39627 matches found
CVE-2026-50185
CVE-2026-50185 affects RustCrypto CMOV (cmov crate) aarch64 backends where Cmov and CmovEq incorrectly assume high bits are zero-extended when loading small values, causing left.cmovz and cmoveq operations to produce incorrect results under certain casts or inline-asm paths. Affected range is 0.1...
CVE-2026-50185 RustCrypto Cmov/CmovEq on aarch64 can produce wrong results if high-bits of registers are set
RustCrypto CMOV provides conditional move CPU intrinsics which are guaranteed on major platforms to execute in constant-time and not be rewritten as branches by the compiler. From 0.1.1 until 0.5.4, the aarch64 implementations of Cmov and CmovEq in cmov/src/backends/aarch64.rs assume high bits ar...
EUVD-2026-41921
vLLM has Remote DoS via Invalid Recovered Token Reinjection...
MagnusBilling Login Logs - Cross-Site Scripting
Improper neutralization of input during web page generation vulnerability in MagnusSolution MagnusBilling login logging allows unauthenticated users to store HTML content in the viewable log component accessible at /mbilling/index.php/logUsers/read" cross-site scripting This vulnerability is...
WordPress Plugin MainWP Child - Authentication Bypass
The plugin is vulnerable to an authentication bypass that allows an unauthenticated user to login as an administrator without providing a password. This vulnerability is only exploitable when the plugin has not been connected to a MainWP Dashboard and the "Require unique security ID" option is no...
Piwigo < 16.3.0 - Unauthenticated Information Disclosure via History API
Piwigo = 16.3.0 contains an information disclosure vulnerability caused by the pwg.history.search API method lacking adminonly restriction, letting unauthenticated users access full browsing history, exploit requires no authentication id: CVE-2026-27833 info: name: Piwigo 16.3.0 - Unauthenticated...
Avid NEXIS Agent - Arbitrary File Read
Avid NEXIS E-series, F-series, PRO+, and System Director Appliance SDA+ before 2025.5.1 contain an unauthenticated arbitrary file read caused by improper validation of the filename parameter, letting unauthenticated attackers read sensitive files, exploit requires no authentication. id:...
Breeze <= 2.4.4 - Arbitrary File Upload
Breeze Cache WordPress plugin = 2.4.4 contains an unrestricted file upload vulnerability caused by missing file type validation in 'fetchgravatarfromremote' function, letting unauthenticated attackers upload arbitrary files, exploit requires 'Host Files Locally - Gravatars' enabled. id:...
WordPress Media Library Assistant <= 3.34 - SQL Injection
David Lingren Media Library Assistant = 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input. id: CVE-2026-34885 info: name: WordPress Media Library Assistant = 3.34 -...
Glances - Information Disclosure
Glances 4.5.2 contains an information disclosure vulnerability caused by the web server running without authentication by default, letting remote attackers access sensitive system information including credentials, exploit requires no special privileges. id: CVE-2026-32596 info: name: Glances -...
EventON Lite <= 2.4 - Authenticated Local File Inclusion
Ashan Perera EventON contains a PHP remote file inclusion caused by improper control of filename in include/require statements, letting attackers include local files, exploit requires attacker to control include filename. id: CVE-2025-32614 info: name: EventON Lite = 2.4 - Authenticated Local Fil...
Bulk Me Now! Plugin <= 2.0 - Cross-Site Scripting
Bulk Me Now! WordPress plugin = 2.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
WordPress Front End Users - Reflected XSS
WordPress Front End Users plugin = 3.2.32 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
Post Sync Plugin <= 1.1 - Cross-Site Scripting
Post Sync WordPress plugin = 1.1 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a maliciou...
WP BASE Booking - Reflected XSS
WP BASE Booking of Appointments, Services and Events WordPress plugin 5.0.0 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before output, letting attackers execute malicious scripts in high privilege users' browsers, exploit requires victim to...
WordPress TS Poll < 2.4.0 - SQL Injection
WordPress TS Poll plugin 2.4.0 contains a SQL injection caused by lack of sanitization and escaping of a parameter before using it in a SQL statement, letting attackers perform SQL injection attacks, exploit requires admin privileges. id: CVE-2024-8625 info: name: WordPress TS Poll 2.4.0 - SQL...
Mail Mint < 1.19.5 - Unauthenticated Email Disclosure
Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...
WP Triggers Lite - Cross-Site Scripting
WP Triggers Lite WordPress plugin v2.5.3 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires attacker to craft a...
Lokomedia CMS - Local File Inclusion
A Local File Inclusion LFI vulnerability exists in Lokomedia CMS. The application allows an attacker to include files on the server that should not be accessible, potentially exposing sensitive information. id: CVE-2010-2018 info: name: Lokomedia CMS - Local File Inclusion author: r3Y3r53 severit...
Hongjing e-HR 2020 - SQL Injection
A vulnerability, which was classified as critical, has been found in Hongjing e-HR 2020. Affected by this issue is some unknown functionality of the file /wselfservice/oauthservlet/%2e./.%2e/general/inform/org/loadhistroyorgtree of the component Login Interface. The manipulation of the argument...