527 matches found
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in FHIRPath expression evaluation. An attacker can exhaust system CPU resources by submitting specially crafted regular expressions th...
EUVD-2026-42058
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...
CSV Injection
Overview @actual-app/web is an Actual on the web Affected versions of this package are vulnerable to CSV Injection in the exportToCSV and exportQueryToCSV processes, where user-controlled input from fields such as Payee and Notes is passed to CSV export without neutralizing formula-triggering...
Splunk Enterprise Missing Authentication for Critical Function Vulnerability
Splunk Enterprise contains a missing authentication for critical function vulnerability which could allow an unauthenticated user to create or truncate arbitrary files through a PostgreSQL sidecar service endpoint...
NULL Pointer Dereference
Overview Magick.NET-Q8-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...
CVE-2026-10704
A vulnerability was detected in SourceCodester Pizzafy E-Commerce System 1.0. Affected by this vulnerability is the function Login of the file /admin/adminclassnovo.php of the component Administrative Control Panel. The manipulation of the argument Username results in sql injection. The attack ca...
Insertion of Sensitive Information into Log File
Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the setCookie and start functions. An attacker can gain unauthorized access to...
CVE-2026-40818 Unauthenticated SQLi in _mb24confi_getDevice function function
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24configetDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
Concrete CMS 跨站请求伪造漏洞
Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS 9.5.0 and earlier contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the doupdate method not verifying the CSRF token, which could allow attackers to trigger...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based XSS via the parse() reviver that reads a constructor-name property and passes it to new Function(), allowing arbitrary JavaScript execution in contexts such as postMessage for cross-frame communication. Affected component: TeleJSON parse() in versions ...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in the FHIRPathEngine. An attacker can exhaust system resources and cause service disruption by submitting specially crafted regular...
Vim text editor’s `:find` function vulnerability, allowing a hacker to execute arbitrary code or cause a service failure.
The vulnerability of the :find function in the text editor Vim is related to the failure to take measures to neutralize special elements. Exploiting this vulnerability can allow an attacker to execute arbitrary code or cause service interruptions...
EUVD-2026-29026
A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function smfnsmfhandlecreatesmcontext of the component SMF. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The project was...
EUVD-2026-27213
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the LiveAction::reset function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress init action and triggers when both post...
CVE-2026-42076
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to...
CVE-2026-7743
A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...
CVE-2026-42474
SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted data array to the data function in BuildHelper.php...
Arbitrary Argument Injection
Overview GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Arbitrary Argument Injection in the multioptions parameter of the clone function, which may be passed in via the clonefrom, clone, or Submodule.update functions. An...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the SFTP authentication process when the server is configured with an empty username and a password using the -b ':pass' flag together with -sftp. An attacker can gain unauthorized access...
Missing Authentication for Critical Function
Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge...