the Vulnerable Software and Affected Versions: IDonate – Blood Donation, Request And Donor Management System plugin for WordPress versions 2.1.5 through 2.1.9. Description: The IDonate plugin for WordPress is susceptible to privilege escalation. Authenticated attackers with Subscriber-level...
Malicious code in @diotoborg/voluptate-sequi-natus (npm)
Source: ghsa-malware 7f995aab21f2130aeaf719de3be8623af8ba2c71e3a2f330647fb5806fb3b4a5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Impact. What kind of vulnerability is it? Who is impacted? A remote code execution (RCE) via server-side template injection (SSTI) allows user-supplied code to be executed in the server's context, where it runs as the document-merge-server user with UID 901, thus giving an attacker...
CVE-2024-37301
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the...
CVE-2024-37301
Document Merge Service (versions ≤ 6.5.1) is vulnerable to remote code execution via server-side template injection (SSTI). The root cause is insufficient input sanitization/validation in template handling, allowing an attacker to execute code with the document-merge-server user (UID 901) and pot...
CVE-2024-37301 document-merge-service vulnerable to Remote Code Execution via Server-Side Template Injection
Document Merge Service is a document template merge service providing an API to manage templates and merge them with given data. Versions 6.5.1 and prior are vulnerable to remote code execution via server-side template injection which, when executed as root, can result in full takeover of the...
CVE-2024-3829 Arbitrary File Read and Write during Snapshot Recovery in qdrant/qdrant
qdrant/qdrant version 1.9.0-dev is vulnerable to arbitrary file read and write during the snapshot recovery process. Attackers can exploit this vulnerability by manipulating snapshot files to include symlinks, leading to arbitrary file read by adding a symlink that points to a desired file on the...
Malicious code in wlwz-2312-6403 (npm)
Source: ghsa-malware a3dbcf44dbfc9707df017f54aa7632fdd5e1815a399c9be2b74201dd48125c7a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Cross-site scripting
Home Assistant is an open source home automation platform. The Home Assistant login page allows users to use their local Home Assistant credentials and log in to another website that specifies the redirect_uri and client_id parameters. Although the redirect_uri validation typically ensures that it matches th...
CVE-2023-41896 Fake websocket server installation permits full takeover in Home Assistant Core
Home Assistant is an open source home automation platform. Whilst auditing the frontend code to identify hidden parameters, Cure53 detected authcallback=1, which is leveraged by the WebSocket authentication logic in tandem with the state parameter. The state parameter contains the hassUrl, which is...