64 matches found
CVE-2026-3479 pkgutil.get_data() does not enforce documented restrictions
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.getdata has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.getdata did...
PSF-2026-13
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.getdata has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.getdata did...
CVE-2026-3479 pkgutil.get_data() does not enforce documented restrictions
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.getdata has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.getdata did...
CVE-2026-3479 pkgutil.get_data() does not enforce documented restrictions
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.getdata has the same security model as open. The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model. pkgutil.getdata did...
CVE-2026-3479
CVE-2026-3479 concerns improper resource-argument validation in pkgutil.get_data(), which can enable path traversal. The DISPUTED description notes the function’s security model is the same as open(), and updated docs clarify there is no vulnerability when following the intended model. Connected ...
Directory Traversal
Overview Affected versions of this package are vulnerable to Directory Traversal via the pkgutil.getdata function. An attacker can access files and directories outside the intended root directory by supplying crafted input to the resource argument. Details A Directory Traversal attack also known ...
PT-2026-26139
Name of the Vulnerable Software and Affected Versions pkgutil affected versions not specified Description The pkgutil.get data function did not properly validate the resource argument, as documented. This allowed for path traversal, potentially enabling unauthorized access to files. Recommendatio...
Out-of-bounds Read
Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the sftpextensionsgetname or sftpextensionsgetdata functions. An attacker can cause the application to read memory outside the intended buffer by supplying a crafted argument, potentially resulting in application...
CVE-2026-3058
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the seraphaccelapi AJAX action with fn=GetData. This is due to the OnAdminApiGetData function not performing any capability checks. This makes it...
CVE-2026-3058 Seraphinite Accelerator <= 2.28.14 - Authenticated (Subscriber+) Exposure of Sensitive Information to an Unauthorized Actor
The Seraphinite Accelerator plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.28.14 via the seraphaccelapi AJAX action with fn=GetData. This is due to the OnAdminApiGetData function not performing any capability checks. This makes it...
EUVD-2025-206786
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infilitygetdata' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...
CVE-2025-15268
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infilitygetdata' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL...
CVE-2025-13383
The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized $GET superglobal array directly into the database via updateusermeta when users save search results,...
CVE-2025-13383 Job Board by BestWebSoft <= 1.2.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting via $_GET Array Storage
The Job Board by BestWebSoft plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.2.1. This is due to the plugin storing the entire unsanitized $GET superglobal array directly into the database via updateusermeta when users save search results,...
NULL Pointer Dereference
Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the BIOgetdata function. An attacker can cause the application to crash by sending a specially crafted DTLS/TLS connection that results in a NULL pointer dereference. Remediation A fix was pushed into the...
CVE-2025-65493
NULL pointer dereference in src/coapopenssl.c in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a crafted DTLS/TLS connection that triggers BIOgetdata to return NULL...
PT-2025-41387
Potential use of sensitive information in GET requests in Checkmk GmbH's Checkmk versions 2.4.0p13, 2.3.0p38, 2.2.0p46, and 2.1.0 EOL may cause sensitive form data to be included in URL query parameters, which may be logged in various places such as browser history or web server logs...
CVE-2025-57433
The 2wcom IP-4c 2.15.5 device's web interface includes an information disclosure vulnerability. By sending a crafted POST request to a specific endpoint /cwi/ajaxrequest/getdata.php, an authenticated attacker even with a low-privileged account like guest can retrieve the hashed passwords for the...
CVE-2025-57433
The CVE-2025-57433 entry concerns the 2wcom IP-4c device (version 2.15.5). A vulnerability in the web interface allows information disclosure via a crafted POST to /cwi/ajax_request/get_data.php. An authenticated user, even with low privileges (e.g., guest), can retrieve hashed passwords for admi...
Vulnerability of the rng_get_data() function in the drivers/char/hw_random/core.c module – A driver for supporting alphanumeric devices in the Linux kernel, which allows a hacker to cause a service failure.
Vulnerability of the rnggetdata function in the drivers/char/hwrandom/core.c module – The Linux kernel’s driver for supporting alphanumeric devices is vulnerable to synchronization errors when using shared resources. Exploiting this vulnerability can allow an attacker to cause a service failure...