3046 matches found
CVE-2026-2343
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII...
CVE-2026-2343
The CVE-2026-2343 entry concerns the PeproDev Ultimate Invoice WordPress plugin (up to version 2.2.5). Affected component: bulk download invoices action that creates ZIP archives containing exported invoice PDFs. Root cause: ZIPs are named predictably, enabling brute force access to PII stored in...
CVE-2026-2343 PeproDev Ultimate Invoice <= 2.2.5 - Unauthenticated Invoice Archive Download
The PeproDev Ultimate Invoice WordPress plugin through 2.2.5 has a bulk download invoices action that generates ZIP archives containing exported invoice PDFs. The ZIP files are named predictably making it possible to brute force and retreive PII...
PT-2026-27640
Name of the Vulnerable Software and Affected Versions PeproDev Ultimate Invoice WordPress plugin versions through 2.2.5 Description The plugin allows for the bulk download of invoices, generating ZIP archives containing exported invoice PDFs. The ZIP file names are predictable, potentially allowi...
Requests 安全漏洞
Requests is an elegant and simple HTTP library from the Python Foundation. With Requests, you can send HTTP/1.1 requests with great ease. There’s no need to manually add query strings to your URLs, nor to encode POST data using forms. Versions of Requests prior to 2.33.0 contained a security...
GO-2026-4778 Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju...
CTEK Chargeportal 代码问题漏洞
CTEK Chargeportal is an electric vehicle charging management platform developed by the Swedish company CTEK. CTEK Chargeportal has code-related vulnerabilities; these vulnerabilities stem from the predictable nature of session identifiers and the ability for multiple endpoints to use the same...
Missing Cryptographic Step
Overview Affected versions of this package are vulnerable to Missing Cryptographic Step due to missing validation in the keyshare process during the TLS 1.3 HelloRetryRequest handshake. An attacker can compromise the confidentiality of encrypted communications by sending a crafted HelloRetryReque...
DEBIAN-CVE-2026-3230
Missing required cryptographic step in the TLS 1.3 client HelloRetryRequest handshake logic in wolfSSL could lead to a compromise in the confidentiality of TLS-protected communications via a crafted HelloRetryRequest followed by a ServerHello message that omits the required keyshare extension,...
EUVD-2026-12823
Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets...
GHSA-5CJ2-RQQF-HX9P Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets
Summary Predictable secret ID and lack of secret origin API enable confused deputy attacks on Juju workloads. Details A Juju application can create a secret and grant it to another integrated application grantee. When they do so, the secret owner has to communicate the secret id to the grantee. T...
wolfSSL(CyaSSL) 安全漏洞
wolfSSL CyaSSL is a small, portable embedded SSL programming library developed by the American company wolfSSL, designed for developers working with embedded systems. wolfSSL CyaSSL contains a security vulnerability. This vulnerability stems from the lack of necessary encryption steps in the TLS...
HCL AION Information Disclosure Vulnerability (CNVD-2026-15145)
HCL AION is an AI lifecycle management platform from HCL India. HCL AION suffers from an information disclosure vulnerability that stems from the predictability of certain identifiers, which can be exploited by an attacker to cause the attacker to infer or guess system-generated values, triggerin...
CVE-2026-32742 Parse Server session creation endpoint allows overwriting server-generated session fields
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.17 and 8.6.42, an authenticated user can overwrite server-generated session fields sessionToken, expiresAt, createdWith when creating a session object via POST...
Predictable Value Range from Previous Values
Overview Affected versions of this package are vulnerable to Predictable Value Range from Previous Values when granting permissions to secrets using a predictable XID. An attacker can gain unauthorized access to resources associated with previously granted secrets by predicting secret identifiers...
CVE-2026-32694
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...
CVE-2026-32694
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...
CVE-2026-32694 Insecure Direct Object Reference attack via predictable secret ID in Juju
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...
CVE-2026-32694 Insecure Direct Object Reference attack via predictable secret ID in Juju
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...
CVE-2026-32694
In Juju from version 3.0.0 through 3.6.18, when a secret owner grants permissions to a secret to a grantee, the secret owner relies exclusively on a predictable XID of the secret to verify ownership. This allows a malicious grantee which can request secrets to predict past secrets granted by the...