
31 matches found

Cvelist
added 2026/05/21 5:10 p.m. · 31 views

CVE-2026-48238 Open ISES Tickets < 3.44.2 SQL Injection via ajax/mobile_main.php id Parameter

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in ajax/mobile_main.php where the id GET parameter is concatenated into the WHERE clause of a SELECT statement used as a ticket-existence sanity check without sanitization. Authenticated attackers can craft requests that alter...

CVSS 7.1 · EPSS 0.00027
Exploits 0 · References 3
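The advisory's pattern (a request parameter spliced into the WHERE clause of a "does this ticket exist" query) reduced to a runnable Python/sqlite3 sketch, as an added example that is not Open ISES Tickets' code: the table, the ticket row and the payloads are constructed here. It shows why an existence check that only returns yes/no is still a data-exfiltration oracle once the predicate is attacker-controlled, and the parameterized form beside it.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory tickets table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.execute("INSERT INTO tickets VALUES (7, 'printer jammed')")
    conn.commit()
    return conn


def ticket_exists_vulnerable(conn: sqlite3.Connection, ticket_id: str) -> bool:
    # The request parameter is concatenated straight into the WHERE clause,
    # the pattern the advisory describes. Kept deliberately broken for contrast.
    sql = "SELECT COUNT(*) FROM tickets WHERE id = " + ticket_id
    return conn.execute(sql).fetchone()[0] > 0


def leak_subject_prefix(conn: sqlite3.Connection, prefix: str) -> bool:
    # Boolean-based inference through the existence check: the yes/no answer
    # now depends on data the caller has no business reading. Each call tests
    # one guess; looping over characters recovers the whole column.
    guess = "0 OR (SELECT subject FROM tickets WHERE id = 7) LIKE '%s%%'" % prefix
    return ticket_exists_vulnerable(conn, guess)


def ticket_exists_safe(conn: sqlite3.Connection, ticket_id: str) -> bool:
    # Type-check the input, then bind it; the SQL text never changes.
    if not ticket_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT COUNT(*) FROM tickets WHERE id = ?"
    return conn.execute(sql, (int(ticket_id),)).fetchone()[0] > 0


def safe_rejects(conn: sqlite3.Connection, ticket_id: str) -> bool:
    """True if the hardened check refuses the input instead of executing it."""
    try:
        ticket_exists_safe(conn, ticket_id)
    except ValueError:
        return True
    return False
```

The hardened version does two independent things: it rejects non-numeric input before any SQL is built, and it binds the value as a parameter so that even a missed validation cannot change the query's structure. Either alone is an improvement; both together are what a reviewer should expect.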
Vulnrichment
added 2026/04/30 12:11 p.m. · 3 views

CVE-2024-13971 Arbitrary File Read and Server Side Request Forgery via XML External Entities in Lobster_pro

Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services...

CVSS 7.7 · AI score 5.5 · EPSS 0.00022
Exploits 2 · References 1
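The file-read half of an XXE, reproduced with Python's standard xml.sax parser as an added example (this is not Lobster_pro's parser or code). The only difference between the two parses is the external-general-entities feature flag; the secret file, its contents and the payload are constructed in the block. The same payload shape with an http:// system identifier is the SSRF half the entry mentions.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class _TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)


def write_secret(content: bytes) -> str:
    """Constructed stand-in for a sensitive file on the application server."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def build_xxe_payload(path: str) -> bytes:
    # Classic external general entity whose system identifier is a local file;
    # pointing it at http://internal-host/ instead turns it into an SSRF probe.
    return (
        "<?xml version='1.0'?>"
        "<!DOCTYPE d [<!ENTITY xxe SYSTEM '%s'>]>"
        "<d>&xxe;</d>" % path
    ).encode()


def parse_with_policy(xml_bytes: bytes, allow_external_entities: bool) -> str:
    """Parse the document and return its text; the flag is the whole difference."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls whether external general entities are fetched
    # and expanded. Python has defaulted this to False since 3.7.1; many other
    # XML stacks still resolve them unless explicitly told not to.
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = _TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(handler.chunks)
```

When the flag is on, the document's text is the secret file's contents; when it is off, the entity reference expands to nothing and the attacker learns nothing. A hardened service disables external entities and DTD processing at the parser, rather than trying to filter DOCTYPE declarations out of the input.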
ATTACKERKB
added 2026/04/08 9:20 p.m. · 4 views

CVE-2026-5870

Integer overflow in Skia in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

AI score 6.3 · EPSS 0.00111
Exploits 0 · References 3 · Affected Software 1
ATTACKERKB
added 2026/04/07 3:23 p.m. · 3 views

CVE-2026-35526

Strawberry GraphQL is a library for creating GraphQL APIs. Prior to 0.312.3, Strawberry GraphQL's WebSocket subscription handlers for both the graphql-transport-ws and legacy graphql-ws protocols allocate an asyncio.Task and associated Operation object for every incoming subscribe message without...

CVSS 7.5 · AI score 5.9 · EPSS 0.00069
Exploits 0 · References 2 · Affected Software 1
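The resource-exhaustion shape described above (one task and one bookkeeping object per subscribe message, with nothing bounding the count) and the two checks a handler needs, as an added asyncio sketch. This is not Strawberry's code or its fix; the ConnectionState class, the limit and the flood simulation are constructed here.

```python
import asyncio


class SubscriptionLimitError(Exception):
    pass


class ConnectionState:
    """Per-WebSocket bookkeeping (constructed): operation id -> running task."""

    def __init__(self, max_operations: int):
        self.max_operations = max_operations
        self.operations: dict[str, asyncio.Task] = {}

    async def handle_subscribe(self, op_id: str, work) -> None:
        # Reject duplicates first: graphql-transport-ws requires unique ids per
        # connection, and a duplicate is a cheap way to orphan a running task.
        if op_id in self.operations:
            raise SubscriptionLimitError(f"duplicate operation id {op_id}")
        # Bound the number of concurrently allocated tasks per connection before
        # allocating anything; the rejected message costs nothing to process.
        if len(self.operations) >= self.max_operations:
            raise SubscriptionLimitError("too many in-flight subscriptions")
        task = asyncio.create_task(work())
        self.operations[op_id] = task
        task.add_done_callback(lambda _t: self.operations.pop(op_id, None))

    async def handle_complete(self, op_id: str) -> None:
        task = self.operations.pop(op_id, None)
        if task is not None:
            task.cancel()
            try:
                await task
            except asyncio.CancelledError:
                pass

    async def close(self) -> None:
        # Connection closed: tear down everything the client left running.
        for op_id in list(self.operations):
            await self.handle_complete(op_id)


async def _never_ending():
    await asyncio.Event().wait()


async def flood(limit: int, attempts: int) -> tuple:
    """Simulate a client sending `attempts` subscribe messages; return (accepted, rejected)."""
    state = ConnectionState(max_operations=limit)
    accepted = rejected = 0
    for i in range(attempts):
        try:
            await state.handle_subscribe(f"op-{i}", _never_ending)
            accepted += 1
        except SubscriptionLimitError:
            rejected += 1
    await state.close()
    return accepted, rejected


async def _duplicate_id_rejected() -> bool:
    state = ConnectionState(max_operations=5)
    await state.handle_subscribe("a", _never_ending)
    try:
        await state.handle_subscribe("a", _never_ending)
        rejected = False
    except SubscriptionLimitError:
        rejected = True
    await state.close()
    return rejected


def run_flood(limit: int, attempts: int) -> tuple:
    return asyncio.run(flood(limit, attempts))


def run_duplicate_check() -> bool:
    return asyncio.run(_duplicate_id_rejected())
```

The limit is per connection; a server also needs a cap on connections per client, since an attacker who is refused at 10 subscriptions will simply open more sockets.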
Vulnrichment
added 2026/03/24 3:11 a.m. · 2 views

CVE-2026-4736 Math Issue in No-Chicken/Echo-Mate

Improper Handling of Values vulnerability in No-Chicken Echo-Mate SDK/rv1106-sdk/sysdrv/source/kernel/include/net/netfilter modules. This vulnerability is associated with program files nf_tables.h, nft_byteorder.c, nft_meta.c. This issue affects Echo-Mate: before V250329...

CVSS 8.8 · AI score 5.8 · EPSS 0.00021
Exploits 0 · References 1
Vulnrichment
added 2026/03/11 10:04 p.m. · 3 views

CVE-2026-3938

Insufficient policy enforcement in Clipboard in Google Chrome prior to 146.0.7680.71 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...

AI score 5.8 · EPSS 0.0004
Exploits 0 · References 2
Positive Technologies
added 2026/03/10 12:00 a.m. · 1 view

PT-2026-24219

A vulnerability has been identified in SICAM SIAPP SDK (all versions < V2.1.7). An out-of-bounds write vulnerability exists in SICAM SIAPP SDK. This could allow an attacker to write data beyond the intended buffer, potentially leading to denial of service or arbitrary code execution...

CVSS 7.8 · AI score 5.9 · EPSS 0.00019
Exploits 0 · References 5
CNNVD
added 2026/02/25 12:00 a.m. · 5 views

rustfs cross-site scripting vulnerability

RustFS is a high-performance object storage system developed by RustFS. Versions of RustFS prior to 1.0.0-alpha.83 contain a cross-site scripting vulnerability. The flaw is a stored cross-site scripting issue and could lead to credential leakage and account takeover...

CVSS 9.0 · AI score 5.7 · EPSS 0.00045
Exploits 1 · References 1
NVD
added 2026/02/02 11:16 p.m. · 2 views

CVE-2026-25221

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for the GitHub and Google login providers is vulnerable to login cross-site request forgery (CSRF). The application fails to implement and verify the state parameter during the...

CVSS 8.1 · EPSS 0.00016
Exploits 1 · References 2
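What "implement and verify the state parameter" means in code, as an added example that is not PolarLearn's code: the session is a plain dict standing in for the framework's server-side session, and the provider endpoint, client id and callback URL are placeholders. The state is minted per login attempt, bound to the browser session, compared in constant time and consumed on first use, so a callback URL the attacker forces into the victim's browser (carrying the attacker's authorization code) is rejected.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder provider endpoint; the real one comes from the provider's metadata.
AUTHORIZE_URL = "https://provider.example/oauth2/authorize"


class LoginCsrf(Exception):
    pass


def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Start the flow: mint an unguessable state and bind it to this session."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    query = urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
    })
    return AUTHORIZE_URL + "?" + query


def finish_login(session: dict, callback_url: str) -> str:
    """Handle the redirect back; refuse any callback not tied to a state we issued."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use: pop, never get
    received = params.get("state", [None])[0]
    if expected is None or received is None:
        raise LoginCsrf("no state bound to this session, or none in the callback")
    if not hmac.compare_digest(expected, received):
        raise LoginCsrf("state mismatch: this browser did not start the flow")
    code = params.get("code", [None])[0]
    if not code:
        raise LoginCsrf("missing authorization code")
    # Only now is it safe to exchange the code for tokens and link the identity.
    return code


def state_from_url(url: str) -> str:
    """Helper for the caller/tests: pull the state out of the authorize URL."""
    return parse_qs(urlparse(url).query)["state"][0]


def callback_accepted(session: dict, callback_url: str) -> bool:
    try:
        finish_login(session, callback_url)
        return True
    except LoginCsrf:
        return False
```

Without the state check, the attacker completes their own GitHub login up to the redirect, captures the callback URL with their code, and delivers it to the victim; the victim's session is then linked to the attacker's provider account. The state comparison is what ties the callback to the browser that actually started the login.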
Positive Technologies
added 2025/12/12 12:00 a.m. · 1 view

PT-2025-50894

Parse Server is an open source backend that can be deployed to any infrastructure that runs Node.js. In versions prior to 8.6.0-alpha.2, a GitHub CI workflow is triggered in a way that grants the GitHub Actions workflow elevated permissions, giving it access to GitHub secrets and write permission...

CVSS 6.9 · AI score 6.8 · EPSS 0.00061
Exploits 0 · References 4
CVE
added 2025/10/31 12:00 a.m. · 5 views

CVE-2025-63562

The CVE describes a vulnerability in Summer Pearl Group Vacation Rental Management Platform prior to version 1.0.2 where server-side authorization is insufficient. Authenticated attackers can manipulate request parameters (e.g., owner or resource id) to call endpoints and perform create, update, ...

CVSS 6.3 · AI score 6.6 · EPSS 0.00052
Exploits 0 · References 1 · Affected Software 1
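The authorization failure described above, and the server-side check that fixes it, as an added example that is not the platform's code: the in-memory Store, the listing ids and the user ids are constructed here. The broken handler's only check compares two values the client controls (the owner it claims and the listing it names); the fixed handler derives the decision from the authenticated session and the stored record and ignores any owner field in the request.

```python
class Forbidden(Exception):
    pass


class Store:
    """Constructed in-memory stand-in for the platform's listings table."""

    def __init__(self):
        self.listings = {
            101: {"owner": 1, "title": "Beach house"},
            102: {"owner": 2, "title": "Mountain cabin"},
        }
        self.next_id = 103


def make_store() -> Store:
    return Store()


def update_listing_vulnerable(store: Store, session_user: int, params: dict) -> dict:
    # The "check" compares the owner the request claims against the record it
    # names; session_user is never consulted, so user 2 edits listing 101 by
    # sending owner=1. Kept broken for contrast.
    listing = store.listings[int(params["id"])]
    if listing["owner"] != int(params["owner"]):
        raise Forbidden("owner mismatch")
    listing["title"] = params["title"]
    return listing


def update_listing_safe(store: Store, session_user: int, params: dict) -> dict:
    # Authorization comes from the authenticated identity and the stored owner;
    # whatever owner value the client sent is discarded.
    listing = store.listings.get(int(params["id"]))
    if listing is None or listing["owner"] != session_user:
        # Same response for "missing" and "not yours": don't confirm existence.
        raise Forbidden("no such listing")
    listing["title"] = params["title"]
    return listing


def create_listing_safe(store: Store, session_user: int, params: dict) -> dict:
    # Ownership is assigned server-side at creation; a client-supplied owner is ignored.
    listing_id = store.next_id
    store.next_id += 1
    store.listings[listing_id] = {"owner": session_user, "title": params["title"]}
    return {"id": listing_id, **store.listings[listing_id]}


def update_allowed(store: Store, session_user: int, params: dict) -> bool:
    try:
        update_listing_safe(store, session_user, params)
        return True
    except Forbidden:
        return False
```

The same rule applies to every verb: for read, update and delete, look the record up and compare its owner to the session; for create, stamp the owner from the session. Request parameters can name a resource, never vouch for who may touch it.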
CVE
added 2025/10/13 9:37 p.m. · 5 views

CVE-2025-62363

CVE-2025-62363 affects yt-grabber-tui prior to version 1.0-rc. The root cause is a configurable path_to_yt_dlp that lets an attacker with write access to the configuration or the executable’s filesystem location replace yt-dlp or symlink to a malicious binary. When yt-grabber-tui invokes yt-dlp, ...

CVSS 7.8 · AI score 6.8 · EPSS 0.00032
Exploits 0 · References 2
CNNVD
added 2025/09/03 12:00 a.m. · 2 views

SAMSUNG Mobile devices security vulnerability

SAMSUNG Mobile devices are a range of mobile devices, including phones and tablets, from the South Korean company Samsung. A security vulnerability exists in SAMSUNG Mobile devices in versions prior to SMR Sep-2025 Release 1, which stems from improper privilege management and...

CVSS 5.5 · AI score 6.3 · EPSS 0.00026
Exploits 0 · References 1
CVE
added 2025/08/27 4:47 p.m. · 15 views

CVE-2025-34161

CVE-2025-34161 affects Coolify versions prior to v4.0.0-beta.420.7. A remote code execution flaw exists in the project deployment workflow: authenticated users with low privileges can inject arbitrary shell commands through the Git Repository field during project creation, leading to arbitrary co...

CVSS 9.4 · AI score 8.2 · EPSS 0.01192
Exploits 3 · References 3 · Affected Software 1
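The injection shape the entry describes (a repository string from the UI ending up inside a shell command line) and the two-part fix, as an added example that is not Coolify's code. To run offline, `echo` stands in for the real git invocation in both variants; the allow-list regex, the payloads and the argv builder are constructed here. The fix is strict validation of the URL's form plus an argv list with a `--` separator, so the value can never be parsed as shell syntax or as a git option.

```python
import re
import subprocess

# Allowed repository forms (constructed policy): https clone URLs and
# scp-style ssh URLs, built only from a conservative character set. Anything
# else, including ext:: helpers, file:// and option-looking values, is refused.
_ALLOWED = re.compile(
    r"^(?:https://[A-Za-z0-9.-]+(?::\d+)?/[A-Za-z0-9._/-]+"
    r"|git@[A-Za-z0-9.-]+:[A-Za-z0-9._/-]+)$"
)


def deploy_vulnerable(repo_url: str) -> str:
    # One command string assembled from user input and handed to the shell.
    # 'echo' stands in for the git call so the demo runs offline; the shell's
    # handling of ';' is exactly the same either way. Kept broken for contrast.
    completed = subprocess.run(
        "echo cloning " + repo_url, shell=True, capture_output=True, text=True
    )
    return completed.stdout


def validate_repo_url(repo_url: str) -> str:
    if not _ALLOWED.fullmatch(repo_url):
        raise ValueError("repository URL does not match the allowed forms")
    return repo_url


def git_clone_argv(repo_url: str, dest: str) -> list:
    # What a hardened deployer would actually run: no shell, '--' so the URL
    # can never be read as an option, and the validated value as one argument.
    return ["git", "clone", "--", validate_repo_url(repo_url), dest]


def deploy_safe(repo_url: str) -> str:
    url = validate_repo_url(repo_url)
    # argv list, no shell: the URL reaches the program as a single argument.
    completed = subprocess.run(
        ["echo", "cloning", url], capture_output=True, text=True
    )
    return completed.stdout


def safe_accepts(repo_url: str) -> bool:
    try:
        validate_repo_url(repo_url)
        return True
    except ValueError:
        return False
```

Validation alone is not enough: a URL that passes the regex today might still be abused through a future git feature, which is why the argv form with `--` is kept even for validated input. The allow-list should be tightened further in real deployments (for example, to the hosts the operator actually uses).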
Positive Technologies
added 2025/08/15 12:00 a.m. · 4 views

PT-2025-33493 · Plane · Plane

Name of the Vulnerable Software and Affected Versions: Plane versions prior to 0.28.0 Description: Plane is open-source project management software. A stored cross-site scripting (XSS) vulnerability exists in the description html field. This flaw allows an attacker to inject malicious JavaScript co...

CVSS 5.4 · AI score 5.2 · EPSS 0.00046
Exploits 0 · References 7
OSV
added 2025/05/15 8:15 p.m. · 1 view

CVE-2024-8031

The Secure Downloads WordPress plugin before 1.2.3 does not properly restrict which files can be downloaded. This makes it possible for authenticated attackers, with admin-level access and above, to download arbitrary files that may contain sensitive information like wp-config.php...

CVSS 6.5 · AI score 5.8 · EPSS 0.01858
Exploits 1 · References 1
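The failure above (a download handler that opens whatever path the request names) and the confinement check that fixes it, as an added Python example that is not the plugin's code: the site layout, the stand-in wp-config.php and the symlink are constructed in a temporary directory. The check resolves the request to the real path that would be opened, so both `..` traversal and a symlink planted inside the public directory are caught by the same comparison.

```python
import os
import tempfile


class DownloadRefused(Exception):
    pass


def make_site() -> str:
    """Constructed layout: <site>/wp-config.php (secret) and <site>/uploads/ (public).

    Returns the uploads directory, i.e. the only place downloads may come from.
    """
    site = tempfile.mkdtemp(prefix="wp-site-")
    uploads = os.path.join(site, "uploads")
    os.mkdir(uploads)
    with open(os.path.join(site, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(uploads, "brochure.pdf"), "wb") as f:
        f.write(b"%PDF-1.4 constructed")
    try:
        # A symlink inside the public directory that points outside it.
        os.symlink(os.path.join(site, "wp-config.php"), os.path.join(uploads, "link"))
    except (OSError, NotImplementedError):
        pass   # platforms without symlink support still exercise the '..' case
    return uploads


def read_download_vulnerable(uploads: str, requested: str) -> bytes:
    # Joins the request parameter onto the directory and opens the result;
    # '../wp-config.php' walks straight out. Kept broken for contrast.
    with open(os.path.join(uploads, requested), "rb") as f:
        return f.read()


def resolve_download(uploads: str, requested: str) -> str:
    """Return the real path of a regular file under `uploads`, or refuse."""
    if not requested or "\x00" in requested or os.path.isabs(requested):
        raise DownloadRefused("malformed path")
    root = os.path.realpath(uploads)
    # realpath collapses '..' and follows symlinks, so the comparison is made
    # against the file that would actually be opened, not the string requested.
    target = os.path.realpath(os.path.join(root, requested))
    if target == root or os.path.commonpath([root, target]) != root:
        raise DownloadRefused("outside the download directory")
    if not os.path.isfile(target):
        raise DownloadRefused("not a regular file")
    return target


def download_allowed(uploads: str, requested: str) -> bool:
    try:
        resolve_download(uploads, requested)
        return True
    except DownloadRefused:
        return False
```

A stricter design maps download ids to stored paths and never accepts a filename from the client at all; when a filename must be accepted, the realpath-and-prefix check above is the minimum, and an extension allow-list on top of it keeps PHP sources out even inside the permitted directory.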
OSV
added 2024/05/14 3:38 p.m. · 1 view

AZL-40580 CVE-2024-33875 affecting package hdf5 for versions less than 1.14.4.3-1

HDF5 Library through 1.14.3 has a heap-based buffer overflow in H5O__layout_encode in H5Olayout.c, resulting in the corruption of the instruction pointer...

CVSS 5.7 · AI score 7.5 · EPSS 0.00064
Exploits 0 · References 1
OSV
added 2023/12/12 12:15 p.m. · 0 views

CVE-2023-48431

A vulnerability has been identified in SINEC INS (all versions < V1.0 SP2 Update 2). The affected software does not correctly validate the response received from a UMC server. An attacker can use this to crash the affected software by providing and configuring a malicious UMC server or by manipulating the...

CVSS 8.6 · AI score 5.7 · EPSS 0.0017
Exploits 0 · References 1
CNNVD
added 2023/12/08 12:00 a.m. · 1 view

EverShop security vulnerability

EverShop is an open-source NodeJS e-commerce platform. A security vulnerability exists in EverShop versions prior to v1.0.0-rc.8. A remote attacker can exploit this vulnerability to obtain sensitive information via a specially crafted request to the DELETE function in the api/files...

CVSS 8.3 · AI score 7.8 · EPSS 0.00464
Exploits 0 · References 3
Positive Technologies
added 2023/06/06 12:00 a.m. · 2 views

PT-2023-24599 · Unknown · Notation-Go

Name of the Vulnerable Software and Affected Versions: notation versions prior to v1.0.0-rc.6 Description: An attacker who has compromised a registry can cause users to verify the wrong artifact. This issue allows an attacker to lead a user into verifying the wrong artifact if they control or...

CVSS 8.8 · AI score 8.4 · EPSS 0.00147
Exploits 0 · References 10