9790 matches found

EUVD
added 2026/03/24 7:39 p.m., 1 view

EUVD-2026-14013

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. Thi...

9.8 CVSS, 5.7 AI score, 0.00244 EPSS
Exploits: 4, References: 17

OSV
added 2026/03/24 7:39 p.m., 4 views

CVE-2026-33353 Soft Serve: Authenticated repo import can clone server-local private repositories

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. Thi...

7.1 CVSS, 6.2 AI score, 0.00015 EPSS
Exploits: 1, References: 5

Patchstack
added 2026/03/24 6:21 p.m., 4 views

WordPress JupiterX Core plugin <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import vulnerability

Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import vulnerability discovered by Jack Pas Dark. - Black Lantern Security in WordPress Plugin JupiterX Core versions <= 4.14.1...

8.8 CVSS, 5.8 AI score, 0.00329 EPSS
Exploits: 0, References: 1, Affected Software: 1

RedhatCVE
added 2026/03/24 4:24 p.m., 3 views

CVE-2026-0848

A code injection flaw was found in nltk. The StanfordSegmenter module in NLTK (Natural Language Toolkit) is vulnerable to arbitrary code execution due to improper input validation. An attacker can exploit this by supplying or replacing Java Archive (JAR) files, which are dynamically loaded without...

10 CVSS, 7.9 AI score, 0.00307 EPSS
Exploits: 3, References: 5

RedHat Linux
added 2026/03/24 2:23 p.m., 3 views

Important: Red Hat Security Advisory: multicluster engine for Kubernetes v2.7.9 security update

The multicluster engine for Kubernetes 2.7 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. The multicluster engine for Kubernetes v2.7 images The multicluster engine for Kubernetes provides the foundational components that are...

10 CVSS, 7 AI score, 0.00073 EPSS
Exploits: 4, References: 9

EUVD
added 2026/03/24 12:30 p.m., 1 view

EUVD-2019-19996

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and...

9.8 CVSS, 6.4 AI score, 0.00077 EPSS
Exploits: 0, References: 5

NVD
added 2026/03/24 12:16 p.m., 1 view

CVE-2019-25628

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and...

9.8 CVSS, 0.00077 EPSS
Exploits: 0, References: 4

CVE
added 2026/03/24 11:27 a.m., 7 views

CVE-2019-25628

CVE-2019-25628 affects Download Accelerator Plus (DAP) 10.0.6.0. The vulnerability is a structured exception handler (SEH) buffer overflow in the web page import pathway, allowing remote code execution when a user imports a specially crafted URL. The issue is memory-corruption based; no specific ...

9.8 CVSS, 6.4 AI score, 0.00077 EPSS
Exploits: 0, References: 4

Vulnrichment
added 2026/03/24 11:27 a.m., 1 view

CVE-2019-25628 Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and...

9.8 CVSS, 6.4 AI score, 0.00077 EPSS
Exploits: 0, References: 4

ATTACKERKB
added 2026/03/24 11:27 a.m., 1 view

CVE-2019-25628

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and...

9.8 CVSS, 6.4 AI score, 0.00077 EPSS
Exploits: 0, References: 4

Cvelist
added 2026/03/24 11:27 a.m., 20 views

CVE-2019-25628 Download Accelerator Plus DAP 10.0.6.0 SEH Buffer Overflow

Download Accelerator Plus DAP 10.0.6.0 contains a structured exception handler buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting malicious URLs. Attackers can create specially crafted URLs with overflowing buffer data that overwrites SEH pointers and...

9.8 CVSS, 0.00077 EPSS
Exploits: 0, References: 4

Patchstack
added 2026/03/24 8:24 a.m., 4 views

WordPress Import and export users and customers plugin <= 1.29.7 - Privilege Escalation to Administrator via save_extra_user_profile_fields vulnerability

Privilege Escalation to Administrator via save_extra_user_profile_fields vulnerability discovered by kai63001 in WordPress Plugin Import and export users and customers versions <= 1.29.7...

8.1 CVSS, 5.8 AI score, 0.00032 EPSS
Exploits: 1, References: 1, Affected Software: 1

CVE
added 2026/03/23 11:25 p.m., 5 views

CVE-2026-3533

CVE-2026-3533 (Jupiter X Core WordPress plugin) is a vulnerability in all versions up to 4.14.1 where limited file uploads are possible due to missing authorization on import_popup_templates() and inadequate file-type validation in upload_files(). Authenticated users with Subscriber-level access ...

8.8 CVSS, 5.9 AI score, 0.00329 EPSS
Exploits: 0, References: 4

Vulnrichment
added 2026/03/23 11:25 p.m., 3 views

CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates function as well as insufficient file type validation in the upload_files function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

8.8 CVSS, 5.9 AI score, 0.00329 EPSS
Exploits: 0, References: 4

Cvelist
added 2026/03/23 11:25 p.m., 28 views

CVE-2026-3533 JupiterX Core <= 4.14.1 - Authenticated (Subscriber+) Missing Authorization To Limited File Upload via Popup Template Import

The Jupiter X Core plugin for WordPress is vulnerable to limited file uploads due to missing authorization on the import_popup_templates function as well as insufficient file type validation in the upload_files function in all versions up to, and including, 4.14.1. This makes it possible for Authenticat...

8.8 CVSS, 0.00329 EPSS
Exploits: 0, References: 4

Snyk
added 2026/03/23 6:16 p.m., 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the repo import process. An attacker can access unauthorized server-local private repositories by initiating a clone operation after authenticating. Remediation: Upgrade...

7.1 CVSS, 5.9 AI score, 0.00015 EPSS
Exploits: 1, References: 3

OSV
added 2026/03/23 6:16 p.m., 2 views

GO-2026-4788 In Soft Serve, an authenticated repo import can clone server-local private repositories in github.com/charmbracelet/soft-serve

In Soft Serve, an authenticated repo import can clone server-local private repositories in github.com/charmbracelet/soft-serve...

7.1 CVSS, 5.8 AI score, 0.00015 EPSS
Exploits: 1, References: 1

Snyk
added 2026/03/23 6:16 p.m., 3 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the repo import process. An attacker can access unauthorized server-local private repositories by initiating a clone operation after authenticating. Remediation: Upgrade...

7.1 CVSS, 5.9 AI score, 0.00015 EPSS
Exploits: 1, References: 3

Vulnrichment
added 2026/03/23 4:32 p.m., 3 views

CVE-2026-33507 AVideo Affected by CSRF on Plugin Import Endpoint Enables Unauthenticated Remote Code Execution via Malicious Plugin Upload

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the objects/pluginImport.json.php endpoint allows admin users to upload and install plugin ZIP files containing executable PHP code, but lacks any CSRF protection. Combined with the application explicitly setting...

8.8 CVSS, 5.9 AI score, 0.00103 EPSS
Exploits: 1, References: 2

CVE
added 2026/03/23 4:32 p.m., 6 views

CVE-2026-33507

WWBN AVideo (up to v26.0) exposes a CSRF flaw in the objects/pluginImport.json.php endpoint: an unauthenticated page can trigger a crafted plugin upload when an admin is authenticated, leading to Remote Code Execution via a PHP webshell. Root cause combines lack of CSRF protection with SameSite=N...

8.8 CVSS, 5.9 AI score, 0.00103 EPSS
Exploits: 1, References: 2, Affected Software: 1