20 matches found
CVE-2026-40023
Apache Log4cxx's XMLLayout (https://logging.apache.org/log4cxx/1.7.0/classlog4cxx11xml11XMLLayout.html), in versions before 1.7.0, fails to sanitize characters forbidden by the XML 1.0 specification (https://www.w3.org/TR/xml/charsets) in log messages, NDC, and MDC property keys and values, producin...
CVE-2026-35577
CVE-2026-35577 affects Apollo MCP Server (GraphQL/MCP) prior to v1.7.0 where Host header validation was missing for HTTP StreamableHTTP transport. This could allow a local user running the MCP server on localhost to be influenced by a malicious site via DNS rebinding, bypassing same-origin policy...
CVE-2026-33903
Ella Core (private 5G core) is affected by CVE-2026-33903. Versions prior to 1.7.0 panic when processing a specially crafted NGAP LocationReport message, allowing an attacker to crash the process and cause service disruption for all connected subscribers. The fix is included in version 1.7.0, whi...
Ella Core code issue vulnerability
Ella Core is an open-source solution developed by Ella Networks for use in private networks as a 5G core network solution. Versions of Ella Core prior to 1.7.0 contained code vulnerabilities. These vulnerabilities stemmed from kernel crashes that occurred when processing specially crafted NGAP...
CVE-2026-4393
Cross-Site Request Forgery (CSRF) vulnerability in Drupal Automated Logout allows Cross Site Request Forgery. This issue affects Automated Logout: from 0.0.0 before 1.7.0, from 2.0.0 before 2.0.2...
Drupal Unpublished Node Permissions security vulnerability
Drupal Unpublished Node Permissions is an extension developed by Drupal Corporation that allows for controlling access to unpublished content. Versions of Drupal Unpublished Node Permissions prior to 1.7.0 contained security vulnerabilities; these vulnerabilities were due to improper authorizatio...
PT-2026-6729
Name of the Vulnerable Software and Affected Versions: Mattermost Confluence plugin versions prior to 1.7.0. Description: The Mattermost Confluence plugin does not properly sanitize user-controlled display names when rendering HTML templates. This allows authenticated Confluence users with malicious...
CVE-2025-68477 Langflow vulnerable to Server-Side Request Forgery
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, an...
Langflow security vulnerability
Langflow is an open source visualization framework by Langflow for building multi-agent and RAG applications. A security vulnerability exists in Langflow versions prior to 1.7.0 that stems from the API Request component not blocking private IP ranges and cloud metadata endpoints, which could lead to...
CVE-2025-24404
XML injection leading to RCE when parsing an HTTP sitemap XML response in Apache HertzBeat. The attacker needs an authenticated account with access and must add a monitor that is parsed as XML; specially crafted returned content can then trigger the XML parsing vulnerability. This issue affects Apache HertzBeat incubatin...
CVE-2025-3414
The Structured Content (JSON-LD) wpsc WordPress plugin before 1.7.0 does not validate and escape some of its block options before outputting them back in a page/post where the block is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
CVE-2025-3414
CVE-2025-3414 affects WordPress plugin Structured Content (JSON-LD) for the wpsc block, vulnerable before 1.7.0. The issue is that block options are not consistently validated/escaped before being output in a page/post where the block is embedded, enabling stored XSS by users with contributor rol...
TxtDot security vulnerability
TxtDot is an HTTP proxy from TxtDot Open Source. A security vulnerability exists in TxtDot versions prior to 1.7.0. A remote attacker can exploit this vulnerability to send an HTTP GET request to an arbitrary target using the server as a proxy and retrieve information from an internal network...
JOBE command injection vulnerability
JOBE is a server for running small programming jobs in various programming languages, written by the individual developer Richard Lobb. A command injection vulnerability exists in JOBE versions prior to 1.7.0, which originates in the function runinsandbox in the file application/libraries/LanguageTask.php,...
WordPress plugin cross-site request forgery vulnerability
Patreon is a subscription-based crowdfunding platform and Patreon WordPress is a WordPress plugin for the platform. A cross-site request forgery vulnerability exists in Patreon WordPress versions prior to 1.7.0. An attacker can exploit this vulnerability by tricking an administrator into visiting...
WordPress feed-them-social plugin cross-site scripting vulnerability
WordPress is a blogging platform from the WordPress Software Foundation, developed in the PHP language, which supports personal blog sites on servers with PHP and MySQL. A cross-site scripting vulnerability exists in the Facebook Feeds Load More button in versions of the WordPress...
DEBIAN-CVE-2010-3073
SSLCipher.cpp in EncFS before 1.7.0 does not properly handle integer data sizes when constructing headers intended for randomization of initialization vectors, which makes it easier for local users to obtain sensitive information by defeating cryptographic protection mechanisms...
PT-2009-6684 · Industrial Light & Magic +1 · Openexr +1
Name of the Vulnerable Software and Affected Versions: OpenEXR versions 1.2.2 through 1.6.1; OpenEXR versions prior to 1.7.0. Description: The decompression implementation in the Imf::hufUncompress function allows context-dependent attackers to cause a denial of service or possibly execute arbitrar...