20 matches found
EUVD-2026-42537
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.3.7. This is due to the plugin not properly verifying that a user is authorized to perform an...
EUVD-2026-36887
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot = 1.3.7 versions...
CVE-2026-41237 Froxlor has an incomplete fix for CVE-2026-30932
Froxlor is open source server administration software. In version 2.3.6 and earlier, the LOC record regex uses \s+ which matches newlines allowing embedded newlines to pass, TLSA matchingType=0 has no upper bound on hex data length, and all validators return raw input without zone-file escaping...
CVE-2026-41236 Froxlor has privilege escalation in SSH key synchronization via symlinked `authorized_keys` path
Froxlor is open source server administration software. Version 2.3.6 contains a symlink-following flaw in the root-owned SSH key synchronization path used for customer FTP users. The provisioning code appends public keys to /.ssh/authorizedkeys under a customer-controlled home directory without...
GHSA-8WMW-PRW8-2GGM Craftql vulnerable to Server-Side Request Forgery
Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery SSRF which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file...
EUVD-2026-18903
Kestra is an open-source, event-driven orchestration platform. Prior to version 1.3.7, Kestra default docker-compose deployment contains a SQL Injection vulnerability that leads to Remote Code Execution RCE in the following endpoint "GET /api/v1/main/flows/search". Once a user is authenticated,...
CVE-2025-71281
XenForo before 2.3.7 contains a template method-call restriction bypass. The issue stems from a loose prefix match instead of a strict first-word match for methods accessible via callbacks and variable method calls in templates, potentially allowing unauthorized method invocations. Affected softw...
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function...
CVE-2026-30402
An issue in wgcloud v.2.3.7 and before allows a remote attacker to execute arbitrary code via the test connection function...
CVE-2025-70960
A stored cross-site scripting XSS vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload...
CVE-2025-64723
Summary: Arduino IDE for macOS prior to 2.3.7 had overly permissive security entitlements that could bypass the macOS Hardened Runtime protections, enabling an attacker to inject malicious dynamic libraries into the process and access all TCC permissions granted to the app. Impact (as stated): by...
CVE-2025-67749
PCSX2 is a free and open-source PlayStation 2 PS2 emulator. In versions 2.5.377 and below, an unchecked offset and size used in a memcpy operation inside PCSX2's CDVD SCMD 0x91 and SCMD 0x8F handlers allow a specially crafted disc image or ELF to cause an out-of-bounds read from emulator memory...
CVE-2025-62415 bagisto - Cross Site Scripting (XSS) in TinyMCE Image Upload (HTML)
Bagisto is an open source laravel eCommerce platform. In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges e.g. admin to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the...
PT-2024-36184 · Unknown · Yalla Ya! Simple Payment
Name of the Vulnerable Software and Affected Versions: yalla ya! Simple Payment versions 2.3.7 and earlier Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows for Reflected XSS, where an attacker can...
CVE-2023-7294
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the createmollieprofile function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with subscriber-leve...
WordPress plugin Paytium: Mollie payment forms & donations 安全漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. WordPress plugin is an application plugin that supports personal blogs on PHP and MySQL servers. A security vulnerability exists in the WordPress plugin...
VulnCheck KEV: CVE-2023-7288
The Paytium: Mollie payment forms & donations plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the updateprofilepreference function in versions up to, and including, 4.3.7. This makes it possible for authenticated attackers with...
PT-2024-26963 · Livemesh · Elementor Addons
Name of the Vulnerable Software and Affected Versions: Elementor Addons by Livemesh plugin for WordPress versions up to, and including, 8.3.7 Description: The issue is related to Stored Cross-Site Scripting via the plugin's Marquee Text Widget, Testimonials Widget, and Testimonial Slider widgets...
CVE-2021-35048
Vulnerability in Fidelis Network and Deception CommandPost enables unauthenticated SQL injection through the web interface. The vulnerability could lead to exposure of authentication tokens in some versions of Fidelis software. The vulnerability is present in Fidelis Network and Deception version...
mojarra: Path traversal in ResourceManager.java:getLocalePrefix() via the loc parameter
The getLocalePrefix function in ResourceManager.java in Eclipse Mojarra before 2.3.7 is affected by Directory Traversal via the loc parameter. A remote attacker can download configuration files or Java bytecodes from applications...