60135 matches found
CVE-2026-49485
Summary: CVE-2026-49485 affects HAPI FHIR’s FHIRPathEngine (matches(), matchesFull(), replaceMatches()) where user-controlled regex patterns are compiled via Java’s regex engine, enabling ReDoS and CPU exhaustion. The issue exists in implementations prior to version 6.9.9 and 6.9.4.2. An attacker...
EUVD-2026-34900
AWS-JDBC Wrapper: Privilege Escalation in Aurora PostgreSQL instance...
CVE-2026-52746 JSONata: Malicious inputs to "$toMillis" function can cause resource exhaustion
JSONata is a JSON query and transformation language. Prior to 2.2.0, malicious non-matching inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leading to denial of service in applications that evaluate user-provided JSONata expressions. This issu...
CVE-2026-52746
CVE-2026-52746 concerns the JSONata language. Affected: jsonata prior to version 2.2.0. Issue: malicious non-matching inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leading to denial of service in applications evaluating JSONata expressions. ...
CVE-2026-52746 JSONata: Malicious inputs to "$toMillis" function can cause resource exhaustion
JSONata is a JSON query and transformation language. Prior to 2.2.0, malicious non-matching inputs to the $toMillis function can cause superlinear backtracking in the ISO-8601 validation regex, leading to denial of service in applications that evaluate user-provided JSONata expressions. This issu...
CVE-2026-12691
Missing authentication for critical function vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...
EUVD-2026-45219
Missing authentication for critical function vulnerability in Vimesoft Inc. Enterprise Video Platform allows Authentication Bypass. This issue affects Enterprise Video Platform: from 3.11.0.0 before 3.25.0...
CVE-2026-15982
The CVE-2026-15982 entry describes a Privilege Escalation flaw in the Aimogen Pro WordPress plugin (<= 2.8.4). The root cause is a missing capability check in the function aiomatic_call_google_ai_function, which allows unauthenticated attackers to use the aimogen_wp_god_mode tool to clear func...
CVE-2026-15982 Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit <= 2.8.4 - Unauthenticated Privilege Escalation via 'aiomatic_call_google_ai_function'
The Aimogen Pro - All-in-One AI Content Writer, Editor, ChatBot & Automation Toolkit plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.8.4. This is due to due to a missing capability check on the 'aiomaticcallgoogleaifunction' function. This makes ...
LotusCMS 3.0 - Remote Code Execution
LotusCMS 3.0 is susceptible to remote code execution via the Router function. This is done by embedding PHP code in the 'page' parameter, which will be passed to a eval call and allow remote code execution. id: CVE-2011-0518 info: name: LotusCMS 3.0 - Remote Code Execution author: pikpikcu...
WordPress Epsilon Framework Themes <=2.4.8 - Remote Code Execution
WordPress themes including Shapely = 1.2.7, NewsMag = 2.4.1, Activello = 1.4.0, Illdy = 2.1.4, Allegiant = 1.2.2, Newspaper X = 1.3.1, Pixova Lite = 2.0.5, Brilliance = 1.2.7, MedZone Lite = 1.2.4, Regina Lite = 2.0.4, Transcend = 1.1.8, Affluent = 1.1.0, Bonkers = 1.0.4, Antreas = 1.0.2, Sparkli...
DedeCMS 5.7 SP2 - Cross-Site Scripting
DedeCMS 5.7 SP2 is vulnerable to cross-site scripting via the function named GetPageList defined in the include/datalistcp.class.php file that is used to display the page numbers list at the bottom of some templates, as demonstrated by the PATHINFO to /member/index.php, /member/pm.php,...
mooSocial 3.1.8 - External Service Interaction
mooSocial 3.1.8 is vulnerable to external service interaction via multiple parameters in the post function. id: CVE-2023-43323 info: name: mooSocial 3.1.8 - External Service Interaction author: ritikchaddha severity: medium description: | mooSocial 3.1.8 is vulnerable to external service...
MooSocial 3.1.8 - Cross-Site Scripting
A reflected cross-site scripting XSS vulnerability exisits in the q parameter on search function of mooSocial v3.1.8 which allows attackers to steal user's session cookies and impersonate their account via a crafted URL. id: CVE-2023-45542 info: name: MooSocial 3.1.8 - Cross-Site Scripting author...
PT-2026-60836
A security vulnerability has been detected in AstrBotDevs AstrBot up to 4.25.2. Affected by this issue is the function Star.text to image/NetworkRenderStrategy.render of the file astrbot/core/star/base.py of the component T2I Feature. The manipulation leads to cross site scripting. The attack is...
PT-2026-60768
A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. Impacted is the function list/remove of the file tools/tool cron.go of the component cron Chat Tool. The manipulation results in missing authorization. The attack may be performed from remote. The exploit has been released to th...
PT-2026-60744
GD::SecurityImage versions through 1.75 for Perl use rand to generate secrets. The random method creates the challenge text used for the CAPTCHA by sampling characters from an array using Perl's built-in rand function, and generates a by default six-character string. The built-in rand function is...
CVE-2026-63304
AVideo through 29.0 contains an OS command injection vulnerability in plugin/API/standAlone/functions.php where the listFFmpegProcesses function interpolates unsanitized keyword parameters inside single quotes without escaping. Attackers who can craft a valid encrypted codeToExec payload can brea...
EUVD-2026-44898
The Loco Translate plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.8.5. This is due to missing or incorrect nonce validation on the execTemplate function. This makes it possible for unauthenticated attackers to execute arbitrary PHP code on...
EUVD-2026-44851
A heap overflow in the evalcommand function shell/ash.c of Busybox v1.38.0 allows attackers to cause a Denial of Service DoS via supplying a crafted input...