
12 matches found

RedhatCVE
added 2026/05/26 8:14 p.m. · 7 views

CVE-2026-47075

Improper Neutralization of CRLF Sequences vulnerability in benoitc hackney allows HTTP Request Splitting. hackney does not percent-encode carriage return \r or line feed \n characters in the URL query component before constructing the HTTP/1.1 request target. Characters outside the grammar define...

CVSS 7.5 · AI score 5.9 · EPSS 0.00033
Exploits: 1 · References: 1

CVE
added 2026/04/28 6:3 a.m. · 10 views

CVE-2026-40967

Summary: CVE-2026-40967 affects Spring AI 1.0.0–1.0.5 (fix in 1.0.6) and 1.1.0–1.1.4 (fix in 1.1.5). In several FilterExpressionConverter implementations, filter expression keys/values aren’t properly escaped, enabling an attacker to alter vector store queries. This could impact query integrity ...

CVSS 8.6 · AI score 5.2 · EPSS 0.00031
Exploits: 0 · References: 1 · Affected Software: 1

Snyk
added 2026/04/27 12:0 a.m. · 0 views

Improper Neutralization of Special Elements in Data Query Logic

Overview: org.springframework.ai:spring-ai-pgvector-store is a Spring AI PGVector Vector Store. Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Data Query Logic via the FilterExpressionConverter implementations. An attacker can alter underlying...

CVSS 8.8 · AI score 5.8 · EPSS 0.00031
Exploits: 0 · References: 2

OSV
added 2026/04/22 2:16 p.m. · 1 views

UBUNTU-CVE-2026-33609

Incomplete escaping of LDAP queries when running with 8bit-dns enabled allows users to perform queries of internal domain subtrees...

CVSS 6.5 · AI score 5.8 · EPSS 0.00003
Exploits: 0 · References: 3

Github Security Blog
added 2026/02/18 10:40 p.m. · 5 views

RediSearch Query Injection in @langchain/langgraph-checkpoint-redis

Summary: A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has...

CVSS 6.5 · AI score 5.8 · EPSS 0.0002
Exploits: 0 · References: 6 · Affected Software: 1

OSV
added 2024/11/13 2:15 a.m. · 1 views

CVE-2024-10851

The Razorpay Payment Button Plugin plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg & remove_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.4.6. This makes it possible for unauthenticated attackers to injec...

CVSS 6.1 · AI score 7.4
Exploits: 0 · References: 3

ATTACKERKB
added 2024/06/06 10:15 a.m. · 1 views

CVE-2024-5329

The Unlimited Elements For Elementor Free Widgets, Addons, Templates plugin for WordPress is vulnerable to blind SQL Injection via the ‘dataaddonID’ parameter in all versions up to, and including, 1.5.109 due to insufficient escaping on the user supplied parameter and lack of sufficient preparati...

CVSS 8.8 · AI score 5.9 · EPSS 0.00634
Exploits: 0 · References: 5

Positive Technologies
added 2023/06/02 12:0 a.m. · 3 views

PT-2023-18361 · WordPress · Web Directory Free

Name of the Vulnerable Software and Affected Versions: The Web Directory Free for WordPress versions up to, and including, 1.6.7. Description: The issue allows authenticated attackers with contributor-level privileges to extract sensitive information from the database due to insufficient escaping ...

CVSS 8.8 · AI score 9.1 · EPSS 0.00365
Exploits: 0 · References: 4

CNNVD
added 2022/04/11 12:0 a.m. · 1 views

GoCD Injection Vulnerability

GoCD is a continuous delivery server. GoCD suffers from an injection vulnerability that stems from the fact that the gocd-ldap-authentication-plugin included in GoCD Server fails to properly escape special characters when constructing an LDAP query using a username. An attacker could use this...

CVSS 8.2 · AI score 6.8 · EPSS 0.01597
Exploits: 0 · References: 8

CNVD
added 2021/01/29 12:0 a.m. · 10 views

Moodle Cross-Site Scripting Vulnerability (CNVD-2021-07506)

Moodle is a learning platform designed to provide educators, administrators, and learners with a powerful, secure, and integrated system for creating personalized learning environments. A reflected cross-site scripting vulnerability exists in Moodle versions prior to 3.10.1. The vulnerability ste...

CVSS 5.4 · AI score 5.8 · EPSS 0.00455
Exploits: 0 · References: 1

CNNVD
added 2021/01/28 12:0 a.m. · 1 views

Moodle Cross-Site Scripting Vulnerability

Moodle is a learning platform designed to provide educators, administrators, and learners with a powerful, secure, and integrated system for creating personalized learning environments. A reflected cross-site scripting vulnerability exists in Moodle versions prior to 3.10.1. The vulnerability ste...

CVSS 5.4 · AI score 6.6 · EPSS 0.00455
Exploits: 0 · References: 3

OSV
added 2005/07/19 4:0 a.m. · 1 views

DEBIAN-CVE-2005-2301

PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack...

CVSS 5 · AI score 6.9 · EPSS 0.00074
Exploits: 0 · References: 1