CVE-2025-20028

Time-of-check time-of-use race condition in the WheaERST SMM module for some IntelR reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occ...

CVE-2025-20028

CVE-2025-20028 is a TOCTOU race condition in the WheaERST SMM module on some Intel reference platforms that may allow local privilege escalation by a privileged attacker with high attack complexity and no user interaction. Affected software is Intel UEFI/SMM components on various Intel reference ...

CVE-2025-20027

Improper input validation in the UEFI WheaERST module for some IntelR reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local...

CVE-2025-20027

Improper input validation in the UEFI WheaERST module for some IntelR reference platforms may allow an escalation of privilege. System software adversary with a privileged user combined with a high complexity attack may enable escalation of privilege. This result may potentially occur via local...

CVE-2025-20027

CVE-2025-20027: Improper input validation in the UEFI WheaERST module on Intel reference platforms can allow local privilege escalation by a privileged user with high complexity. Affected items are Intel UEFI firmware components; exploitation requires local access and no user interaction. The CVS...

cpython: email header injection due to unquoted newlines

A flaw was found in the email module in the Python standard library. When serializing an email message, the BytesGenerator class fails to properly quote newline characters for email headers. This issue is exploitable when the LiteralHeader class is used as it does not respect email folding rules,...

SQL Injection

Overview limesurvey/limesurvey is a FOSS online survey tool on the web. Affected versions of this package are vulnerable to SQL Injection via the statistics module. An attacker can access sensitive information by injecting malicious SQL statements. Remediation Upgrade limesurvey/limesurvey to...

CVE-2026-28495

GetSimple CMS is a content management system. The massiveAdmin plugin v6.0.3 bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling...

CVE-2026-28495

CVE-2026-28495 affects GetSimple CMS via the bundled massiveAdmin plugin in GetSimpleCMS-CE v3.3.22. The description states an authenticated administrator can overwrite the gsconfig.php configuration file with arbitrary PHP code through the gsconfig editor module, due to lack of CSRF protection. ...

EUVD-2026-10462

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially...

EUVD-2026-10465

Due to an uncontrolled resource consumption Denial of Service vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution th...

EUVD-2026-10463

Due to a missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker with user privileges could read Database Analyzer Log Files via a specific RFC function module. The attacker with the necessary privileges to execute this function module could potentially...

EUVD-2026-10442

Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module to read, modify or insert entries into the database configuration table of the ABAP system. This unauthorized content change could lead to reduced...

EUVD-2026-10445

Due to missing authorization check in SAP NetWeaver Application Server for ABAP, an authenticated attacker could execute specific ABAP function module and read the sensitive information from database catalog of the ABAP system. This vulnerability has low impact on the application's confidentialit...

GO-2026-4624 Gokapi has CSRF in Login Endpoint in github.com/forceu/gokapi

Gokapi has CSRF in Login Endpoint in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners, please suggest an edi...

GO-2026-4573 ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel

ZITADEL's truncated opaque tokens are still valid in github.com/zitadel/zitadel. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...

CVE-2026-30978 Heap-use-after-free in CIccCmm::AddXform()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-use-after-free in CIccCmm::AddXform causing invalid vptr dereference and crash. This vulnerability is fixed in 2.3.1.5...

CVE-2026-30918

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , a reflected XSS occurs when an application receives data from an untrusted source and uses it in its HTTP responses in a way that could lead to vulnerabilities. It is possible to inject malicious...

CVE-2026-30919

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS also known as persistent or second-order XSS occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. Thi...

CVE-2026-27689

Due to an uncontrolled resource consumption Denial of Service vulnerability, an authenticated attacker with regular user privileges and network access can repeatedly invoke a remote-enabled function module with an excessively large loop-control parameter. This triggers prolonged loop execution th...