
12 matches found

NVD
added 2026/04/21 5:16 p.m., 5 views

CVE-2026-40584

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 7.5, EPSS 0.00276
Exploits: 0, References: 2

EUVD
added 2026/04/21 5:5 p.m., 3 views

EUVD-2026-24180

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 6.9, AI score 5.8, EPSS 0.00276
Exploits: 0, References: 2

Cvelist
added 2026/04/21 5:5 p.m., 30 views

CVE-2026-40584 RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 6.9, EPSS 0.00276
Exploits: 0, References: 2

Vulnrichment
added 2026/04/21 5:5 p.m., 2 views

CVE-2026-40584 RansomLook - Improper Filtering of Private Location Entries in API Endpoints Leads to Information Exposure

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 6.9, AI score 5.8, EPSS 0.00276
Exploits: 0, References: 2

Positive Technologies
added 2026/04/21 12:0 a.m., 11 views

PT-2026-34021

RansomLook is a tool to monitor Ransomware groups and markets and extract their victims. Prior to 1.9.0, the API in the affected application improperly filters private location entries in website/web/api/genericapi.py. Because the code removes elements from a list while iterating over it, entries...

CVSS 6.9, AI score 5.8, EPSS 0.00276
Exploits: 0, References: 3

RedhatCVE
added 2025/12/13 12:9 p.m., 3 views

CVE-2025-12408

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'getlocation' action due to insufficient restrictions on which locations can be included. This makes it possible for...

CVSS 5.3, AI score 6.2, EPSS 0.00313
Exploits: 0, References: 1

NVD
added 2025/12/12 12:15 p.m., 2 views

CVE-2025-12408

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'getlocation' action due to insufficient restrictions on which locations can be included. This makes it possible for...

CVSS 5.3, EPSS 0.00313
Exploits: 0, References: 2

Vulnrichment
added 2025/12/12 11:15 a.m., 1 views

CVE-2025-12408 Events Manager <= 7.2.2.2 - Unauthenticated Information Exposure

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'getlocation' action due to insufficient restrictions on which locations can be included. This makes it possible for...

CVSS 5.3, AI score 5.8, EPSS 0.00313
Exploits: 0, References: 2

Positive Technologies
added 2025/12/12 12:0 a.m., 5 views

PT-2025-50921

The Events Manager – Calendar, Bookings, Tickets, and more! plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 7.2.2.2 via the 'get location' action due to insufficient restrictions on which locations can be included. This makes it possible for...

CVSS 5.3, AI score 6.2, EPSS 0.00313
Exploits: 0, References: 2

Hacker One
added 2019/08/23 9:47 p.m., 13 views

New Relic: User can run monitors at private locations, which he has no access to

@skavans discovered that insufficient validation was performed when configuring Synthetics monitors allowing deployment to arbitrary private locations with knowledge of the location ID: POST /accounts//validation.json HTTP/1.1 Host: synthetics.newrelic.com...

AI score 2
Exploits: 0

Hacker One
added 2019/08/23 11:26 a.m., 13 views

New Relic: Stored XSS at Synthetics private locations (planted through location label or description)

Hey team, I've discovered stored XSS at Synthetics private locations list. The Private locations page contains a script with private locations metadata inside and the user-input of location label and description aren't properly escaped as you can see below: html window.nr =...

Exploits: 0

Hacker One
added 2018/04/29 10:5 p.m., 18 views

New Relic: User is able to access and create private synthetics locations without upgrading (regression of #276157)

It seems like the fix done for 276157 wasn't enough, as I'm able to bypass it and generate private synthetics locations without approval or the proper plan. This is the page that users see when they navigate to the private synthetics location: F291890 I'm able to bypass this by navigating as an Admi...

AI score 6.9
Exploits: 0