255 matches found
WordPress Ultimate FAQs <= 1.8.24 – Unauthenticated HTML Content Injection
Functions/EWDUFAQImport.php in the ultimate-faqs plugin through 1.8.24 for WordPress allows HTML content injection. id: CVE-2019-17233 info: name: WordPress Ultimate FAQs = 1.8.24 – Unauthenticated HTML Content Injection author: daffainfo severity: medium description: | Functions/EWDUFAQImport.ph...
EUVD-2026-42924
MaxKB is an open-source AI assistant for enterprise. Prior to 2.10.0-lts, MaxKB tool import functionality in apps/tools/serializers/tool.py and MCP referencing mode in apps/application/chatpipeline/step/chatstep/impl/basechatstep.py do not consistently validate MCP transport type, allowing an...
PT-2026-55290
Name of the Vulnerable Software and Affected Versions LobeChat versions prior to 2.2.10-canary.15 Description An authenticated attacker can cause a regular expression denial of service ReDoS by providing a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. This...
DEBIAN-CVE-2026-13807
Use after free in Import in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a malicious file. Chromium security severity: High...
CVE-2026-13807
Use after free in Import in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a malicious file. Chromium security severity: High...
CVE-2026-13807
Use after free in Import in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a malicious file. Chromium security severity: High...
CVE-2026-13807
CVE-2026-13807 describes a use-after-free in Import for Google Chrome on iOS, exploited by convincing a user to perform specific UI gestures to run arbitrary code via a malicious file. Affected product: Google Chrome for iOS (before 150.0.7871.47). Root cause: use-after-free in the Import path. I...
Linux Distros Unpatched Vulnerability : CVE-2026-28385
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In Canonical LXD versions 4.12 through 6.9, a Server-Side Request Forgery SSRF vulnerability in the image import functionality allows authenticated users with t...
CVE-2026-52801 Gogs: Ability to import local repositories via Mirror Settings
Gogs is an open source self-hosted Git service. Prior to 0.14.3, the Gogs Mirror Settings functionality provide an alternative way from the well protected New Migration functionality for any authenticated users to import local repositories. This issue stems from a lack of validation of SaveAddres...
EUVD-2025-210228
Unauthenticated Arbitrary File Upload in WordPress & WooCommerce Scraper Plugin, Import Data from Any Site = 1.0.7 versions...
CVE-2026-7542 Slider Revolution 7.0 - 7.0.10 - Authenticated (Subscriber+) Sensitive Information Disclosure
The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions 7.0 to 7.0.10. This is due to three compounding design flaws: 1 the plugin leaks a valid backend AJAX nonce revslideractions to all authenticated users including Subscribers via the adminfoote...
CVE-2026-11393 Code injection via improper triple-quote escaping in AgentCore CLI Bedrock Agent import
Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of anothe...
goclaw 代码问题漏洞
Goclaw is an open-source multi-tenant AI agent platform developed by Next Level Builder. Goclaw versions 3.11.3 and earlier have code vulnerabilities. These vulnerabilities stem from issues with the Import function in the ttsconfig.go file within the TTS Configuration Endpoint component, which ma...
CVE-2026-7430 Post Snippets <= 4.0.19 - Authenticated (Administrator+) Stored Cross-Site Scripting via Import
The Post Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 4.0.19. This is due to insufficient output escaping of imported snippet content when rendering JavaScript variables in the post editor. Specifically, the jqueryUiDialog method...
PT-2026-44972
Name of the Vulnerable Software and Affected Versions TP-Link TL-SG108PE v5 affected versions not specified Description A stored cross-site scripting XSS issue exists in the web management interface. This occurs because the SYSNAM configuration parameter is not properly sanitized during the...
CVE-2026-45412
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, SSRF via workflowtemplate Import. Authenticated users can supply arbitrary URLs in workflowtemplate.downloadUrl which are fetched server-side without any URL validation or internal IP filtering. This vulnerability is fixed in...
CVE-2026-45412
MaxKB (enterprise AI) is affected by SSRF in the work_flow_template component prior to version 2.9.1. An authenticated user could supply arbitrary URLs to work_flow_template.downloadUrl, and the server would fetch them without URL validation or internal IP filtering, enabling server-side requests...
CVE-2026-33137
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. XWiki Platform is a generic wiki platform. In versions starting with 15.10.6 and prior to 18.1.0-rc-1, 17.10.3, 17.4.9, and 16.10.17, the POST /wikis/wikiName API executes a XAR import without...
Exploit for CVE-2026-33137
CVE-2026-33137 XWiki Platform - Unauthenticated XAR Import...
CVE-2026-9223
Missing authorization in the vault import feature in Devolutions Server 2026.1.16.0 and earlier allows a low-privileged authenticated user to create new vaults via a crafted import request...