217 matches found
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
The wcfmajaxcontroller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated users, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. id: CVE-2021-24849 info: name: WCFM...
Liferay Portal - Cross-Site Scripting
A reflected cross-site scripting (XSS) vulnerability in Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows a remote non-authenticated...
EUVD-2026-25391
Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Redirect parameter on login page is vulnerable to reflected XSS. The patch in commit 16d1b6ca2559f858a1de77bcb03fd7f1b81671c6 fixes the issue by restricting...
CVE-2026-41297
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalidated redirects. The marketplace.ts module fails to restrict redirect destinations during archive...
CVE-2026-33067 SiYuan has Stored XSS to RCE via Unsanitized Bazaar Package Metadata
SiYuan is a personal knowledge management system. Versions 3.6.0 and below render package metadata fields displayName, description using template literals without HTML escaping. A malicious package author can inject arbitrary HTML/JavaScript into these fields, which executes automatically when an...
CVE-2026-27510 Unitree Go2 Mobile Program Tampering Enables Root RCE
Unitree Go2 firmware versions 1.1.7 through 1.1.11, when used with the Unitree Go2 Android application com.unitree.doggo2, are vulnerable to remote code execution due to missing integrity protection and validation of user-created programmes. The Android application stores programs in a local SQLi...
A New Platform Offers Privacy Tools to Millions of Public Servants
From data-removal services to threat monitoring, the Public Service Alliance says its new marketplace will help public servants defend themselves in an era of data brokers and political violence...
Malicious code in opensource-marketplace (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 974526369e603fb5c185bc7f3413907573ba2934f77f38446e73607af8847fd1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Operation Shipwrecked: US Seizes PopeyeTools Marketplace, Charges 3
The US Department of Justice has taken down PopeyeTools, a major online marketplace used by cybercriminals to sell…
CVE-2024-47173 Aimeos GraphQL API admin interface denial of service vulnerability in SaaS and marketplace setups
Aimeos is an e-commerce framework. All SaaS and marketplace setups using the Aimeos GraphQL API admin interface version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack. Version 2024.07.2 fixes the issue...
CVE-2024-47173
CVE-2024-47173 describes a denial-of-service vulnerability in Aimeos where all SaaS and marketplace deployments using the GraphQL API admin interface (Aimeos) from versions 2024.04 up to 2024.07.1 are affected. The issue arises from improper handling in the GraphQL admin API, leading to an attack...
GHSA-QXGX-HVG3-V92W ai-admin-graphql has a Denial of service vulnerability in SaaS and marketplace setups
All SaaS and marketplace setups using Aimeos version from 2024.04 up to 2024.07.1 are affected by a potential denial of service attack...
CVE-2024-9943 MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Cross-Site Request Forgery to Vendor Updates
The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 4.2.4. This is due to missing or incorrect nonce validation on several functions in api/class-mvx-rest-controller.php...
WordPress WC Marketplace Plugin <= 4.2.4 is vulnerable to Cross Site Request Forgery (CSRF)
Software WC Marketplace Type Plugin Vulnerable versions = 4.2.4 Fixed in 4.2.5 OWASP Top 10 A5: Broken Access Control Classification Cross Site Request Forgery CSRF CVE CVE-2024-9943 Patch priority Low CVSS severity Low 5.4 Developer Claim ownership PSID bfdf428207b9 Credits wesley wcraft Require...
CVE-2024-47048
Rocket.Chat 6.12.0, 6.11.2, 6.10.5, 6.9.6, 6.8.6, 6.7.8, and earlier allows stored XSS in the description and release notes of the marketplace and private apps...