WordPress plugin coreActivity 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

PT-2026-40817

Name of the Vulnerable Software and Affected Versions SQLBot versions prior to 1.8.0 Description An Insecure Direct Object Reference IDOR and authorization bypass issue exists in the '/api/v1/datasource/exportDsSchema' and '/api/v1/datasource/uploadDsSchema' endpoints. This allows an attacker to...

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from sandbox boundary violations. During...

PT-2026-40557

The Cost Calculator Builder plugin for WordPress is vulnerable to Unauthenticated Price Manipulation and Insecure Direct Object Reference IDOR in all versions up to, and including, 4.0.1 only when used in combination with Cost Calculator Builder PRO. This is due to the ccb woocommerce payment AJA...

ROS-20260513-73-0019

Vulnerability in lxd due to insufficient control over modification of dynamically defined object characteristics. Exploitation of the vulnerability could allow an attacker acting remotely to execute arbitrary code...

Linux Distros Unpatched Vulnerability : CVE-2026-8161

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - [email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a field name that...

CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

CVE-2026-44341

Summary: CVE-2026-44341 affects the GoJobs REST API (Job Board) and stems from an insecure direct object reference in the job retrieval endpoint. The endpoint allows unauthenticated access by manipulating object identifiers, due to missing authentication and authorization checks. Impact (as state...

CVE-2026-44341 GoJobs: Insecure Direct Object Reference (IDOR) in Job Retrieval Endpoint

GoJobs is a REST API for a Job Board platform. The application exposes a job retrieval endpoint that allows unauthenticated users to access job details by directly manipulating object identifiers. The endpoint lacks proper authentication and authorization checks, resulting in unauthorized access ...

UltraJSON has a Memory Leak in ujson.dump() on Write Failure

Summary When ujson.dump writes to a file-like object and the write operation raises an exception, the serialized JSON string object is not decremented, leaking memory. Each failed write operation leaks the full size of the serialized payload. Code that uses ujson.dumps rather than ujson.dump or...

Missing Release of Memory after Effective Lifetime

Overview ujson is an Ultra fast JSON encoder and decoder for Python Affected versions of this package are vulnerable to Missing Release of Memory after Effective Lifetime in the objToJSONFile function in objToJSON.c, when a write operation to a file-like object fails and raises an exception. An...

CVE-2026-44011

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...

CVE-2026-44011 Craft CMS: Potential authenticated Remote Code Execution via malicious attached Behavior

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...

CVE-2026-44011

Craft CMS versions 4.0.0–4.17.11 and 5.0–5.9.17 contain an input-handling flaw in a Yii object creation path that lets an authenticated user inject malicious configuration and execute arbitrary commands. The issue arises because the request-controlled field layouts data is converted into a live F...

CVE-2026-44011

Craft CMS is a content management system CMS. From 4.0.0 to before 4.17.12 and 5.9.18, Craft CMS which contains an input-handling flaw in a Yii object creation path that let any authenticated user inject malicious configuration and execute arbitrary commands on the server. The request-controlled...

CVE-2026-42355 NanaZip: Uncontrolled recursion in NanaZip Electron ASAR parser causes stack exhaustion

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the Electron Archive ASAR parser in NanaZip. When opening a crafted .asar file with deeply nested JSON in the header, both nlohmann::json::parse and the handler's...

EUVD-2026-29500

The nexent v1.7.5.2 backend service contains an unauthorized arbitrary storage file deletion vulnerability in its file management API. The DELETE /storage/objectname:path endpoint lacks authentication, authorization, and input validation mechanisms. Unauthenticated remote attackers can send craft...

EUVD-2023-34492

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...

WordPress Tutor LMS – eLearning and online course solution plugin <= 3.9.9 - Insecure Direct Object Reference to Authenticated (Instructor+) Arbitrary Post Deletion vulnerability

Insecure Direct Object Reference to Authenticated Instructor+ Arbitrary Post Deletion vulnerability discovered by molten bit in WordPress Plugin Tutor LMS versions = 3.9.9...

CVE-2023-30059

An insecure direct object reference in MK-Auth 23.01K4.9 allows attackers to access and send support calls for other users via manipulation of the chamado parameter through a crafted GET request...