
65783 matches found

Cvelist
added 2026/04/23 4:15 a.m., 25 views

CVE-2026-40529

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...

CVSS 5.1, EPSS 0.00038
Exploits 0, References 1

ATTACKERKB
added 2026/04/23 4:15 a.m., 2 views

CVE-2026-40529

CMS ALAYA provided by KANATA Limited contains an SQL injection vulnerability. Information stored in the database may be obtained or altered by an attacker with access to the administrative interface...

CVSS 5.1, AI score 5.8, EPSS 0.00038
Exploits 0, References 2, Affected Software 1

CVE
added 2026/04/23 4:15 a.m., 7 views

CVE-2026-40529

CVE-2026-40529 involves a SQL injection in the CMS ALAYA provided by KANATA Limited. The vulnerability allows an attacker who has access to the administrative interface to obtain or alter information stored in the database. The connected sources (NVD/CVELIST) describe the affected product and the...

CVSS 5.1, AI score 5.8, EPSS 0.00038
Exploits 0, References 1

Tenable Nessus
added 2026/04/23 12:0 a.m., 3 views

Oracle Primavera Unifier (April 2026 CPU)

The versions of Primavera Unifier installed on the remote host are affected by a vulnerability as referenced in the April 2026 CPU advisory. - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering component: Platform Apache Log4j. Supported versions that are affect...

CVSS 6.3, AI score 5.9, EPSS 0.00032
Exploits 1, References 3

Tenable Nessus
added 2026/04/23 12:0 a.m., 84 views

Oracle WebLogic Server (April 2026 CPU)

The 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0, and 15.1.1.0.0 versions of WebLogic Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2026 CPU advisory. - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Web...

CVSS 7.5, AI score 6, EPSS 0.00053
Exploits 1, References 5

CNNVD
added 2026/04/23 12:0 a.m., 7 views

OpenClaw security vulnerability

OpenClaw is an open-source artificial intelligence assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.4.2 contained security vulnerabilities. These vulnerabilities stemmed from an integrity approval vulnerability present in pnpm dlx. The vulnerability allowed local script operation...

CVSS 6.7, AI score 5.9, EPSS 0.00013
Exploits 0, References 1

CNNVD
added 2026/04/23 12:0 a.m., 5 views

TP-Link TL-WR841N security vulnerability

The TP-Link TL-WR841N is a router produced by the TP-Link company. The TP-Link TL-WR841N v13 version has a security vulnerability. This vulnerability stems from the use of DES-CBC encryption in the TDDPv2 debugging protocol, where the key is predictable. This could allow unauthorized attackers to...

CVSS 8.8, AI score 5.8, EPSS 0.00014
Exploits 0, References 2

GitHub Security Blog
added 2026/04/22 6:31 p.m., 4 views

uutils coreutils allows unauthorized modification of permissions on existing files

A vulnerability in uutils coreutils mkfifo allows for the unauthorized modification of permissions on existing files. When mkfifo fails to create a FIFO because a file already exists at the target path, it fails to terminate the operation for that path and continues to execute a follow-up...

CVSS 7.1, AI score 5.5, EPSS 0.00006
Exploits 1, References 3, Affected Software 1

Cvelist
added 2026/04/22 4:9 p.m., 27 views

CVE-2026-35376 uutils coreutils chcon Security Bypass and Mandatory Access Control (MAC) Inconsistency via TOCTOU Race Condition

A Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the chcon utility of uutils coreutils during recursive operations. The implementation resolves recursive targets using a fresh path lookup via fts_accpath rather than binding the traversal and label application to the specific directory...

CVSS 4.5, EPSS 0.00013
Exploits 0, References 2

NCSC
added 2026/04/22 2:10 p.m., 4 views

vulnerabilities in Oracle PeopleSoft

Oracle has identified vulnerabilities in Oracle PeopleSoft. These vulnerabilities enable unauthorized attackers to gain access to sensitive data and modify it. In some cases, these vulnerabilities can even lead to a denial-of-service attack on the affected products. Oracle has released updates to...

CVSS 8.9, AI score 7, EPSS 0.02889
Exploits 10, References 1

EUVD
added 2026/04/22 12:30 p.m., 1 views

EUVD-2026-24718

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pageoptionsajaxdisconnect function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 4.3, AI score 5.7, EPSS 0.00014
Exploits 0, References 7

RedhatCVE
added 2026/04/22 12:29 p.m., 1 views

CVE-2026-6855

A flaw was found in InstructLab. A local attacker could exploit a path traversal vulnerability in the chat session handler by manipulating the logsdir parameter. This allows the attacker to create new directories and write files to arbitrary locations on the system, potentially leading to...

CVSS 7.1, AI score 5.7, EPSS 0.00016
Exploits 0, References 3

NVD
added 2026/04/22 10:16 a.m., 1 views

CVE-2026-1930

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pageoptionsajaxdisconnect function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 4.3, EPSS 0.00014
Exploits 0, References 6

CVE
added 2026/04/22 9:38 a.m., 7 views

CVE-2026-33259

CVE-2026-33259 affects PowerDNS Recursor RPZ handling. The issue arises when there are many concurrent transfers of the same RPZ, which can lead to inconsistent RPZ data, use-after-free, or a crash of the recursor. The root cause is described as concurrent transfers of the same RPZ zone occurring...

CVSS 5, AI score 5.8, EPSS 0.00001
Exploits 0, References 1, Affected Software 1

EUVD
added 2026/04/22 9:31 a.m., 1 views

EUVD-2026-24707

The Fast & Fancy Filter – 3F plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 1.2.2. This is due to missing nonce verification in the saveFields function, which handles the fffsavesettins AJAX action. This makes it possible for unauthenticated...

CVSS 4.3, AI score 5.8, EPSS 0.00007
Exploits 0, References 6

ATTACKERKB
added 2026/04/22 9:27 a.m., 1 views

CVE-2026-1930

The Emailchef plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the pageoptionsajaxdisconnect function in all versions up to, and including, 3.5.1. This makes it possible for authenticated attackers, with Subscriber-level access and above...

CVSS 4.3, AI score 5.7, EPSS 0.00014
Exploits 0, References 7

NVD
added 2026/04/22 9:16 a.m., 1 views

CVE-2026-4139

The mCatFilter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 0.5.2. This is due to the complete absence of nonce verification and capability checks in the computepost function, which processes settings updates. The computepost function is...

CVSS 4.3, EPSS 0.00007
Exploits 0, References 7

NVD
added 2026/04/22 9:16 a.m., 1 views

CVE-2026-4138

The DX Unanswered Comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.7. This is due to missing nonce validation on the plugin's settings form in the dxuc-unanswered-comments-admin-page.php file. This makes it possible for...

CVSS 4.3, EPSS 0.0001
Exploits 0, References 9

NVD
added 2026/04/22 9:16 a.m., 0 views

CVE-2026-2717

The HTTP Headers plugin for WordPress is vulnerable to CRLF Injection in all versions up to, and including, 1.19.2. This is due to insufficient sanitization of custom header name and value fields before writing them to the Apache .htaccess file via insert_with_markers. This makes it possible for...

CVSS 5.5, EPSS 0.00021
Exploits 0, References 5

Cvelist
added 2026/04/22 7:45 a.m., 23 views

CVE-2026-4117 CalJ <= 1.5 - Authenticated (Subscriber+) Arbitrary Settings Modification via 'save-obtained-key' Action

The CalJ plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.5. This is due to a missing capability check in the CalJSettingsPage class constructor, which processes the 'save-obtained-key' operation directly from POST data without verifying that the...

CVSS 5.3, EPSS 0.00015
Exploits 0, References 7