4392 matches found
Joomla! Agora 3.0.0b - Local File Inclusion
Joomla! Agora 3.0.0b comagora allows remote attackers to include and execute arbitrary local files via local file inclusion in the action parameter to the avatars page, reachable through index.php. id: CVE-2009-3053 info: name: Joomla! Agora 3.0.0b - Local File Inclusion author: daffainfo severit...
Ghost CMS <=4.32 - Cross-Site Scripting
Ghost CMS 4.0.0 to 4.3.2 contains a DOM cross-site scripting vulnerability. An unused endpoint added during the development of 4.0.0 allows attackers to gain access by getting logged-in users to click a link containing malicious code. id: CVE-2021-29484 info: name: Ghost CMS =4.32 - Cross-Site...
Cacti 1.2.24 - SQL Injection
Cacti is an open source operational monitoring and fault management framework. Affected versions are subject to a SQL injection discovered in graphview.php. Since guest users can access graphview.php without authentication by default, if guest users are being utilized in an enabled state, there...
Rukovoditel <= 3.2.1 - Cross Site Scripting
A stored cross-site scripting XSS vulnerability in the Users Alerts feature /index.php?module=usersalerts/usersalerts of Rukovoditel v3.2.1 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Title parameter after clicking "Add". id:...
MAL-2026-6895 Malicious code in ts-bigtn (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3fe9cda51a9c873f69575fec5aada84c81b0b7e907d060f28d6c6e95dc381911 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in df-vision (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f31f7bc1ea70d57f022adc0005cee3e7e6190a458d9bc57a84b1c2966979db7 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
UBUNTU-CVE-2026-53331
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Avoid ABBA on txlock/ctrl-lock During the SSR/PDR down notification the txlock is taken with the intent to provide synchronization with active DMA transfers. But during this period qcomslimngddown is...
GHSA-CCJC-4QC3-JXQC Incus has an arbitrary file write via path traversal in S3 multipart upload
Summary The S3 protocol upload endpoint is vulnerable to path traversal and allows creation of arbitrary files on the host. This behavior could lead to arbitrary command execution. In internal/server/storage/s3/local/multipart.go, user-controlled upload ID is appended to the uploads directory...
firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.37, Firefox ESR 140.12, Thunderbird ESR 140.12, Firefox 152 and Thunderbird 152
A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Memory safety bugs present in Firefox ESR 115.36, Firefox ESR 140.11, Thunderbird ESR 140.11, Firefox 151 and Thunderbird 151. Some of these bugs showed evidence of memory...
Astra Linux – Vulnerability in Python 3.11
Python-Markdown version 3.8 contains a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Since Python-Markdown does not catch this exception, any application that processes Markdown controlled by...
Improper Verification of Cryptographic Signature
Overview CoreWCF.Primitives is a port of the service side of Windows Communication Foundation WCF to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature...
CVE-2026-56209
An arbitrary address write vulnerability was found in libaom, the reference AV1 codec implementation. A missing bounds check in the SVC Scalable Video Coding layer ID control function allows an attacker to inject an arbitrary pointer into the cyclic refresh map field via crafted image pixel value...
CVE-2026-46847
Vulnerability in the Oracle WebCenter Portal product of Oracle Fusion Middleware component: Runtime Tools. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise Oracle WebCent...
CVE-2026-35307
Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware component: Core. Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle...
Malicious code in @mastra/temporal (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 214be711b41a8883e3252f0e9e41bc902d62da7650334b2efdc7424194989101 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
Exploit for CVE-2026-10795
CVE Lab: CVE-2026-10795 - UpdraftPlus UpdraftCentral RPC Authe...
libtiff: libtiff: Arbitrary code execution or denial of service via signed integer overflow in TIFF file processing
A flaw was found in the libtiff library. A remote attacker could exploit a signed integer overflow vulnerability in the putcontig8bitYCbCr44tile function by providing a specially crafted TIFF file. This flaw can lead to an out-of-bounds heap write due to incorrect memory pointer calculations,...
ImageMagick 资源管理错误漏洞
ImageMagick is a set of open-source image processing software developed by the ImageMagick project. It can read, convert, and write images in various formats. Versions of ImageMagick prior to 6.9.13-50 and 7.1.2-25 contained a resource management vulnerability. This vulnerability stemmed from...
MAL-2026-5376 Malicious code in @doaction/rrweb-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6efd52baa69926a32dbac2a3c5eb53c361935e9a3386d2893bf2d7506ab4dfea @doaction/[email protected] is a dependency-confusion / namespace-impersonation package targeting the rrweb session-recording SDK ecosystem. The...
CVE-2026-46287
A flaw was found in the Linux kernel's txgbe network driver. When removing a module for a copper Network Interface Card NIC with an external physical layer PHY, the driver failed to acquire the necessary RTNL Routing Netlink lock before disconnecting the PHY. This oversight can lead to an RTNL...