EUVD-2026-39392

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005...

phpMyChat-Plus 1.98 - Cross-Site Scripting

phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmcusername parameter of passreset.php in password reset URL. id: CVE-2019-19908 info: name: phpMyChat-Plus 1.98 - Cross-Site Scripting author: madrobot severity: medium description: | phpMyChat-Plus 1.98 contains a cross-site...

Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration

Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration CVE-2022-28987. The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames. id: CVE-2022-28987 info: name: Zoho ManageEngine ADSelfServi...

Plus Addons for Elementor Page Builder < 4.1.10 - Open Redirect

WordPress Plus Addons for Elementor Page Builder before 4.1.10 did not validate a redirect parameter on a specifically crafted URL before redirecting the user to it, leading to an open redirect issue. id: CVE-2021-24358 info: name: Plus Addons for Elementor Page Builder 4.1.10 - Open Redirect...

WordPress The Plus Addons for Elementor <4.1.12 - Cross-Site Scripting

WordPress The Plus Addons for Elementor plugin before 4.1.12 is susceptible to cross-site scripting. The plugin does not properly sanitize some of its fields in the heplusmorepost AJAX action, which is exploitable by both unauthenticated and authenticated users. An attacker can inject arbitrary...

The Plus Addons for Elementor Page Builder < 4.1.7 - Authentication Bypass

The Plus Addons for Elementor plugin before version 4.1.7 allowed attackers to bypass authentication, gain admin access, and create accounts with elevated roles, even when registration was disabled and the Login widget was inactive. id: CVE-2021-24175 info: name: The Plus Addons for Elementor Pag...

AJ-Report < 1.4.1 - Remote Code Execution

AJ-Report before version 1.4.1 is affected by an authentication bypass vulnerability. A remote and unauthenticated attacker can append ";swagger-ui" to HTTP requests to bypass authentication and execute arbitrary Java code on the victim server through script engine injection in the validation rul...

ionCube Tester Plus <= 1.3 - Local File Inclusion

The ionCube Tester Plus plugin for WordPress versions = 1.3 is vulnerable to unauthenticated arbitrary file read via path traversal. The 'ininame' parameter in loader-wizard.php is not properly sanitized, allowing attackers to read sensitive files such as wp-config.php and /etc/passwd without...

Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution

Zoho ManageEngine ADSelfService Plus version 6113 and prior are vulnerable to a REST API authentication bypass vulnerability that can lead to remote code execution. id: CVE-2021-40539 info: name: Zoho ManageEngine ADSelfService Plus v6113 - Unauthenticated Remote Command Execution author:...

JSONPath Plus < 10.3.0 - Remote Code Execution

Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution RCE due to improper input sanitization. An attacker can execute aribitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for...

Zoho ManageEngine - Access Control Bypass

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize via the ../RestAPI...

NETGEAR ProSAFE Plus - Unauthenticated Remote Code Execution

NETGEAR ProSAFE Plus before 2.6.0.43 is susceptible to unauthenticated remote code execution. Any HTML page is allowed as a valid endpoint to submit POST requests, allowing debug action via the submitId and debugCmd parameters. The problem is publicly exposed in the login.html webpage, which has ...

Malicious code in normalize-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675 On import, normalize-plus's top-level initPlugin performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates...

MAL-2026-6399 Malicious code in normalize-plus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a8d9638f9c3f81ac15972cf2ff227b2d426a72c5e37035e54402648fe8120675 On import, normalize-plus's top-level initPlugin performs an HTTP GET against https://jsonkeeper.com/b/CI3HT, parses the JSON response, and evaluates...

CVE-2026-11374

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover...

CVE-2026-11374 Account Takeover via Predictable SSO Ticket Generation

In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover...

Zoho ManageEngine ADAudit Plus <7600 - XML Entity Injection/Remote Code Execution

Zoho ManageEngine ADAudit Plus before version 7060 is vulnerable to an unauthenticated XML entity injection attack that can lead to remote code execution. id: CVE-2022-28219 info: name: Zoho ManageEngine ADAudit Plus 7600 - XML Entity Injection/Remote Code Execution author: dwisiswant0 severity:...

PT-2026-51487

Name of the Vulnerable Software and Affected Versions ADSelfService Plus versions prior to 6529 RecoveryManager Plus versions prior to 6321 M365 Manager Plus versions prior to 4817 ADAudit Plus versions prior to 8703 Description In ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and...

CVE-2025-4994 Authentication Bypass for SafeLine SL6 and SL6+

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy BLE interface...

EUVD-2025-210297

The SafeLine SL6 and SL6+ devices integrated into elevator emergency intercom systems are vulnerable to an authentication bypass. This vulnerability allows attackers to bypass authentication requirements and access the device's configuration service via the Bluetooth Low Energy BLE interface...