12 matches found

Source: CVE · added yesterday

CVE-2026-9612

The CVE-2026-9612 entry concerns the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress. It affects versions up to 1.0.1 and is caused by the yapacdev_generate_order_pdf function, which exposes sensitive customer PII and order details. Attack flow: an unauthenticated user can enumera...

CVSS 5.3 · AI score 5.9 · EPSS 0.00308
Exploits 0 · References 7
Source: NVD · added 2026/06/17 1:20 p.m.

CVE-2026-48929

Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...

CVSS 7.5 · EPSS 0.00723
Exploits 0 · References 2
Source: EUVD · added 2026/05/15 7:13 p.m.

EUVD-2026-30606

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user can permanently delete files owned by other users via DELETE /api/v1/files/id when the target file is referenced in any shared chat. The hasaccesstofile...

CVSS 8 · AI score 5.8 · EPSS 0.0027
Exploits 1 · References 1
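The Open WebUI entry above describes a DELETE handler gated on a read-access predicate: a file that is referenced in any shared chat is visible to every authenticated user, so a delete check built on that predicate lets every authenticated user delete it. The following is an added example, not Open WebUI's own code; the predicate name `has_access_to_file`, the data model and the sample users and chats are all constructed for illustration, and the hardened check shows the ownership test a delete path needs.

```python
"""Added example, not Open WebUI's code: read access versus delete authorization.

Models the bug class in the entry above. A DELETE handler that reuses the
"can this user see the file?" predicate lets anyone who can see the file
delete it; a file referenced in a shared chat is visible to every
authenticated user, so every authenticated user can delete it. Everything
here (the predicate name, the data model, the sample users and chats) is
constructed for illustration and is not the project's real implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class File:
    id: str
    owner_id: str


@dataclass
class Chat:
    id: str
    owner_id: str
    shared: bool                 # shared chats are readable by any authenticated user
    file_ids: List[str] = field(default_factory=list)


@dataclass
class User:
    id: str
    role: str = "user"           # "user" or "admin"


def has_access_to_file(user: User, file_id: str, files: Dict[str, File],
                       chats: Dict[str, Chat]) -> bool:
    """Read predicate (assumed shape): owner, admin, or the file is referenced
    by at least one shared chat. Right for GET, far too broad for DELETE."""
    f = files.get(file_id)
    if f is None:
        return False
    if user.role == "admin" or f.owner_id == user.id:
        return True
    return any(c.shared and file_id in c.file_ids for c in chats.values())


def delete_file_vulnerable(user: User, file_id: str, files: Dict[str, File],
                           chats: Dict[str, Chat]) -> bool:
    """Vulnerable pattern: DELETE gated on the read predicate."""
    if not has_access_to_file(user, file_id, files, chats):
        return False
    del files[file_id]
    return True


def can_delete_file(user: User, file_id: str, files: Dict[str, File]) -> bool:
    """Hardened check: deletion is a write, so require ownership or admin.
    Visibility through a shared chat never grants delete."""
    f = files.get(file_id)
    return f is not None and (user.role == "admin" or f.owner_id == user.id)


def delete_file_fixed(user: User, file_id: str, files: Dict[str, File],
                      chats: Dict[str, Chat] = None) -> bool:
    """Fixed handler: same signature, ownership-based authorization."""
    if not can_delete_file(user, file_id, files):
        return False
    del files[file_id]
    return True


def sample_state():
    """Constructed sample: alice owns f1 and put it in a chat she shared;
    bob is an unrelated authenticated user; root is an admin."""
    files = {"f1": File("f1", owner_id="alice")}
    chats = {"c1": Chat("c1", owner_id="alice", shared=True, file_ids=["f1"])}
    users = {"alice": User("alice"), "bob": User("bob"),
             "root": User("root", role="admin")}
    return files, chats, users


def demo() -> Dict[str, bool]:
    """Run bob (non-owner who can read f1 via the shared chat) against both
    handlers on fresh copies of the store; also confirm owner/admin still can."""
    files, chats, users = sample_state()
    bob, alice = users["bob"], users["alice"]
    results = {"bob_can_read": has_access_to_file(bob, "f1", files, chats)}
    results["vulnerable_bob_deleted"] = delete_file_vulnerable(bob, "f1", dict(files), chats)
    results["fixed_bob_deleted"] = delete_file_fixed(bob, "f1", dict(files), chats)
    results["fixed_owner_deleted"] = delete_file_fixed(alice, "f1", dict(files), chats)
    results["fixed_admin_deleted"] = delete_file_fixed(users["root"], "f1", dict(files), chats)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the split into `has_access_to_file` and `can_delete_file` makes: read and write need separate predicates, and the write predicate must not inherit the sharing rules of the read one. A quick review heuristic is to grep every destructive route for the name of the read-access helper.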
Source: Positive Technologies · added 2026/03/05 12:00 a.m.

PT-2026-23602

Name of the Vulnerable Software and Affected Versions: Gokapi versions prior to 2.2.3. Description: Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. The upload status Server-Sent Events (SSE) implementation on the /uploadStatus API endpoint publishes globa...

CVSS 9.9 · AI score 6 · EPSS 0.22162
Exploits 68 · References 138
Source: CNNVD · added 2026/02/27 12:00 a.m.

CloudCharge security vulnerability

CloudCharge is a website of the Swedish company CloudCharge, which provides a platform for managing electric vehicle charging stations. CloudCharge has a security vulnerability, as the identity verification identifiers of charging stations can be accessed publicly through a web-based mapping...

CVSS 6.9 · AI score 5.8 · EPSS 0.00272
Exploits 0 · References 3
Source: Positive Technologies · added 2026/02/03 12:00 a.m.

PT-2026-5965

Name of the Vulnerable Software and Affected Versions: Moodle (affected versions not specified). Description: A flaw exists in Moodle where user identifiers are exposed in URLs during anonymous assignment submissions. This exposure compromises the intended anonymity and could lead to information...

CVSS 5.3 · AI score 5.4 · EPSS 0.00342
Exploits 0 · References 11
Source: CVE · added 2025/11/19 12:00 a.m.

CVE-2025-63212

The vulnerability CVE-2025-63212 affects GatesAir Flexiva-LX devices running firmware 1.0.13 and 2.0 (LX100/LX300/LX600/LX1000). The issue is that sensitive session identifiers (sid) are written to a publicly accessible log at /log/Flexiva%20LX.log, enabling an unauthenticated attacker to hijack ...

CVSS 6.5 · AI score 6.5 · EPSS 0.00313
Exploits 1 · References 2 · Affected software 1
Source: CVE · added 2025/08/27 10:21 a.m.

CVE-2025-30041

CVE-2025-30041 concerns exposure of session identifiers via three CGI script paths: /cgi-bin/CliniNET.prd/utils/userlogstat.pl, /cgi-bin/CliniNET.prd/utils/usrlogstat.pl, and /cgi-bin/CliniNET.prd/utils/dblogstat.pl. The description indicates that these endpoints expose data containing session ID...

CVSS 9 · AI score 6.2 · EPSS 0.00165
Exploits 0 · References 1
Source: Vulnrichment · added 2025/08/27 10:21 a.m.

CVE-2025-30041 Missing authentication in APIs returning statistical data along with session IDs

The paths "/cgi-bin/CliniNET.prd/utils/userlogstat.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl" expose data containing session IDs...

CVSS 9 · AI score 7.2 · EPSS 0.00165
Exploits 0 · References 1
Source: Positive Technologies · added 2025/08/27 12:00 a.m.

PT-2025-34847 · Clininet · Clininet

Name of the Vulnerable Software and Affected Versions: CliniNET (affected versions not specified). Description: The vulnerability allows unauthenticated users to download a file containing session ID data by directly accessing the /cgi-bin/CliniNET.prd/utils/userlogxls.pl endpoint. Recommendations: ...

CVSS 9.4 · AI score 5.9 · EPSS 0.00231
Exploits 0 · References 6
Source: Positive Technologies · added 2025/08/27 12:00 a.m.

PT-2025-34848 · Clininet · Clininet

Name of the Vulnerable Software and Affected Versions: CliniNET (affected versions not specified). Description: The paths /cgi-bin/CliniNET.prd/utils/userlogstat.pl, /cgi-bin/CliniNET.prd/utils/usrlogstat.pl, and /cgi-bin/CliniNET.prd/utils/dblogstat.pl expose data containing session IDs...

CVSS 9.4 · AI score 5.9 · EPSS 0.00231
Exploits 0 · References 5
Source: RedHat Linux · added 2018/10/01 7:42 p.m.

Console: HTTPOnly and Secure attributes not set on cookies in Red Hat AMQ

It was found that the Hawtio console does not set the HTTPOnly or Secure attributes on cookies. An attacker could use this flaw to retrieve an authenticated user's session ID, and possibly conduct further attacks with the permissions of the authenticated user...

CVSS 7.5 · AI score 5.8 · EPSS 0.02204
Exploits 0 · References 4
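A practitioner confirming the condition in the Red Hat entry above would pull the console's login response and inspect its Set-Cookie headers rather than trust the advisory text. The following checker is an added example, not Red Hat's or Hawtio's code: it parses Set-Cookie values and flags session-like cookies missing HttpOnly or Secure. The sample response headers are constructed; the cookie name JSESSIONID is the servlet-container default and only an assumption about what the affected console emits. The SameSite check goes beyond what the advisory describes and is included as the extra check a reviewer would run today.

```python
"""Added example, not Red Hat's or Hawtio's code: audit Set-Cookie headers
for the missing attributes the advisory above describes.

Parses each Set-Cookie value and flags session-like cookies that lack
HttpOnly or Secure. The sample response headers are constructed; the cookie
name JSESSIONID is the servlet-container default and only an assumption about
what the affected console emits. The SameSite check goes beyond the advisory.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Cookie names that usually carry an authenticated session or bearer value.
SESSION_NAME_RE = re.compile(r"sess|sid|token|auth", re.IGNORECASE)


@dataclass
class CookieAudit:
    name: str
    http_only: bool
    secure: bool
    same_site: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val|None}).
    Attribute names are case-insensitive per RFC 6265; values are kept as sent."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, had_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if had_eq else None
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header_value: str, over_https: bool = True) -> CookieAudit:
    """Return an audit record; findings is empty when the cookie is acceptable.
    Cookies whose name does not look session-bearing are recorded but not flagged.
    over_https=False suppresses the Secure finding for plain-HTTP deployments."""
    name, _, attrs = parse_set_cookie(header_value)
    audit = CookieAudit(
        name=name,
        http_only="httponly" in attrs,
        secure="secure" in attrs,
        same_site=attrs.get("samesite"),
    )
    if not SESSION_NAME_RE.search(name):
        return audit
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: readable from script, stolen by any XSS")
    if over_https and not audit.secure:
        audit.findings.append("missing Secure: sent in clear over HTTP, sniffable on the wire")
    if audit.same_site is None:
        audit.findings.append("no SameSite: attached to cross-site requests (CSRF exposure)")
    return audit


def audit_response(headers: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Audit every Set-Cookie header in a response; map cookie name -> findings."""
    return {
        a.name: a.findings
        for a in (audit_set_cookie(v) for k, v in headers if k.lower() == "set-cookie")
    }


# Constructed sample response, shaped like a console login reply: a session
# cookie with no security attributes (the advisory's condition) and a
# harmless preference cookie that should not be flagged.
SAMPLE_RESPONSE_HEADERS = [
    ("Content-Type", "text/html;charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
]

if __name__ == "__main__":
    for cookie, findings in audit_response(SAMPLE_RESPONSE_HEADERS).items():
        print(cookie, "OK" if not findings else "; ".join(findings))
```

Feed it the header list from a real response (for example from `requests` via `response.raw.headers.items()`, since `response.headers` folds repeated Set-Cookie lines together) and treat any finding on a session cookie as the advisory's condition reproduced.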