NPM: Astro: XSS via Unescaped Attribute Names in Spread Props
NPM: Astro: XSS via Unescaped Attribute Names in Spread Props vulnerability discovered by ? in WordPress Npm astro versions 6.4.6...
PT-2026-43299
Name of the Vulnerable Software and Affected Versions Traccar versions prior to 6.13.0 Description An authorization bypass exists in the GPS tracking system where the 'DeviceResource.uploadImage' endpoint fails to invoke the permissionsService.checkEdit function. While the system uses...
CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
Sparx Systems Sparx Pro Cloud Server Security Vulnerability
Sparx Pro Cloud Server is a modeling and service platform developed by Sparx Systems in Australia. It supports remote access to model repositories and collaborative management. Versions of Sparx Pro Cloud Server prior to version 6.1 contained security vulnerabilities. These vulnerabilities stemme...
CVE-2026-45054
CubeCart is an ecommerce software solution. Prior to 6.7.0, the admin orders-transactions listing page admin.php?g=orders&node=transactions builds a raw ORDER BY SQL fragment from the attacker-controlled $_GET['sort'] array without column or direction validation. Both the column key and the directio...
CVE-2026-39358 CubeCart: Time-based Blind SQL Injection
CubeCart is an ecommerce software solution. Prior to 6.6.0, Authenticated Time-Based Blind SQL Injection vulnerabilities were identified in the sorting parameters sortprice, sortactivity, sortadmin, and sortcustomer of the Products and Logs endpoints in CubeCart v6.x. This allows an attacker to...
CubeCart Code Injection Vulnerability
CubeCart is an open-source e-commerce software developed by CubeCart. Versions of CubeCart prior to 6.7.0 had a code injection vulnerability. This vulnerability stemmed from authenticated server-side template injections in multiple modules. The application insecurely evaluated inputs provided by...
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
In the Linux kernel before version 6.0.3, the file drivers/gpu/drm/virtio/virtgpu_object.c misinterprets the return value of drm_gem_shmem_get_sg_table. It expects the value to be NULL in the error case, but in reality, it is an error pointer...
UBUNTU-CVE-2026-41526
In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path t...
CVE-2026-35521
FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DHCP hosts configuration parameter dhcp.hosts. This vulnerability allows an authenticat...
ChurchCRM Security Vulnerability
ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 6.5.3 contained security vulnerabilities. These vulnerabilities stemmed from the use of a specially crafted URL in the Referer request header, which could trigger server-side HTTP/HTTPS requests to...
WordPress StreamVid theme < 6.8.6 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Phat RiO in WordPress Theme StreamVid versions 6.8.6...
EUVD-2026-10147
Karapace is an open-source implementation of Kafka REST and Schema Registry. Prior to version 6.0.0, there is a Path Traversal vulnerability in the backup reader backup/backends/v3/backend.py. If a malicious backup file is provided to Karapace, an attacker may exploit insufficient path validation...
PT-2026-22406
Name of the Vulnerable Software and Affected Versions Statamic versions 6.0.0 through 6.3.9 Description Statamic is a Laravel and Git powered content management system CMS. Authenticated Control Panel users may, under certain conditions, obtain elevated privileges without completing the intende...
PT-2026-6303
Name of the Vulnerable Software and Affected Versions Group-Office versions prior to 6.8.150 Group-Office versions prior to 25.0.82 Group-Office versions prior to 26.0.5 Description An authenticated user with System Administrator privileges can trigger a server-side request forgery SSRF through t...
B&R Industrial Automation Process Visualization Interface log information leakage vulnerability
B&R Industrial Automation Process Visualization Interface is a process visualization tool developed by B&R Industrial Automation in Austria. Versions of the B&R Industrial Automation Process Visualization Interface prior to version 6.5 contained a vulnerability related to log information leakage...
EUVD-2026-3214
An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent denial-of-service...
CVE-2021-2297
Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization component: Core. The supported version that is affected is Prior to 6.1.20. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to...
PT-2025-52983
Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.4.0-rc3 Description A use-after-free issue exists in the Linux kernel related to the handling of OPP Operational Power Policy tables after probe deferral. Specifically, when dev_pm_opp_of_find_icc_paths in...
EUVD-2025-203315
NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable...