87 matches found
CVE-2026-44199
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to f...
EUVD-2026-29828
PowerSYSTEM Center REST API endpoint for device account export allows an authenticated user with limited permissions to expose sensitive information normally restricted to administrative permissions only...
PYSEC-2026-148
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to form pages could delete submissions to form pages they don't have access to by crafting a form submission to delete submissions on a page they do have access to f...
PYSEC-2026-149
Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user with limited access to pages could copy a page they don't have access to to an area of the site they do. Once copied, they'd be able to view its contents, and potentially publish it...
CVE-2026-44199
Summary (CVE-2026-44199) Wagtail (Django-based CMS) before versions 7.0.7, 7.3.2, and 7.4 contains a permission bug in form submissions. A CMS user with limited access to form pages can delete submissions on pages they should not access by crafting a delete submission request for pages they can a...
CVE-2025-41710
An unauthenticated remote attacker may use hardcoded credentials to get access to the previously activated FTP Server with limited read and write privileges...
CVE-2026-21297
Adobe Commerce versions 2.4.9-alpha3, 2.4.8-p3, 2.4.7-p8, 2.4.6-p13, 2.4.5-p15, 2.4.4-p16 and earlier are affected by an Incorrect Authorization vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to bypass security measures an...
CVE-2025-40886
Nozomi Networks Guardian/CMC exposes a SQL Injection in the Alert functionality due to improper input validation. An authenticated user with limited privileges can run arbitrary SQL on the underlying DBMS, potentially exposing data, altering structures, or affecting availability. Affected: Guardi...
EUVD-2023-50857
Malicious code in bioql PyPI...
CVE-2025-36757
It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system...
CVE-2025-36757 Bypass of administrator login screen in SolaX Cloud
It is possible to bypass the administrator login screen on SolaX Cloud. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system...
PT-2025-37029
Name of the Vulnerable Software and Affected Versions: SolaX Cloud affected versions not specified Description: It is possible to bypass the administrator login screen. An attacker could use parameter tampering to bypass the login screen and gain limited access to the system. Recommendations: At...
CVE-2025-54251 Adobe Experience Manager | XML Injection (aka Blind XPath Injection) (CWE-91)
Adobe Experience Manager versions 6.5.23.0 and earlier are affected by an XML Injection vulnerability that could result in a Security feature bypass. A low-privileged attacker could leverage this vulnerability to manipulate XML queries and gain limited unauthorized write access...
Sparklabs Viscosity security vulnerability
Sparklabs Viscosity is an OpenVPN client from Sparklabs Australia. A security vulnerability exists in SparkLabs Viscosity versions prior to 1.11.5, which stems from the possibility of exploiting the Launch Agent to load dynamic libraries to gain limited access to resources...
CVE-2025-3153 Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 - CSRF and XSS in Concrete CMS Custom Address attribute
Concrete CMS version 9 below 9.4.0RC2 and versions below 8.5.20 are vulnerable to CSRF and XSS in the Concrete CMS Address attribute because addresses are not properly sanitized in the output when a country is not specified. Attackers are limited to individuals whom a site administrator has...
CVE-2024-11952
CVE-2024-11952 covers a Limited Local PHP File Inclusion in Classic Addons for WPBakery Page Builder (WordPress) up to v3.0, exploitable via the style parameter by an authenticated user with Contributor-level access (or higher) with permissions granted by an Administrator. The issue allows includ...
CVE-2024-48899
A vulnerability was found in Moodle. Additional checks are required to ensure users can only fetch the list of course badges for courses that they are intended to have access to...
PT-2024-39904 · WordPress · The Poll Maker – Versus Polls
Name of the Vulnerable Software and Affected Versions: The Poll Maker – Versus Polls, Anonymous Polls, Image Polls plugin for WordPress versions up to, and including, 5.4.6 Description: The issue is related to time-based SQL Injection via the orderby parameter due to insufficient escaping on the...
PT-2024-22584 · Infinera · Infinera Hit 7300
Name of the Vulnerable Software and Affected Versions: Infinera hiT 7300 version 5.60.50 Description: A web application in the Infinera hiT 7300 allows a remote privileged attacker to execute applications contained in a specific OS directory via HTTP invocations. This issue can lead to unauthoriz...