GitLab CE/EE 跨站请求伪造漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are both products of the American company GitLab. GitLab Enterprise Edition is a content management system. GitLab Community Edition is a community version of GitLab. Versions of GitLab CE/EE prior to 18.9.6, 18.10.4, and 18.11.1 had a...

PT-2026-34561

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

PowerDNS DNSdist 安全漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS, which offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a security vulnerability that stems from malicious backends capable of sending specially crafted UDP responses with query IDs differing...

Statamic 安全漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. There were security vulnerabilities in versions prior to Statamic 5.73.20 and 6.13.0, which stemmed from insufficient...

PT-2026-34437

Name of the Vulnerable Software and Affected Versions PowerDNS dnsdist versions 1.9.0 through 1.9.12 PowerDNS dnsdist versions 2.0.0 through 2.0.3 Description An unauthenticated remote attacker can cause a denial-of-service by sending a crafted DNSCrypt query. This action triggers a divide-by-zer...

Jellystat SQL注入漏洞

Jellystat is a free and open-source statistical application developed by Thegan Govender as an individual project. Versions of Jellystat prior to 1.1.10 contained a SQL injection vulnerability. This vulnerability stemmed from multiple API endpoints that constructed queries by directly inserting...

PT-2026-34596

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.5.0 Description A Stored DOM XSS Cross-Site Scripting issue exists in the backup module. An attacker can manipulate the filename field using an SQL file to inject a hidden XSS payload, potentially leading to full...

PT-2026-34239

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit...

PowerDNS DNSdist 安全漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS that offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a security vulnerability that stems from the ability of clients to trigger excessive memory allocation by generating a large number of...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013496)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013496 advisory. In the Linux kernel, the following vulnerability has been resolved: cifs: prevent bad output lengths in smb2ioctlqueryinfo When calling smb2ioctlqueryinfo with...

PowerDNS DNSdist 数字错误漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS, which offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a numerical error vulnerability; this vulnerability stems from the ability of clients to trigger a zero error by sending a specially...

PT-2026-34444

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A rogue backend can send a crafted UDP response with a query ID off by one relative to the maximum configured value. This triggers an out-of-bounds write, which ...

PowerDNS Authoritative Server 注入漏洞

The PowerDNS Authoritative Server is a DNS server developed by the Dutch company PowerDNS. There is an injection vulnerability in the PowerDNS Authoritative Server, which stems from incomplete escape sequences in LDAP queries when 8bit-dns is enabled, allowing users to query internal domain...

Linux Distros Unpatched Vulnerability : CVE-2026-33596

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed...

PT-2026-34609

Name of the Vulnerable Software and Affected Versions @nocobase/database versions prior to 2.0.39 Description An issue exists in the queryParentSQL function within the core database package where a recursive CTE query is constructed by joining nodeIds using string concatenation instead of...

PT-2026-34246

CVE-2026-6833 The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. https://t.co/t19jGHdUjW...

SQLi-Injection-Payloads

No d...

EUVD-2026-24569

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

CVE-2026-41062

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...

EUVD-2026-24541

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...