CVE-2026-9369

CVE-2026-9369 affects NousResearch hermes-agent 2026.4.23, specifically the CLI web-dashboard component. The vulnerability lies in the function _discover_dashboard_plugins within hermes_cli/web_server.py, where manipulating the argument HERMES_ENABLE_PROJECT_PLUGINS causes an incorrect comparison...

WordPress EventPrime plugin <= 4.3.2.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by hhhai in WordPress Plugin EventPrime versions = 4.3.2.1...

WordPress MasterStudy LMS plugin <= 3.7.29 - SQL Injection vulnerability

SQL Injection vulnerability discovered by walow in WordPress Plugin MasterStudy LMS versions = 3.7.29...

Malicious code in tailwind-typography-stylecss (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 273b99f5721643d8ba8335fd73b46b4b32f81406d73f44e7a16552e16b8becd6 Package name 'tailwind-typography-stylecss' impersonates the official '@tailwindcss/typography' plugin; the shipped README is a verbatim copy of the...

CLSA-2026-1779582830 vim: Fix of CVE-2026-46483

CVE-2026-46483: fix command injection in tar plugin Vimuntar when decompressing .tgz archives by passing the special flag to shellescape upstream vim 9.2.0479...

PT-2026-43105

Name of the Vulnerable Software and Affected Versions Roundcube Webmail versions 1.6.x prior to 1.6.16 Roundcube Webmail versions 1.7.x prior to 1.7.1 Description A pre-authentication SQL injection exists in the virtuser query plugin. The issue stems from a backslash escape bypass within the preg...

ROS-20260524-73-0036

A vulnerability in the zip.vim plugin of the vim text editor is related to an incorrect restriction of the path name of a restricted directory. Exploitation of the vulnerability could allow an attacker to execute arbitrary commands...

PT-2026-42929

A security flaw has been discovered in NousResearch hermes-agent 2026.4.23. Affected is the function discover dashboard plugins of the file hermes cli/web server.py of the component CLI web-dashboard Interface. Performing a manipulation of the argument HERMES ENABLE PROJECT PLUGINS results in...

Malicious code in hardhat-gas-analytics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71b0b8dd866d9c1f4516f4e537a2d61ea3cbe87f06b0195a24c0dea76fef44c0 This package typosquats the widely-used hardhat-gas-reporter Hardhat plugin matching its cache filename .hardhatgasreporteroutput.json and replicatin...

EUVD-2018-21872

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entryid POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint...

CVE-2018-25352 WordPress Ultimate Form Builder Lite 1.3.7 SQL Injection via entry_id

WordPress Ultimate Form Builder Lite plugin version 1.3.7 and below contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the entryid POST parameter. Attackers can send POST requests to the admin-ajax.php endpoint...

CVE-2018-25347

The vulnerability affects WordPress WordPress Contact Form Maker Plugin 1.12.20. It exposes SQL injection in the FormMakerSQLMapping and generete_csv_fmc AJAX actions, allowing an authenticated attacker to manipulate database queries via the name and search_labels parameters to potentially extrac...

CVE-2018-25346

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generetecsv actions. Attackers can submit POST requests with malicious SQL payloads in t...

CVE-2018-25346

WordPress Form Maker Plugin ≤ 1.12.24 contains SQL injection via admin-ajax.php (FormMakerSQLMapping, generete_csv). Authenticated attackers can send POST payloads in name/search_labels to manipulate queries, potentially extracting/modifying data or escalating privileges in the WordPress database...

CVE-2018-25346 WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generetecsv actions. Attackers can submit POST requests with malicious SQL payloads in t...

CVE-2018-25346 WordPress Form Maker Plugin 1.12.24 SQL Injection via admin-ajax.php

WordPress Form Maker Plugin 1.12.24 and below contains SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through the FormMakerSQLMapping and generetecsv actions. Attackers can submit POST requests with malicious SQL payloads in t...

[SECURITY] Fedora 42 Update: docker-buildx-0.34.0-1.fc42

Docker CLI plugin for extended build capabilities with BuildKit...

[SECURITY] Fedora 43 Update: docker-buildx-0.34.0-1.fc43

Docker CLI plugin for extended build capabilities with BuildKit...

Malicious code in @zaamx/netme (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ff8cae34ceeb5f691ca4c4f92fbe10d0bc4e6b9eddf081e7c99ab1ee6193c98 This Medusa plugin hardcodes outbound POST requests to https://n8n.lidxi.com/webhook/ in multiple subscribers and admin routes, with no configuration...

Exploit for CVE-2026-6279

CVE-2026-6279 Avada Builder = 3.15.2 — Unauthenticated RCE v...