Lucene search

599 matches found

NVD
added yesterday, 7 views

CVE-2026-8874

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

7.1 CVSS
Exploits: 0, References: 1
CVE
added yesterday, 4 views

CVE-2026-8876

Securly Chrome Extension, version 3.0.7, is affected by CVE-2026-8876 due to hardcoded, plaintext AES passphrases in securly.min.js used to decrypt crisis alert keyword data and intervention site data. This JavaScript plaintext key exposure constitutes a cryptographic weakness that could enable u...

7.3 CVSS, 5.7 AI score
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added yesterday, 3 views

CVE-2026-8874

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

5.8 AI score
Exploits: 0, References: 1
EUVD
added yesterday, 6 views

EUVD-2026-34161

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

5.8 AI score
Exploits: 0, References: 1
ATTACKERKB
added yesterday, 3 views

CVE-2026-8874

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

5.8 AI score
Exploits: 0, References: 2
Cvelist
added yesterday, 25 views

CVE-2026-8874

Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS...

Exploits: 0, References: 1
Positive Technologies
added yesterday, 5 views

PT-2026-46048

Name of the Vulnerable Software and Affected Versions: Securly Chrome Extension version 3.0.7. Description: The extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API. This represents an inconsistent implementation of Transport...

5.8 AI score
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/05/24 2:47 a.m., 8 views

Malicious code in license-checker-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 66ac93280c5fc72f65d15486a69369e4d2c2b289fa6f062a6643b63137fc6aa9 Package name mimics the widely-used license-checker while shipping an undocumented lib/compliance.js module that harvests credentials. The module sca...

5.8 AI score
Exploits: 0, References: 2
OSSF Malicious Packages
added 2026/05/20 1:09 a.m., 7 views

Malicious code in get-deps-path (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...

6.2 AI score
Exploits: 0, References: 6
Positive Technologies
added 2026/05/13 12:00 a.m., 9 views

PT-2026-40828

Name of the Vulnerable Software and Affected Versions: OPNsense versions prior to 26.1.7. Description: A logic flaw in the lockout handler allows an unauthenticated attacker to continuously reset the authentication failure counter for their IP address. By interjecting a crafted username containing a...

5.3 CVSS, 5.8 AI score, 0.00087 EPSS
Exploits: 1, References: 5
OSV
added 2026/04/28 4:20 p.m., 2 views

CLSA-2026-1777393200 cups: Fix of CVE-2026-34980

CVE-2026-34980: filter control characters from IPP option values and allowlist PPD keywords returned by filters so a remote attacker cannot inject cupsFilter/cupsFilter2 entries on a shared PostScript queue and gain code execution as the cupsd user...

7.5 CVSS, 6.4 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/28 4:14 p.m., 3 views

CLSA-2026-1777392877 cups: Fix of CVE-2026-34980

CVE-2026-34980: filter control characters from IPP option values and allowlist PPD keywords returned by filters so a remote attacker cannot inject cupsFilter/cupsFilter2 entries on a shared PostScript queue and gain code execution as the cupsd user...

7.5 CVSS, 6.4 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/28 4:10 p.m., 2 views

CLSA-2026-1777392623 cups: Fix of CVE-2026-34980

CVE-2026-34980: filter control characters from IPP option values and allowlist PPD keywords returned by filters so a remote attacker cannot inject cupsFilter/cupsFilter2 entries on a shared PostScript queue and gain code execution as the cupsd user...

7.5 CVSS, 6.4 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/25 8:50 a.m., 1 views

CLSA-2026-1777022893 Fix CVE(s): CVE-2026-34980

SECURITY UPDATE: arbitrary PPD keyword injection via job options - debian/patches/CVE-2026-34980.patch: filter control characters from option values and allowlist PPD keywords from filters in scheduler/job.c - CVE-2026-34980...

7.5 CVSS, 6.1 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/24 9:53 p.m., 1 views

CLSA-2026-1777026478 Fix CVE(s): CVE-2026-34980

SECURITY UPDATE: control-character injection in scheduler option handling - debian/patches/CVE-2026-34980.patch: filter control characters from IPP string option values and reject "special" PPD keywords cupsFilter, cupsFilter2, etc. reported back by job filters to prevent filter/command injection...

7.5 CVSS, 6 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/24 11:40 a.m., 2 views

CLSA-2026-1777030799 Fix CVE(s): CVE-2026-34980

SECURITY UPDATE: arbitrary code execution via PPD keyword injection - debian/patches/CVE-2026-34980.patch: filter control characters from option values and allowlist PPD keywords merged from CUPSD_LOG_PPD messages in scheduler/job.c - CVE-2026-34980...

7.5 CVSS, 6.5 AI score, 0.00026 EPSS
Exploits: 1, References: 1
OSV
added 2026/04/22 8:07 p.m., 4 views

GHSA-WRWH-C28M-9JJH @nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call

Summary: The checkSQL validation function that blocks dangerous SQL keywords (e.g., pg_read_file, LOAD_FILE, dblink) is applied on the collections:create and sqlCollection:execute endpoints but is entirely missing on the sqlCollection:update endpoint. An attacker with collection management permissions...

7.2 CVSS, 6.1 AI score, 0.00194 EPSS
Exploits: 1, References: 6
EUVD
added 2026/04/22 9:31 a.m., 0 views

EUVD-2026-24684

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

4.4 CVSS, 5.9 AI score, 0.00027 EPSS
Exploits: 0, References: 12
NVD
added 2026/04/22 9:16 a.m., 1 views

CVE-2026-4142

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

4.4 CVSS, 0.00027 EPSS
Exploits: 0, References: 11
Cvelist
added 2026/04/22 7:45 a.m., 25 views

CVE-2026-4142 Sentence To SEO (keywords, description and tags) <= 1.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Permanent keywords' Field

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Permanent keywords' field in all versions up to and including 1.0. This is due to insufficient input sanitization and output escaping. The plugin reads user input via...

4.4 CVSS, 0.00027 EPSS
Exploits: 0, References: 11