Improper Validation of Array Index

Overview Magick.NET-Q16-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Improper Validation of Array Index

Overview Magick.NET-Q8-x86 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Improper Validation of Array Index

Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...

Improper Validation of Array Index

Overview Magick.NET-Q16-x64 is a Magick.NET allows you can use ImageMagick without having to install ImageMagick on your server or desktop. More information about specific builds see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package are...

Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API

Security Advisory: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API Affected Software: Budibase Affected Component: packages/server/src/api/controllers/view/viewBuilder.ts, packages/server/src/api/routes/view.ts CWE: CWE-94 Improper Control of Generation of Code...

Arbitrary Code Injection

Overview @budibase/server is a Budibase Web Server Affected versions of this package are vulnerable to Arbitrary Code Injection via the calculation parameter in the V1 Views API, which is interpolated directly into a CouchDB reduce function without validation. An attacker can execute arbitrary...

Regular Expression Denial of Service (ReDoS)

Overview multiparty is a multipart/form-data parser which supports streaming Affected versions of this package are vulnerable to Regular Expression Denial of Service ReDoS via the Content-Disposition filename parameter parsing. An attacker can cause excessive resource consumption and block the...

NPM: multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

NPM: multiparty vulnerable to Denial of Service via Uncaught Exception in filename parameter parsing vulnerability discovered by ? in WordPress Npm multiparty versions = 4.2.3...

GHSA-XH3C-6GCQ-G4RV multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing

Impact [email protected] and lower versions are vulnerable to denial of service via uncaught exception. By sending a multipart/form-data request with a Content-Disposition: filename=utf-8'' header containing a malformed percent-encoding e.g., %FF, %GG, the parser invokes decodeURI on the value...

Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover

Summary The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a element of the embedded logo.svg, allowing an attacker to close the style block an...

GHSA-Q2PJ-8V84-9MH5 Arcane Backend: Unauthenticated reflected XSS via SVG color parameter enables admin account takeover

Summary The unauthenticated GET /api/app-images/logo endpoint reflects a user-supplied color query parameter into the body of an SVG document via strings.ReplaceAll with no escaping. The substitution lands inside a element of the embedded logo.svg, allowing an attacker to close the style block an...

CVE-2020-37242

Supsystic Ultimate Maps 1.1.12 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'sidx' GET parameter. Attackers can send crafted requests to the getListForTbl action with boolean-based blind or...

Insertion of Sensitive Information Into Sent Data

Overview n8n-mcp is an Integration between n8n workflow automation and Model Context Protocol MCP Affected versions of this package are vulnerable to Insertion of Sensitive Information Into Sent Data in the telemetry sanitization process in event-validator.ts. An operator with access to the...

SUSE-SU-2026:1954-1 Security update for perl-Crypt-URandom

This update for perl-Crypt-URandom fixes the following issue: - CVE-2026-2474: negative length parameter in the XS function can lead to a heap-based buffer overflow bsc1258266. Changes for perl-Crypt-URandom: - updated to 0.550.0 0.55 - Fix for sysread/read failures. Thanks to Miha Purg for GH20 ...

CVE-2026-6381

The WP Maps WordPress plugin before 4.9.3 does not properly sanitize a parameter before using it in a file path, allowing authenticated users to perform Local File Inclusion attacks...

CVE-2026-6495 Ajax Load More < 7.8.4 - Reflected XSS

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2026-6495

The CVE-2026-6495 entry concerns the Ajax Load More WordPress plugin and a Reflected XSS vulnerability in versions before 7.8.4 , caused by failure to sanitize/escape a parameter before output . This could affect high-privilege accounts (e.g., admins) if an attacker can induce the vulnerable para...

CVE-2026-6495

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2026-8777

A vulnerability was found in Edimax BR-6428NS 1.10. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. Performing a manipulation of the argument stadrvssid results in command injection. The attack can be initiated remotely. T...

CVE-2026-8776

Edimax BR-6428NS v1.10 is affected by CVE-2026-8776 due to a buffer overflow in POST Request Handler’s formPPTPSetup (pptpUserName). The issue can be exploited remotely; public exploit exists and exploit maturity is PROOF-OF-CONCEPT. Vendor did not respond to disclosure. CVSS metrics indicate HIG...