37 matches found

Snyk
added 2026/05/29 11:52 p.m., 7 views

Malicious Package

Overview: @t-in-one/prefillcreditdatatoken is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...

CVSS 9.8, AI score 5.8
Exploits 0, References 2
Snyk
added 2026/05/29 11:52 p.m., 6 views

Malicious Package

Overview: @t-in-one/prefilltransformersdatatoken is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization...

CVSS 9.8, AI score 5.8
Exploits 0, References 2
RedhatCVE
added 2026/03/31 10:58 p.m., 2 views

CVE-2026-4257

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig Twig_Loader_String template engine without sandboxing, combined with th...

CVSS 9.8, AI score 6.2, EPSS 0.86931
Exploits 7, References 1
Patchstack
added 2026/03/31 6:45 a.m., 3 views

WordPress Contact Form by Supsystic plugin <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality vulnerability

Unauthenticated Server-Side Template Injection via Prefill Functionality vulnerability discovered by kiseki - Heroes Cyber Security in WordPress Plugin Contact Form by Supsystic versions <= 1.7.36...

CVSS 9.8, AI score 5.9, EPSS 0.86931
Exploits 7, References 1, Affected Software 1
NVD
added 2026/03/30 10:16 p.m., 2 views

CVE-2026-4257

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig Twig_Loader_String template engine without sandboxing, combined with th...

CVSS 9.8, EPSS 0.86931
Exploits 7, References 3
CVE
added 2026/03/30 9:26 p.m., 53 views

CVE-2026-4257

CVE-2026-4257 (Contact Form by Supsystic for WordPress) is an SSTI vulnerability that enables unauthenticated remote code execution in all versions up to 1.7.36. The root cause is the plugin's use of the Twig Twig_Loader_String engine without sandboxing, combined with the cfsPreFill prefill featu...

CVSS 9.8, AI score 6.2, EPSS 0.86931
Exploits 7, References 3
Cvelist
added 2026/03/30 9:26 p.m., 94 views

CVE-2026-4257 Contact Form by Supsystic <= 1.7.36 - Unauthenticated Server-Side Template Injection via Prefill Functionality

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig Twig_Loader_String template engine without sandboxing, combined with th...

CVSS 9.8, EPSS 0.86931
Exploits 7, References 3
ATTACKERKB
added 2026/03/30 9:26 p.m., 1 view

CVE-2026-4257

The Contact Form by Supsystic plugin for WordPress is vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in all versions up to, and including, 1.7.36. This is due to the plugin using the Twig Twig_Loader_String template engine without sandboxing, combined with th...

CVSS 9.8, AI score 6.2, EPSS 0.86931
Exploits 7, References 6
Positive Technologies
added 2026/03/30 12:00 a.m., 2 views

PT-2026-29130

Name of the Vulnerable Software and Affected Versions: Contact Form by Supsystic plugin for WordPress versions up to and including 1.7.36. Description: The Contact Form by Supsystic plugin for WordPress is susceptible to Server-Side Template Injection (SSTI), which can lead to Remote Code Execution (RC...

CVSS 9.8, AI score 6.2, EPSS 0.86931
Exploits 7, References 14
Cvelist
added 2026/02/17 1:52 a.m., 29 views

CVE-2026-26220 LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE

LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads without authentication or validation. A...

CVSS 9.3, EPSS 0.01151
Exploits 0, References 6
Vulnrichment
added 2026/02/17 1:52 a.m., 1 view

CVE-2026-26220 LightLLM <= 1.1.0 PD Mode Unsafe Deserialization RCE

LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution vulnerability in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary frames and pass the data directly to pickle.loads without authentication or validation. A...

CVSS 9.3, AI score 6.9, EPSS 0.01151
Exploits 0, References 6
Positive Technologies
added 2026/02/17 12:00 a.m., 5 views

PT-2026-8395

Name of the Vulnerable Software and Affected Versions: LightLLM versions prior to 1.2.0. Description: LightLLM version 1.1.0 and prior contain an unauthenticated remote code execution issue in PD (prefill-decode) disaggregation mode. The PD master node exposes WebSocket endpoints that receive binary...

CVSS 9.3, AI score 6.7, EPSS 0.01151
Exploits 0, References 15
Packet Storm News
added 2026/02/16 12:00 a.m., 2 views

Exposing the Systematic Vulnerability of Open-Weight Models to Prefill Attacks

As the capabilities of large language models continue to advance, so does their potential for misuse. While closed-source models typically rely on external defenses, open-weight models must primarily depend on internal safeguards to mitigate harmful behavior. Prior red-teaming research has largel...

AI score 5.6
Exploits 0
RedhatCVE
added 2025/11/28 8:08 p.m., 2 views

CVE-2025-64515

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, AI score 6.8, EPSS 0.00053
Exploits 0, References 1
NVD
added 2025/11/18 11:15 p.m., 4 views

CVE-2025-64515

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, EPSS 0.00053
Exploits 0, References 3
OSV
added 2025/11/18 10:39 p.m., 3 views

CVE-2025-64515 Open Forms prefill data in read-only components can be tampered

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, AI score 6.7, EPSS 0.00053
Exploits 0, References 5
Cvelist
added 2025/11/18 10:39 p.m., 6 views

CVE-2025-64515 Open Forms prefill data in read-only components can be tampered

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, EPSS 0.00053
Exploits 0, References 3
EUVD
added 2025/11/18 10:39 p.m., 3 views

EUVD-2025-198098

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, AI score 6.3, EPSS 0.00053
Exploits 0, References 3
Vulnrichment
added 2025/11/18 10:39 p.m., 6 views

CVE-2025-64515 Open Forms prefill data in read-only components can be tampered

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3, AI score 6.4, EPSS 0.00053
Exploits 0, References 3
CVE
added 2025/11/18 10:39 p.m., 4 views

CVE-2025-64515

Open Forms (Open Formulieren) is affected prior to versions 3.2.7 and 3.3.3, where prefill data fields that are dynamically set to readonly/disabled could be tampered with by malicious users. The underlying issue is that these fields can be modified despite a UI restriction, enabling data tamperin...

CVSS 4.3, AI score 6.4, EPSS 0.00053
Exploits 0, References 3, Affected Software 1