469 matches found
Insertion of Sensitive Information into Log File
Overview admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File in the setCookie and start functions. An attacker can gain unauthorized access to...
CVE-2026-40818 Unauthenticated SQLi in _mb24confi_getDevice function function
An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the mb24configetDevice function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...
Concrete CMS θ·¨η«θ―·ζ±δΌͺι ζΌζ΄
Concrete CMS is an open-source content management system designed for teams. Versions of Concrete CMS 9.5.0 and earlier contained a cross-site request forgeing vulnerability. This vulnerability stemmed from the doupdate method not verifying the CSRF token, which could allow attackers to trigger...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based XSS via the parse() reviver that reads a constructor-name property and passes it to new Function(), allowing arbitrary JavaScript execution in contexts such as postMessage for cross-frame communication. Affected component: TeleJSON parse() in versions ...
Regular Expression Denial of Service (ReDoS)
Overview Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the matches, matchesFull, and replaceMatches functions in the FHIRPathEngine. An attacker can exhaust system resources and cause service disruption by submitting specially crafted regular...
EUVD-2026-29026
A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function smfnsmfhandlecreatesmcontext of the component SMF. Performing a manipulation results in denial of service. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The project was...
EUVD-2026-27213
The ElementsKit Elementor Addons plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the LiveAction::reset function in all versions up to, and including, 3.8.2 The function is hooked to the WordPress init action and triggers when both post...
CVE-2026-42076
Evolver is a GEP-powered self-evolving engine for AI agents. Prior to version 1.69.3, a command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to...
CVE-2026-7743
A vulnerability has been found in CodeAstro Online Classroom 1.0. The impacted element is an unknown function of the file /OnlineClassroom/studentdetails. The manipulation of the argument deleteid leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...
CVE-2026-42474
SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted data array to the data function in BuildHelper.php...
Arbitrary Argument Injection
Overview GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Arbitrary Argument Injection in the multioptions parameter of the clone function, which may be passed in via the clonefrom, clone, or Submodule.update functions. An...
Missing Authentication for Critical Function
Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the SFTP authentication process when the server is configured with an empty username and a password using the -b ':pass' flag together with -sftp. An attacker can gain unauthorized access...
Missing Authentication for Critical Function
Overview openclaw is a π¦ OpenClaw β Personal AI Assistant Affected versions of this package are vulnerable to Missing Authentication for Critical Function via the sandbox noVNC helper route. An attacker can gain unauthorized access to interactive browser session credentials by bypassing bridge...
vim security update
An update is available for vim. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Vim Vi IMproved is an updated and improved version of the vi editor. Security...
CVE-2025-53847
CVE-2025-53847 affects Fortinet FortiOS/FortiGate: missing authentication for a critical function allows an attacker to execute unauthorized code or commands via specially crafted packets. Impact spans FortiOS versions 6.2.x (6.2.9β6.2.17), 6.4.x (all versions), 7.0.x (7.0.0β7.0.17), 7.2.x (7.2.0...
CVE-2026-33710
Chamilo LMS (prior to 1.11.38 and 2.0.0-RC.3) uses REST API keys generated by md5(time() + (user_id * 5) - rand(10000, 10000)). Since rand(10000,10000) always returns 10000, the key becomes md5(timestamp + user_id*5 - 10000), enabling brute-forcing by an attacker who knows a username and approxim...
CVE-2026-33366
CVE-2026-33366 concerns BUFFALO Wi-Fi router products with a vulnerability in a critical function that is missing authentication, potentially allowing an attacker to forcibly reboot the device over the network without valid credentials. The issue is described with two CVSS vectors: CVSS3.0 base s...
EUVD-2026-16379
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0...
CVE-2026-0966
A flaw was found in libssh. The API function sshgethexa is vulnerable to a denial of service when processing zero-length input. This can be exploited remotely by an attacker during GSSAPI Generic Security Service Application Program Interface authentication if the server's logging verbosity is se...
CVE-2026-3527
Missing Authentication for Critical Function vulnerability in Drupal AJAX Dashboard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AJAX Dashboard: from 0.0.0 before 3.1.0...