34370 matches found
CVE-2026-33203 SiYuan has an Unauthenticated WebSocket DoS via Auth Keepalive Bypass
SiYuan is a personal knowledge management system. Prior to version 3.6.2, the SiYuan kernel WebSocket server accepts unauthenticated connections when a specific "auth keepalive" query parameter is present. After connection, incoming messages are parsed using unchecked type assertions on...
WordPress Pelicula theme < 1.10 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Denver Jackson in WordPress Theme Pelicula versions 1.10...
EUVD-2026-13772
Frigate is a network video recorder NVR with realtime local object detection for IP cameras. Prior to version 0.16.3, the /ffprobe endpoint accepts arbitrary user-controlled URLs without proper validation, allowing Server-Side Request Forgery SSRF attacks. An attacker can use the Frigate server t...
WordPress Pendulum theme < 3.1.5 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Pendulum versions 3.1.5...
WordPress Vex theme < 1.2.9 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Vex versions 1.2.9...
GHSA-564F-WX8X-878H Vikunja read-only users can delete project background images via broken object-level authorization
Summary The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image. Details The RemoveProjectBackground handler pkg/modules/background/handler/background.g...
WordPress JS Archive List plugin <= 6.1.7 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by daroo in WordPress Plugin JS Archive List versions = 6.1.7...
CVE-2026-33312 Read-only Vikunja users can delete project background images via broken object-level authorization
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
OESA-2026-1657 jtidy security update
JTidy is the Java port for HTML Tidy, which is an HTML syntax checker and a nice printer. JTidy can be used as a tool to clean up misformatted HTML. In addition, JTidy provides a DOM interface to the documents being processed, effectively enabling you to use JTidy as a DOM parser for real HTML...
EUVD-2026-13657
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.This issue affects TotalContest Lite: from n/a through 2.9.1...
CVE-2026-0677
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through = 2.9.1...
SUSE CVE-2025-12044
Vault and Vault Enterprise “Vault” are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for +HCSEC-2025-24+|https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393...
CVE-2026-0677 WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through = 2.9.1...
CVE-2026-0677
CVE-2026-0677 concerns the WordPress plugin TotalContest Lite (
CVE-2026-0677 WordPress TotalContest Lite plugin <= 2.9.1 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite totalcontest-lite allows Object Injection.This issue affects TotalContest Lite: from n/a through = 2.9.1...
CVE-2026-0677
Deserialization of Untrusted Data vulnerability in TotalSuite TotalContest Lite allows Object Injection.This issue affects TotalContest Lite: from n/a through 2.9.1...
BIT-CEPH-2020-1760
A flaw was found in the Ceph Object Gateway, where it supports request sent by an anonymous user in Amazon S3. This flaw could lead to potential XSS attacks due to the lack of proper neutralization of untrusted input...
BIT-CEPH-2020-12059
An issue was discovered in Ceph through 13.2.9. A POST request with an invalid tagging XML can crash the RGW process by triggering a NULL pointer exception...
CVE-2026-32701
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be writte...
CVE-2026-33061 Jexactyl has Stored DOM Cross-Site Scripting (XSS) via unescaped JSON in Blade template
Jexactyl is a customisable game management panel and billing system. Commits after 025e8dbb0daaa04054276bda814d922cf4af58da and before e28edb204e80efab628d1241198ea4f079779cfd inject server-side objects into client-side JavaScript through resources/views/templates/wrapper.blade.php. Using unescap...