Lucene search

49 matches found

ATTACKERKB
added 2026/05/07 3:01 a.m. | 2 views

CVE-2026-42194

Admidio is an open-source user management solution. Prior to version 5.0.9, the incomplete SSRF fix in Admidio's fetchmetadata.php validates the resolved IP address but passes the original hostname-based URL to curlinit, leaving a DNS rebinding TOCTOU window that allows redirecting requests to...

CVSS 6.8 | AI score 5.7 | EPSS 0.00037
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/05/07 2:58 a.m. | 4 views

CVE-2026-41658 Admidio: Missing Authorization on Inventory Module Destructive Endpoints Allows Any Authenticated User to Delete Items

Admidio is an open-source user management solution. Prior to version 5.0.9, the Admidio inventory module enforces authorization for destructive operations (delete, retire, reinstate) only in the UI layer by conditionally rendering buttons. The backend POST handlers at modules/inventory.php for...

CVSS 6.5 | AI score 5.7 | EPSS 0.00011
Exploits: 0 | References: 2
EUVD
added 2026/05/07 2:58 a.m. | 5 views

EUVD-2026-28266

Admidio is an open-source user management solution. Prior to version 5.0.9, the contactsdata.php endpoint uses a weaker permission check (isAdministratorUsers, requiring only roledituser=true) than the frontend UI contacts.php, which correctly requires the stronger isAdministrator, requiring...

CVSS 4.9 | AI score 5.8 | EPSS 0.00013
Exploits: 0 | References: 2
Cvelist
added 2026/05/07 2:58 a.m. | 35 views

CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read

Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type (HTML encoding), allowing path traversal characters (../) to pass through unfiltered. Combined with the absence of CSRF...

CVSS 4.5 | EPSS 0.00011
Exploits: 0 | References: 2
Snyk
added 2026/04/29 9:53 p.m. | 4 views

Improper Check for Unusual or Exceptional Conditions

Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Improper Check for Unusual or Exceptional Conditions in the stopMembership function. An attacker can cause a denial of administrative...

CVSS 6.9 | AI score 5.8 | EPSS 0.00012
Exploits: 0 | References: 2
RedhatCVE
added 2026/04/10 1:23 a.m. | 4 views

CVE-2026-39629

Improper Neutralization of Script-Related HTML Tags in a Web Page ('Basic XSS') vulnerability in kutethemes Uminex (uminex) allows Code Injection. This issue affects Uminex: from n/a through <= 1.0.9...

CVSS 5.3 | AI score 5.9 | EPSS 0.00056
Exploits: 0 | References: 1
Patchstack
added 2026/04/09 9:45 p.m. | 3 views

WordPress Advanced CF7 DB plugin <= 2.0.9 - Cross-Site Request Forgery to Form Entry Deletion vulnerability

Cross-Site Request Forgery to Form Entry Deletion vulnerability discovered by Kai Aizen in WordPress Plugin Advanced Contact form 7 DB versions <= 2.0.9...

CVSS 5.4 | AI score 5.9 | EPSS 0.00014
Exploits: 0 | References: 1 | Affected Software: 1
RedhatCVE
added 2026/01/24 3:18 p.m. | 3 views

CVE-2026-24544

Missing Authorization vulnerability in Harmonic Design HD Quiz (hd-quiz) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9...

CVSS 4.3 | AI score 5.4 | EPSS 0.00046
Exploits: 0 | References: 1
RedhatCVE
added 2026/01/10 5:41 a.m. | 3 views

CVE-2025-67933

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder (taskbuilder) allows Reflected XSS. This issue affects Taskbuilder: from n/a through <= 4.0.9...

CVSS 7.1 | AI score 5.9 | EPSS 0.00025
Exploits: 0 | References: 1
Cvelist
added 2026/01/08 9:17 a.m. | 22 views

CVE-2025-67922 WordPress Grand Restaurant theme < 7.0.9 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Restaurant (grandrestaurant) allows Reflected XSS. This issue affects Grand Restaurant: from n/a through 7.0.9...

