CVE-2026-1890 LeadConnector < 3.0.22 - Unauthenticated Rest Call
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data...
CVE-2026-1890
CVE-2026-1890 concerns the WordPress plugin LeadConnector prior to 3.0.22. The issue is an unauthenticated REST route that lacks proper authorization, allowing unauthenticated callers to invoke the route and overwrite existing data. The CVSS 3.1 base score is 5.3 (Medium), with network attack vec...
CVE-2026-33183
Saloon is a PHP library for API integrations. CVE-2026-33183 (pre-4.0.0) describes a path-traversal in fixture handling: fixture names could be treated as file paths under the fixture directory, allowing ../ traversal to escape the base directory and read/write arbitrary files if the fixture name...
PT-2026-28216
The LeadConnector WordPress plugin before 3.0.22 does not have authorization in a REST route, allowing unauthenticated users to call it and overwrite existing data...
PT-2026-28382
Name of the Vulnerable Software and Affected Versions Open WebUI versions prior to 0.8.6 Description Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the...
WordPress plugin LeadConnector security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-33222
A flaw was found in NATS-Server, a high-performance messaging system. This vulnerability allows users with JetStream admin API access to restore data from one stream to unintended stream names. This can lead to unauthorized modification or overwriting of data that should have been protected,...
CVE-2026-32647
A flaw was found in NGINX's ngx_http_mp4_module. This Out-of-Bounds Read/Write vulnerability occurs due to improper handling of specially crafted MP4 files. A local authenticated attacker, by supplying a malicious MP4 file, can trigger a buffer over-read or overwrite in worker memory. This can lead ...
Path Traversal
SiYuan is vulnerable to Path Traversal. The vulnerability is due to improper validation of file paths in the importZipMd function, which allows an authenticated attacker to overwrite arbitrary files on the system and potentially achieve remote code execution...
Improper Handling Of Symbolic Links
github.com/argoproj/argo-workflows is vulnerable to Improper Handling Of Symbolic Links. The vulnerability is due to flawed validation in the untar process when resolving symbolic links, which allows an attacker to overwrite critical files such as /var/run/argo/argoexec with a malicious script th...
SUSE CVE-2026-25921
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an LFS object overwritable across different repositories leads to a supply-chain attack: all LFS objects can be maliciously overwritten by attackers. This issue has been patched in version 0.14.2...
SUSE CVE-2026-29111
systemd, a system and service manager, as PID 1 hits an assert and freezes execution when an unprivileged IPC API call is made with spurious data. On version v249 and older the effect is not an assert, but stack overwriting, with the attacker controlled content. From version v250 and newer this i...
SUSE CVE-2026-32647
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affect...
CVE-2026-33330
The CVE-2026-33330 issue affects FileRise (self-hosted web file manager / WebDAV) through the ONLYOFFICE integration. A broken access control flaw allows an authenticated user with read-only privileges to obtain a signed save callback URL for a file and directly forge the ONLYOFFICE save callback...
CVE-2026-33330 FileRise ONLYOFFICE integration allows read-only users to overwrite files via forged save callback
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save...
CVE-2026-33330
FileRise is a self-hosted web file manager / WebDAV server. Prior to version 3.10.0, a broken access control issue in FileRise's ONLYOFFICE integration allows an authenticated user with read-only access to obtain a signed save callbackUrl for a file and then directly forge the ONLYOFFICE save...
CVE-2026-33527
Parse Server is affected; prior to 8.6.57 and 9.6.0-alpha.48, an authenticated user could overwrite server-generated session fields (expiresAt, createdWith) on their own session via the REST API, bypassing the configured session lifetime and making a session effectively permanent. The issue has b...
CVE-2026-32647
NGINX Open Source and NGINX Plus have a vulnerability in the ngx_http_mp4_module module, which might allow an attacker to trigger a buffer over-read or over-write to the NGINX worker memory resulting in its termination or possibly code execution, using a specially crafted MP4 file. This issue affect...