Cryptocurrency Widgets Pack <= 1.8.1 - SQL Injection

Cryptocurrency Widgets Pack Plugin =1.8.1 for WordPress contains an unauthenticated SQL injection caused by unsanitized user input in database queries, letting attackers execute arbitrary SQL commands, exploit requires no authentication. id: CVE-2022-44588 info: name: Cryptocurrency Widgets Pack ...

News & Blog Designer Pack – WordPress Blog Plugin <= 3.4.1 - Unauthenticated Local File Inclusion

The News & Blog Designer Pack WordPress plugin up to version 3.4.1 contains a remote code execution caused by local file inclusion in the bdpgetmorepost function, letting unauthenticated attackers include arbitrary PHP files, exploit requires AJAX request with crafted POST data. id: CVE-2023-5815...

Ruby on Rails - Open Redirect via Host Header Injection

Ruby on Rails action pack before 6.1.2.1, 6.0.3.5 contains an open redirect caused by special crafted Host headers in combination with allowed host formats, letting attackers redirect users to malicious websites, exploit requires attacker to control Host headers. id: CVE-2021-22881 info: name: Ru...

EUVD-2026-38387

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter constructor uses default serializer options, which resolve to MessagePackSerializerOptions.Standard with MessagePackSecurity.TrustedData. The formatter is designed for...

EUVD-2026-38386

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed...

EUVD-2026-38384

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack...

EUVD-2026-38382

MessagePack for C is a MessagePack serializer for C. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining...

Astra Linux – Vulnerability in Rails

Action Pack is a framework for handling and responding to web requests. Under certain circumstances, response bodies may not be closed properly. If a response does not notify the system of a close operation, ActionDispatch::Executor will not know to reset the thread local state for the next...

EUVD-2026-37591

Contributor Local File Inclusion in Element Pack Pro = 9.0.6 versions...

ROOT-APP-MAVEN-CVE-2025-68390 CVE-2025-68390 in io.root.org.elasticsearch.plugin:x-pack-core - Patched by Root

Root has patched CVE-2025-68390 in the io.root.org.elasticsearch.plugin:x-pack-core package for Root:Maven. Multiple fixed versions available...

ROOT-APP-MAVEN-CVE-2025-68384 CVE-2025-68384 in io.root.org.elasticsearch.plugin:x-pack-security - Patched by Root

Root has patched CVE-2025-68384 in the io.root.org.elasticsearch.plugin:x-pack-security package for Root:Maven. Multiple fixed versions available...

CVE-2026-40721

Contributor Local File Inclusion in Element Pack Pro = 9.0.6 versions...

CVE-2026-40721 WordPress Element Pack Pro plugin <= 9.0.6 - Local File Inclusion vulnerability

Contributor Local File Inclusion in Element Pack Pro = 9.0.6 versions...

CVE-2026-40721

CVE-2026-40721 affects WordPress Element Pack Pro plugin, &lt;= 9.0.6, with a Local File Inclusion vulnerability. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) yields a base score of 7.5 (HIGH). Exploitation is reported as network-based with high attack complexity and requires no user...

Security Bulletin: IBM WebSphere Application Server is affected by remote code execution (CVE-2026-9311, CVE-2026-9330)

Summary IBM WebSphere Application Server is affected by remote code execution. Vulnerability Details CVEID:CVE-2026-9330 DESCRIPTION: IBM WebSphere Application Server 9.0, and 8.5 is affected by an improper validation of user-supplied data during deserialization using the SAML Web Single Sign-On...

SUSE CVE-2026-47734

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...

CVE-2026-47734

A flaw was found in Dulwich, a pure-Python implementation of Git file formats and protocols. A remote attacker with push access to a Dulwich-based Git server could send a specially crafted thin pack. This crafted pack, with a manipulated delta header, would cause the server to allocate excessive...

CVE-2026-47734 Dulwich has unbounded memory allocation in receive-pack from crafted thin packs

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...

EUVD-2026-36193

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...

CVE-2026-47734 Dulwich has unbounded memory allocation in receive-pack from crafted thin packs

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack 174 bytes whose delta header declares a huge destsize. When dulwich ingested it via addthinpack /...