CVSS 7.1 | EPSS 0.00025
Exploits: 0 | References: 1
EUVD
added 2025/11/06 6:32 p.m. | 2 views

EUVD-2025-38141

Missing Authorization vulnerability in kamleshyadav Miraculous (miraculous) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Miraculous: from n/a through 2.0.9...

AI score 6.5 | EPSS 0.00063
Exploits: 0 | References: 2
OSV
added 2025/11/02 7:50 p.m. | 2 views

MAL-2025-49318 Malicious code in stark-recurser (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector (54520ff73a8cd962cb9ab3db426b6c93987e6b616edf752e0e5f6f346293af1b): The package stark-recurser was found to contain malicious code. Source: ossf-package-analysis...

AI score 7.2
Exploits: 0
Cvelist
added 2025/10/22 2:32 p.m. | 8 views

CVE-2025-60208 WordPress Advanced Custom Fields : CPT Options Pages plugin <= 2.0.9 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery (CSRF) vulnerability in Tusko Trush Advanced Custom Fields : CPT Options Pages (acf-cpt-options-pages) allows Object Injection. This issue affects Advanced Custom Fields : CPT Options Pages: from n/a through <= 2.0.9...

CVSS 8.8 | EPSS 0.0002
Exploits: 0 | References: 1
CVE
added 2025/09/22 6:25 p.m. | 6 views

CVE-2025-53459

CVE-2025-53459 is rejected by the CVE Numbering Authority and does not represent an active vulnerability entry.

AI score 5.6
Exploits: 0
CVE
added 2025/09/09 4:25 p.m. | 25 views

CVE-2025-39553

CVE-2025-39553 (Church Admin plugin) details: A Missing Authorization vulnerability affects WordPress Church Admin instances using versions from unknown up to 5.0.9. The CVE entry indicates potential unauthorized access leading to data exposure (the vulnerability is categorized as Missing Author...

CVSS 4.3 | AI score 7.2 | EPSS 0.00058
Exploits: 0 | References: 1
Vulnrichment
added 2025/09/09 4:25 p.m. | 1 view

CVE-2025-39553 WordPress Church Admin plugin <= 5.0.9 - Sensitive Data Exposure vulnerability

Missing Authorization vulnerability in andymoyle Church Admin. This issue affects Church Admin: from n/a through 5.0.9...

CVSS 4.3 | AI score 6.5 | EPSS 0.00058
Exploits: 0 | References: 1
CVE
added 2025/09/05 4:17 p.m. | 13 views

CVE-2025-58628

CVE-2025-58628 refers to a SQL injection vulnerability in the WordPress theme Miraculous (versions before 2.0.9). The issue is caused by improper neutralization of special elements in SQL commands, enabling blind SQL injection. Public writeups and vulnerability feeds confirm affected software as ...

CVSS 9.3 | AI score 5.9 | EPSS 0.00059
Exploits: 0 | References: 1
SUSE CVE
added 2025/07/28 11:29 p.m. | 1 view

SUSE CVE-2025-29918

Suricata is a network Intrusion Detection System, Intrusion Prevention System and Network Security Monitoring engine. A PCRE rule can be written that leads to an infinite loop when a negated PCRE is used. The packet processing thread becomes stuck in an infinite loop, limiting visibility and availability i...

CVSS 5.5 | AI score 6.8 | EPSS 0.00064
Exploits: 0 | References: 2
CNNVD
added 2025/07/07 12:00 a.m. | 3 views

MongoDB Server Security Vulnerability

MongoDB Server is an open source NoSQL database from the US company MongoDB. It provides collection-oriented storage, dynamic queries, data replication, automatic failover and other functions. A security vulnerability exists in MongoDB Server versions prior to 6.0.23,...

CVSS 7.5 | AI score 6.5 | EPSS 0.00256
Exploits: 0 | References: 2
RedhatCVE
added 2025/05/23 9:35 a.m. | 7 views

CVE-2024-22889

Due to incorrect access control in Plone version 6.0.9, remote attackers can view and list all files hosted on the website by sending a crafted request...

CVSS 7.5 | AI score 6.8 | EPSS 0.00554
Exploits: 0 | References: 1