WordPress Restrict User Access <= 2.5 - Cross-Site Scripting

WordPress Restrict User Access – Membership Plugin with Force versions before 2.6 is vulnerable to Reflected Cross-Site Scripting via the 'ruasection' parameter in the admin level edit page. id: CVE-2024-29138 info: name: WordPress Restrict User Access = 2.5 - Cross-Site Scripting author: Shivam...

CVE-2026-45691

A flaw was found in Nextcloud Server. An attacker could reuse a pre-two-factor authentication 2FA session cookie as a Bearer token. This allows them to authenticate against DAV endpoints, granting unauthorized read and write access and bypassing the mandatory two-factor authentication. Mitigation...

CVE-2026-45691

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie created after successful password authentication but before TOTP completion could be reused as a Bearer token to authenticat...

CVE-2026-45691

Summary: CVE-2026-45691 affects Nextcloud Server prior to 32.0.9 and 33.0.3, where a pre-2FA session cookie created after password auth but before TOTP could be reused as a Bearer token to access DAV endpoints, bypassing mandatory two-factor authentication and granting read/write access. Impact: ...

PT-2026-45535

Nextcloud is an open source content collaboration platform. In Nextcloud Server from versions 32.0.0 to before 32.0.9, and 33.0.0 to before 33.0.3, a pre-2FA session cookie created after successful password authentication but before TOTP completion could be reused as a Bearer token to authenticat...

Astra Linux - уязвимость в binutils

There is a flaw in binutils /bfd/pef.c. An attacker who can submit a crafted input file for processing by the objdump program could cause a null pointer dereference. The greatest threat of this flaw is to the availability of the application. This flaw affects binutils versions prior to 2.34...

WWW::Mechanize::Cached 代码问题漏洞

WWW::Mechanize::Cached is an open-source module developed by libwww-perl for the Perl language, serving as an extension to WWW::Mechanize. Versions of WWW::Mechanize::Cached prior to version 2.00 contained code vulnerabilities. These vulnerabilities stemmed from the ability to deserialize HTTP...

Wireshark 2.0.x < 2.0.13 Multiple Vulnerabilities

The version of Wireshark installed on the remote Windows host is prior to 2.0.13. It is, therefore, affected by multiple vulnerabilities as referenced in the wireshark-2.0.13 advisory. - In Wireshark 2.2.0 to 2.2.6 and 2.0.0 to 2.0.12, the RGMP dissector could crash. This was addressed in...

HashiCorp Vault 安全漏洞

HashiCorp Vault is a private key access management tool developed by the American company HashiCorp. Versions of HashiCorp Vault prior to 2.0.0, as well as versions prior to 1.21.5, 1.20.10, and 1.19.16, contain security vulnerabilities. These vulnerabilities stem from Vault’s practice of...

CVE-2026-4393

The CVE-2026-4393 issue is a CSRF vulnerability in the Drupal Automated Logout module. The Root Cause: the logout routes are not sufficiently protected against CSRF, enabling an authenticated user to trigger unintended actions. Affected software: Drupal Automated Logout module; affected versions ...

CVE-2026-33148 URL Parameter Injection in FDC Food Search API Causes Server Crash and Exposes Internal API Key

Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the FDC USDA FoodData Central search endpoint constructs an upstream API URL by directly interpolating the user-supplied query parameter into the URL string without...

PT-2026-28380

Name of the Vulnerable Software and Affected Versions Tandoor Recipes versions prior to 2.6.0 Description Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. In versions prior to 2.6.0, the SyncViewSet.query synced folder action in...

CVE-2026-27602 Modoboa has an OS Command Injection

Modoboa is a mail hosting and management platform. Prior to version 2.7.1, execcmd in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacte...

CVE-2026-33335 Vikunja Desktop allows arbitrary local application invocation via unvalidated shell.openExternal

Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper passes URLs from window.open calls directly to shell.openExternal without any validation or protocol allowlisting. An attacker who can place ...

Huawei EulerOS: Security Advisory for net-snmp (EulerOS-SA-2026-1291)

The remote host is missing an update for the Huawei EulerOS SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVE-2026-27116

Vikunja has a reflected HTML injection in the Projects module prior to version 2.0.0: the URL parameter filter is rendered into the DOM without output encoding when clicking “Filter.” Scripts/iframes are blocked, but SVG, links, and formatting tags may render, enabling SVG-based phishing buttons,...

CVE-2026-25478

Litestar is an Asynchronous Server Gateway Interface ASGI framework. Prior to 2.20.0, CORSConfig.allowedoriginsregex is constructed using a regex built from configured allowlist values and used with fullmatch for validation. Because metacharacters are not escaped, a malicious origin can match...

CVE-2026-24515

In libexpat before 2.7.4, XMLExternalEntityParserCreate does not copy unknown encoding handler user data...

PT-2026-1404

Name of the Vulnerable Software and Affected Versions FastDup – Fastest WordPress Migration & Duplicator plugin versions prior to 2.7 Description The FastDup plugin for WordPress has a path traversal issue affecting versions up to 2.7. Authenticated attackers with Contributor-level access or high...

Nanjing Hanyuan HY511 POE 安全漏洞

Nanjing Hanyuan HY511 POE is an embedded smart display panel from Nanjing Hanyuan, China. A security vulnerability exists in Nanjing Hanyuan HY511 POE versions prior to 2.1 and plugins prior to 0.1, which stems from insufficient device cookie validation, and could lead to an attacker downloading...