WordPress plugin Backup and Restore 路径遍历漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-41466

Name of the Vulnerable Software and Affected Versions Fuel CMS version 1.4.13 Description Authenticated attackers can manipulate database queries by injecting SQL code through the col parameter in the Activity Log interface. By sending requests to the 'logs' endpoint with malicious SQL payloads i...

WordPress plugin Supsystic Ultimate Maps SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

PT-2026-41433

WordPress Plugin Buddypress 6.2.0 contains a persistent cross-site scripting vulnerability that allows authenticated attackers with moderator privileges to inject malicious script code through the figure parameter in wp:html blocks. Attackers can inject iframe elements with event handlers like...

PT-2026-41461

Name of the Vulnerable Software and Affected Versions WP Learn Manager version 1.1.2 Description A stored cross-site scripting issue allows unauthenticated attackers to inject malicious scripts. This is achieved by submitting POST requests to the 'jslm fieldordering' page using the fieldtitle...

WordPress plugin Supsystic Membership SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

PT-2026-41427

HS Brand Logo Slider 2.1 contains an unrestricted file upload vulnerability that allows authenticated users to bypass client-side file extension validation by uploading arbitrary files. Attackers can intercept upload requests to the logoupload parameter in the admin interface and rename files to...

PT-2026-41451

Name of the Vulnerable Software and Affected Versions LayerBB version 1.1.4 Description An SQL injection allows unauthenticated attackers to manipulate database queries by injecting SQL code. This is achieved by sending POST requests to the '/search.php' endpoint using malicious values in the...

PT-2026-41444

Supsystic Membership 1.4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'search' and 'sidx' parameters. Attackers can send GET requests to the badges module with crafted payloads to extract...

PT-2026-41467

Name of the Vulnerable Software and Affected Versions Quick.CMS version 6.7 Description An issue in the sliders form allows authenticated attackers to inject malicious scripts by submitting payloads through the sDescription parameter. This can be achieved by crafting CSRF Cross-Site Request Forge...

PT-2026-41453

Name of the Vulnerable Software and Affected Versions EgavilanMedia PHPCRUD version 1.0 Description An SQL injection allows unauthenticated attackers to manipulate database queries by injecting SQL code. This is achieved by sending POST requests to the 'insert.php' endpoint using the firstname...

PT-2026-41443

Supsystic Pricing Table 1.8.7 contains an SQL injection vulnerability in the 'sidx' GET parameter that allows unauthenticated attackers to execute arbitrary SQL queries through the getListForTbl action. The plugin also contains stored cross-site scripting vulnerabilities in the 'Edit name' and...

OpenSolution Quick.CMS 跨站脚本漏洞

OpenSolution Quick.CMS is a lightweight website content management system developed by the Polish company OpenSolution. Version 6.7 of OpenSolution Quick.CMS contains a cross-site scripting vulnerability. This vulnerability stems from a cross-site scripting flaw in the sliders form, allowing...

Linux Distros Unpatched Vulnerability : CVE-2026-44699

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - LibJWT is a C JSON Web Token Library. From 3.0.0 to 3.3.2, libjwt accepts an RSA JWK that does not contain an alg parameter as the verification key for an...

WordPress plugin WP Learn Manager 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

LayerBB SQL注入漏洞

LayerBB is a set of small-scale forum software. Version 1.1.4 of LayerBB contains an SQL injection vulnerability. This vulnerability stems from SQL injection issues, which may allow unauthenticated attackers to inject SQL code through the searchquery parameter, thereby manipulating database queri...

CVE-2026-45365

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.8.11, an internal-only bypassfilter parameter is exposed on the /openai/chat/completions and /ollama/api/chat HTTP endpoints via FastAPI query string binding, allowing any authenticated...

CVE-2026-45365

Open WebUI suffers a parameter binding flaw: an internal bypass_filter parameter was exposed in the HTTP handlers for /openai/chat/completions and /ollama/api/chat via FastAPI query binding. This allowed any authenticated user to append ?bypass_filter=true and skip the ACL check, enabling access ...

CVE-2026-44554

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...

CVE-2026-44554 Open WebUI: Knowledge Base Destruction and RAG Poisoning via Unauthorized Collection Overwrite

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the POST /api/v1/retrieval/process/web endpoint accepts a user-supplied collectionname and an overwrite query parameter default: True. It performs no authorization check on whether t...