CVE-2025-13447

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters...

CVE-2025-13444

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters...

CVE-2025-13447

CVE-2025-13447 corresponds to a remote code execution via OS Command Injection in Progress LoadMaster API. The connected ZDI advisories detail multiple command-injection flaws (delapikey, delcert, listapikeys, addapikey, getcipherset) that allow authenticated network-adjacent attackers to execute...

CVE-2025-13444 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster

OS Command Injection Remote Code Execution Vulnerability in API in Progress LoadMaster allows an authenticated attacker with “User Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the API input parameters...

CVE-2025-14507 EventPrime - Events Calendar, Bookings and Tickets <= 4.2.7.0 - Unauthenticated Sensitive Information Exposure via REST API

The EventPrime - Events Calendar, Bookings and Tickets plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.2.7.0 via the REST API. This makes it possible for unauthenticated attackers to extract sensitive booking data including user names,...

Schneider Electric EcoStruxure Power Build Rapsody (Update A)

GENERAL SECURITY RECOMMENDATIONS We strongly recommend the following industry cybersecurity best practices. Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Install physical controls so no unauthorized personnel can access...

Schneider Electric Zigbee Products

GENERAL SECURITY RECOMMENDATIONS We strongly recommend the following industry cybersecurity best practices. https://www.se.com/us/en/download/document/7EN52-0390/ Locate control and safety system networks and remote devices behind firewalls and isolate them from the business network. Install...

On-Chip Semi-Device-Independent Quantum Random Number Generator Exploiting Contextuality

We present a semi-device-independent quantum random number generator QRNG based on the violation of a contextuality inequality, implemented by the integration of two silicon photonic chips. Our system combines a heralded single-photon source with a reconfigurable interferometric mesh to implement...

Siemens Industrial Edge Devices 安全漏洞

Siemens Industrial Edge Devices is a family of industrial edge devices from Siemens, Germany, used for field data processing and intelligent control. A security vulnerability exists in Siemens Industrial Edge Devices that stems from improper authentication of specific API endpoints, which could...

PT-2026-2384

Name of the Vulnerable Software and Affected Versions Mailhog version 1.0.1 Description Mailhog version 1.0.1 has a stored cross-site scripting issue. Attackers can inject malicious scripts through email attachments. By sending crafted emails with XSS payloads, attackers can execute arbitrary API...

Progress LoadMaster 安全漏洞

Progress LoadMaster is a high performance Application Delivery Controller ADC and load balancer from Progress, Inc. A security vulnerability exists in Progress LoadMaster that stems from an uncleaned API input parameter, which could lead to the execution of arbitrary commands by an authenticated...

EUVD-2026-1919

wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was discouraged for years, but the code was never removed. This might cause the API key to be leaked to different servers...

CVE-2026-22033 Label Studio vulnerable to full account takeover by chaining Stored XSS + IDOR in User Profile via custom_hotkeys field

Label Studio is a multi-type data labeling and annotation tool. In 1.22.0 and earlier, a persistent stored cross-site scripting XSS vulnerability exists in the customhotkeys functionality of the application. An authenticated attacker or one who can trick a user/administrator into updating their...

Linux Distros Unpatched Vulnerability : CVE-2026-22251

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wlc is a Weblate command-line client using Weblate's REST API. Prior to 1.17.0, wlc supported providing unscoped API keys in the setting. This practice was...

CVE-2025-67811

Area9 Rhapsode 1.47.3 allows SQL Injection via multiple API endpoints accessible to authenticated users. Insufficient input validation allows remote attackers to inject arbitrary SQL commands, resulting in unauthorized database access and potential compromise of sensitive data. Fixed in v.1.47.4...

PT-2026-2222

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.2 Description OpenProject is a web-based project management software. A user with low privileges can view the full names of other users. User IDs are assigned sequentially, allowing an attacker to extract a...

CVE-2021-31996

An issue was discovered in the algorithmica crate through 2021-03-07 for Rust. There is a double free in mergesort::merge...

CVE-2021-22027

The vRealize Operations Manager API 8.x prior to 8.5 contains a Server Side Request Forgery in an end point. An unauthenticated malicious actor with network access to the vRealize Operations Manager API can perform a Server Side Request Forgery attack leading to information disclosure...

CVE-2017-18440

cPanel before 64.0.21 allows demo users to execute traceroute via api2 SEC-244...

CVE-2017-18589

An issue was discovered in the cookie crate before 0.7.6 for Rust. Large integers in the Max-Age of a cookie cause a panic...