MAL-2026-3711 Malicious code in ethers-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 7b57e9cfd1db5527382181f22fbf36f8bbc8cc0df4f701d2b4d6bc7ec7dbc407 The OpenSSF Package Analysis project identified 'ethers-web' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...

EUVD-2026-10195

A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been released to t...

CVE-2025-64645

IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link...

CVE-2025-14138

CVE-2025-14138 : WPLG Default Mail From (WordPress) is vulnerable to Reflected Cross-Site Scripting via $_SERVER['PHP_SELF'] in all versions up to 1.0.0. Affected: WordPress plugin WPLG Default Mail From; exploitation possible by tricking an authenticated? no—un/authenticated user? The descriptio...

CVE-2025-13860 Easy Jump Links Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htags parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

PT-2025-49238

The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

youlai-mall 安全漏洞

youlai-mall is a full-stack mall system by youlaitech open source. A security vulnerability exists in youlai-mall version 1.0.0 and 2.0.0, which stems from a mis-control of dynamically recognized variables in the file /mall-ums/app-api/v1/addresses...

CVE-2025-12586

The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to...

siddheshtea (=1.1.6) potentially affected by unknown CVE via aji-23 (=1.0.0)

aji-23 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on aji-23 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-152062...

siddheshtea (=1.1.6) potentially affected by unknown CVE via nokire-nakala78 (=1.0.0)

nokire-nakala78 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on nokire-nakala78 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-163034...

CVE-2025-11878

The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

Oracle WebLogic Server (October 2025 CPU)

The 12.2.1.4.0, 14.1.1.0.0, and 14.1.2.0.0 versions of WebLogic Server installed on the remote host are affected by multiple vulnerabilities as referenced in the October 2025 CPU advisory. - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware component: Centralized...

CVE-2025-9697 Ajax WooSearch <= 1.0.0 - Unauthenticated SQL Injection

The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

CVE-2025-10196

The Survey Anyplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'surveyanyplaceembed' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

PT-2025-40248

Name of the Vulnerable Software and Affected Versions Fiora chat application version 1.0.0 Description A Cross Site Scripting XSS issue exists in the Fiora chat application. The application allows the execution of arbitrary JavaScript code when malicious SVG files are rendered by other users...

CVE-2025-9944

CVE-2025-9944 affects the Professional Contact Form plugin for WordPress (all versions up to 1.0.0). Root cause: missing/invalid nonce validation in the watch_for_contact_form_submit function, enabling CSRF. Impact: unauthenticated attackers can trigger test emails by tricking an admin into perfo...

Oberon microsystem AG ocrypto library 安全漏洞

Oberon microsystem AG ocrypto library is a cryptographic software library from the Swiss company Oberon. A security vulnerability exists in Oberon microsystem AG ocrypto library versions prior to 1.0.0 through 1.5.1, which stems from a padding predicate attack on the AES-CBC PKCS7 decryption...

My-Blog 安全漏洞

My-Blog is ZHENFENG13 individual developer by SpringBoot + Mybatis + Thymeleaf and other technologies to achieve the Java blog system, page beautiful, full-featured, easy to deploy and perfect code. A security vulnerability exists in My-Blog version 1.0.0, which stems from the lack of protection...

Security Bulletin: Astronomer with IBM is vulnerable to memory consumption and denial of service due to the net/http package (CVE-2021-44716, CVE-2022-27664)

Summary net/http is used by Astronomer with IBM as part of the request processing functionality. Vulnerability Details CVEID:CVE-2021-44716 DESCRIPTION: net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2...

Tenda FH451 formSafeClientFilter Function Buffer Overflow Vulnerability

The Tenda FH451 is a router from the Chinese company Tenda. The Tenda FH451 version 1.0.0.9 suffers from a buffer overflow vulnerability that originates from the parameter Go/page in file /goform/SafeClientFilter that fails to properly validate the length of the input data, which can be exploited...