GHSA-JJF9-W5VJ-R6VP Ash.Type.Module.cast_input/2 atom exhaustion via unchecked Module.concat allows BEAM VM crash

Summary Ash.Type.Module.castinput/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has ...

Himmelblau 安全漏洞

Himmelblau is an open-source Azure Entra ID authentication module developed by Himmelblau. There is a security vulnerability in Himmelblau, which stems from conditional local privilege escalation due to name conflicts in edge scenarios. If the mapped CN or short name matches the name of a...

CVE-2026-30643

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload...

Hi.Events SQL注入漏洞

Hi.Events is an open-source event ticketing and management platform developed by Hi.Events. Versions of Hi.Events from 0.8.0-beta.1 to 1.7.1-beta contained a SQL injection vulnerability. This vulnerability occurred because multiple repository classes directly passed the sortby query parameter...

VulnCheck KEV: CVE-2022-3254

The WordPress Classifieds Plugin WordPress plugin before 4.3 does not properly sanitise and escape some parameters before using them in a SQL statement via an AJAX action available to unauthenticated users and when a specific premium module is active, leading to a SQL injection...

PT-2026-29495

Summary Ash.Type.Module.cast input/2 unconditionally creates a new Erlang atom via Module.concatvalue for any user-supplied binary string that starts with "Elixir.", before verifying whether the referenced module exists. Because Erlang atoms are never garbage-collected and the BEAM atom table has...

PT-2026-29675

Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal SAML SSO - Service Provider allows Privilege Escalation. This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.4...

Python Install Manager 安全漏洞

Python Install Manager is an open-source installation management tool for Python. Python Install Manager has a security vulnerability that stems from including the current working directory in the sys.path, which may allow malicious modules to be imported from a directory controlled by the attack...

PT-2026-29576

Name of the Vulnerable Software and Affected Versions Himmelblau versions 2.0.0-alpha through 2.3.8 and 3.0.0-alpha through 3.1.0 Description Himmelblau, an interoperability suite for Microsoft Azure Entra ID and Intune, contains a conditional local privilege escalation issue due to an edge-case...

DesDev DedeCMS 安全漏洞

DesDev DedeCMS is an open-source content management system CMS developed by DesDev Corporation in China. It operates on the PHP platform and offers functions such as content publishing, management, editing, and retrieval. Version 5.7.118 of DesDev DedeCMS contains a security vulnerability, which...

CVE-2026-30643

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload...

CVE-2026-30643

An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload...

PT-2026-29567

🔴 CVE-2026-30643 - Critical An issue was discovered in DedeCMS 5.7.118 allowing attackers to execute code via crafted setup tag values in a module upload. https://t.co/rjHTzSsdI1 https://t.co/y2qo3h5iFP...

ROS-20260401-73-0033

A vulnerability in the createHook function of the asynchooks module of the Node.js software platform is related to uncontrolled recursion. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVE-2026-30643

Summary: CVE-2026-30643 affects DedeCMS 5.7.118 and allows code execution via crafted setup tag values during a module upload. The description consistently states the root cause as the crafted setup tag values leading to remote code execution within the module upload process. The available source...

openssl-encrypt: Dynamic .so loading for Whirlpool uses broad glob pattern without integrity verification

Severity: HIGH Summary The Whirlpool hash implementation in opensslencrypt/modules/registry/hashregistry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity. Affected Code python for sitepkg in...

GHSA-J48Q-4C78-RHF9 openssl-encrypt: Dynamic .so loading for Whirlpool uses broad glob pattern without integrity verification

Severity: HIGH Summary The Whirlpool hash implementation in opensslencrypt/modules/registry/hashregistry.py at lines 570-589 uses glob patterns to find .so modules in site-packages and loads the first match via importlib without verifying module integrity. Affected Code python for sitepkg in...

EUVD-2026-17626

Admidio has CSRF and Form Validation Bypass in Inventory Item Save via imported Parameter...

Arbitrary Code Injection

Overview lodash-amd is a Lodash exported as AMD modules. Affected versions of this package are vulnerable to Arbitrary Code Injection due the improper validation of options.imports key names in .template. An attacker can execute arbitrary code at template compilation time by injecting malicious...

CVE-2026-34383

Admidio is an open-source user management solution. Prior to version 5.0.8, the inventory module's itemsave endpoint accepts a user-controllable POST parameter imported that, when set to true, completely bypasses both CSRF token validation and server-side form validation. An authenticated user ca...