Lucene search

54699 matches found

ATTACKERKB
added 2026/02/22 7:32 a.m., 5 views

CVE-2026-2932

A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/DadPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is...

CVSS 4.8, AI score 3.4, EPSS 0.00218
Exploits 1, References 6, Affected Software 1

Positive Technologies
added 2026/02/22 12:0 a.m., 7 views

PT-2026-21426

A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been...

CVSS 4.8, AI score 3.5, EPSS 0.0023
Exploits 1, References 7

CNNVD
added 2026/02/22 12:0 a.m., 11 views

XOOPS CMS SQL Injection Vulnerability

XOOPS CMS is a modular content management system developed by the XOOPS company. Version XOOPS CMS 2.5.9 has a SQL injection vulnerability. This vulnerability stems from the cid parameter being susceptible to SQL injections, which may allow unverified attackers to manipulate database queries...

CVSS 8.8, AI score 5.8, EPSS 0.00262
Exploits 0, References 4

Positive Technologies
added 2026/02/22 12:0 a.m., 4 views

PT-2026-21421

A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D adManage.php of the component Extended Management Module. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote...

CVSS 4.8, AI score 3, EPSS 0.00198
Exploits 1, References 5

Positive Technologies
added 2026/02/22 12:0 a.m., 4 views

PT-2026-21420

A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is...

CVSS 4.8, AI score 3.3, EPSS 0.00218
Exploits 1, References 7

Microsoft CVE
added 2026/02/21 12:28 p.m., 3 views

scsi: qla2xxx: Delay module unload while fabric scan in progress

...

CVSS 5.5, AI score 5.9, EPSS 0.00118
Exploits 0

NVD
added 2026/02/21 11:15 a.m., 13 views

CVE-2026-27574

OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, the custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known...

CVSS 9.9, EPSS 0.00504
Exploits 2, References 2

RedhatCVE
added 2026/02/21 7:26 a.m., 6 views

CVE-2026-2825

A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fixhtml of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the...

CVSS 5.1, AI score 3.4, EPSS 0.00248
Exploits 0, References 1

RedhatCVE
added 2026/02/21 7:26 a.m., 5 views

CVE-2026-2819

A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely...

CVSS 6.5, AI score 6.1, EPSS 0.00253
Exploits 0, References 1

Positive Technologies
added 2026/02/21 12:0 a.m., 7 views

PT-2026-21362

ASN.1 TypeScript ESM library, including codecs for Basic Encoding Rules (BER) and Distinguished Encoding Rules (DER). In versions 11.0.5 and below, in some cases, decoding an INTEGER could leak the underlying ArrayBuffer. This issue is expected to be fixed in version 11.0.6...

CVSS 9.2, AI score 5.4, EPSS 0.0026
Exploits 0, References 2

OSV
added 2026/02/20 11:16 p.m., 4 views

CVE-2026-2042

Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8, AI score 6.4, EPSS 0.05517
Exploits 0, References 2

NVD
added 2026/02/20 11:16 p.m., 4 views

CVE-2026-2042

Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

CVSS 8.8, EPSS 0.05517
Exploits 0, References 2

Vulnrichment
added 2026/02/20 10:54 p.m., 5 views

CVE-2018-25158 Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute...

CVSS 8.8, AI score 6, EPSS 0.00376
Exploits 0, References 3

Cvelist
added 2026/02/20 10:54 p.m., 23 views

CVE-2018-25158 Chamilo LMS 1.11.8 Arbitrary File Upload via elfinder

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute...

CVSS 8.8, EPSS 0.00376
Exploits 0, References 3

CVE
added 2026/02/20 10:54 p.m., 10 views

CVE-2018-25158

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability in the elfinder filemanager module. Authenticated users can upload files (with image headers) in the social myfiles area, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files. Impact is high fo...

CVSS 8.8, AI score 6.1, EPSS 0.00376
Exploits 0, References 3

CVE
added 2026/02/20 10:21 p.m., 18 views

CVE-2026-2042

Nagios Host monitoringwizard Command Injection (CVE-2026-2042) affects Nagios Host installations. The flaw is in the monitoringwizard module where a user-supplied string is not properly validated before being used in a system call, allowing an attacker to execute arbitrary code with the service a...

CVSS 8.8, AI score 7.8, EPSS 0.05517
Exploits 0, References 2, Affected Software 1

Metasploit
added 2026/02/20 6:55 p.m., 332 views

Windows Registry Active Setup Persistence

This module will register a payload to run via the Active Setup mechanism in Windows. Active Setup is a Windows feature that runs once per user at login. It triggers in a user context, losing privileges from admin to user. Active Setup will open a popup box with "Personalized Settings" and the te...

AI score 6.1
Exploits 0

OSV
added 2026/02/20 6:24 p.m., 6 views

GHSA-83PF-V6QQ-PWMR Fickling has a detection bypass via stdlib network-protocol constructors

Our assessment: smtplib, imaplib, ftplib, poplib, telnetlib, and nntplib were added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade). The UnusedVariables heuristic works as expected. Original report. Summary: Fickling's checksafety...

CVSS 2.3, AI score 5.9
Exploits 0, References 4

NVD
added 2026/02/20 5:25 p.m., 5 views

CVE-2025-15582

A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The...

CVSS 8.1, EPSS 0.00348
Exploits 1, References 6

OSV
added 2026/02/20 2:26 p.m., 2 views

CLSA-2026-1771597605 Fix CVE(s): CVE-2025-15367

SECURITY UPDATE: defect in poplib module, when passed a user-controlled command, commands can be injected using newlines - debian/patches/CVE-2025-15367.patch: Fix command injection by rejecting commands containing control characters - CVE-2025-15367...

CVSS 5.9, AI score 7.1, EPSS 0.00315
Exploits 0, References 1