9840 matches found

Snyk
added 2026/02/19 6:31 p.m. | 3 views

Arbitrary File Upload

Overview: Affected versions of this package are vulnerable to Arbitrary File Upload via throttling policy import API. An attacker can execute arbitrary code by uploading a specially crafted file to a user-controlled location. Remediation: Upgrade org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.impl t...

CVSS: 9.1 | AI score: 6.1 | EPSS: 0.00108
Exploits: 0 | References: 2

NVD
added 2026/02/19 6:25 p.m. | 5 views

CVE-2026-2817

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

CVSS: 4.8 | EPSS: 0.0002
Exploits: 0 | References: 1

Snyk
added 2026/02/19 5:18 p.m. | 1 view

Creation of Temporary File in Directory with Insecure Permissions

Overview: Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of an insecure temporary directory during snapshot import operations. An attacker can access sensitive information by reading files from the temporary...

CVSS: 4.8 | AI score: 5.9 | EPSS: 0.0002
Exploits: 0 | References: 2

Vulnrichment
added 2026/02/19 5:18 p.m. | 6 views

CVE-2026-2817 Spring Data Geode Insecure Temporary Directory Usage

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

CVSS: 4.8 | AI score: 5.5 | EPSS: 0.0002
Exploits: 0 | References: 1

CVE
added 2026/02/19 5:18 p.m. | 11 views

CVE-2026-2817

CVE-2026-2817 affects Spring Data Geode. The issue arises from using an insecure directory during snapshot imports: archives are extracted to predictable, overly permissive locations in the system temp directory. On shared hosts, a local user with basic privileges can access another user’s extrac...

CVSS: 4.8 | AI score: 5.5 | EPSS: 0.0002
Exploits: 0 | References: 1

Cvelist
added 2026/02/19 5:18 p.m. | 24 views

CVE-2026-2817 Spring Data Geode Insecure Temporary Directory Usage

Use of insecure directory in Spring Data Geode snapshot import extracts archives into predictable, permissive directories under the system temp location. On shared hosts, a local user with basic privileges can access another user’s extracted snapshot contents, leading to unintended exposure of...

CVSS: 4.8 | EPSS: 0.0002
Exploits: 0 | References: 1

RedhatCVE
added 2026/02/19 1:28 p.m. | 6 views

CVE-2026-1317

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS: 6.5 | AI score: 6 | EPSS: 0.00038
Exploits: 0 | References: 1

OSV
added 2026/02/19 9:42 a.m. | 4 views

CLSA-2026-1771494125 nodejs: Fix of CVE-2024-22020

CVE-2024-22020: lib,esm: handle bypass network-import via data...

CVSS: 6.5 | AI score: 6.8 | EPSS: 0.00133
Exploits: 0 | References: 1

Positive Technologies
added 2026/02/19 12:00 a.m. | 5 views

PT-2026-20882

Name of the Vulnerable Software and Affected Versions: Spring Data Geode, affected versions not specified. Description: The software has a flaw related to insecure directory usage during snapshot imports. Specifically, archives are extracted into predictable and overly permissive directories within t...

CVSS: 4.8 | AI score: 5.2 | EPSS: 0.0002
Exploits: 0 | References: 5

CNNVD
added 2026/02/19 12:00 a.m. | 3 views

Spring Data Geode Security Vulnerability

Spring Data Geode is a software developed by Spring for configuring, operating, and accessing distributed data management systems. There is a security vulnerability in Spring Data Geode, which stems from the use of an insecure directory during the snapshot import process. Archives are stored in a...

CVSS: 4.8 | AI score: 5.8 | EPSS: 0.0002
Exploits: 0 | References: 1

Snyk
added 2026/02/18 9:45 p.m. | 5 views

Unsafe Dependency Resolution

Overview @tygo-van-den-hurk/slyde is a Make beautifully animated Slydes and presentations from XML with ease! Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the automatic import process of /.plugin.js,mjs files from dependencies. An attacker can execute...

CVSS: 9.8 | AI score: 6.2 | EPSS: 0.00034
Exploits: 0 | References: 2

OSV
added 2026/02/18 4:22 p.m. | 3 views

CVE-2025-65519

mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. The application fails to validate nesting depth during parsing operations, allowing authenticated attackers to trigger denial of service conditions by uploading deeply nested...

CVSS: 6.5 | AI score: 5.6
Exploits: 0 | References: 1

NVD
added 2026/02/18 4:22 p.m. | 2 views

CVE-2025-65519

mayswind ezbookkeeping versions 1.2.0 and earlier contain a critical vulnerability in JSON and XML file import processing. The application fails to validate nesting depth during parsing operations, allowing authenticated attackers to trigger denial of service conditions by uploading deeply nested...

CVSS: 6.5 | EPSS: 0.00076
Exploits: 1 | References: 1

NVD
added 2026/02/18 1:16 p.m. | 5 views

CVE-2026-1317

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS: 6.5 | EPSS: 0.00038
Exploits: 0 | References: 4

Cvelist
added 2026/02/18 12:28 p.m. | 20 views

CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS: 6.5 | EPSS: 0.00038
Exploits: 0 | References: 4

Vulnrichment
added 2026/02/18 12:28 p.m. | 3 views

CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS: 6.5 | AI score: 6 | EPSS: 0.00038
Exploits: 0 | References: 4

CVE
added 2026/02/18 12:28 p.m. | 11 views

CVE-2026-1317

The WP Import – Ultimate CSV XML Importer for WordPress plugin is affected by a SQL Injection in all versions up to 7.37 due to insufficient escaping of the file_name parameter, which is stored in the database during file upload and later used in raw SQL queries. This requires an authenticated us...

CVSS: 6.5 | AI score: 6 | EPSS: 0.00038
Exploits: 0 | References: 4

Patchstack
added 2026/02/18 8:53 a.m. | 4 views

WordPress Import Eventbrite Events plugin <= 1.7.4 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by vgo0 in WordPress Plugin Import Eventbrite Events versions <= 1.7.4...

CVSS: 6.1 | AI score: 5.5 | EPSS: 0.01684
Exploits: 0 | References: 1 | Affected Software: 1

NVD
added 2026/02/18 7:16 a.m. | 5 views

CVE-2026-1937

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the yaymail_import_state AJAX action in all versions up to, and including, 4.3.2. This makes it possible for...

CVSS: 7.2 | EPSS: 0.0002
Exploits: 1 | References: 4

Vulnrichment
added 2026/02/18 6:42 a.m. | 4 views

CVE-2026-1937 YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the yaymail_import_state AJAX action in all versions up to, and including, 4.3.2. This makes it possible for...

CVSS: 7.2 | AI score: 5.7 | EPSS: 0.0002
Exploits: 1 | References: 4