CVE-2026-6399

The General Options plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to and including 1.1.0. This is due to the use of sanitizetextfield for output escaping in the Contact Number adcontactnumber field — a function that strips HTML tags but does not encode...

Gearboxcomputers WifiHotSpot code-related vulnerabilities

Gearboxcomputers WifiHotSpot is a virtual router software developed by Gearboxcomputers. Version 1.0.0.0 of WifiHotSpot contains a code vulnerability. This vulnerability stems from the service path in WifiHotSpotService.exe that lacks quotation marks, which may lead to privilege escalation...

OESA-2026-1025 php security update

PHP is an HTML-embedded scripting language. PHP attempts to make it easy for developers to write dynamically generated web pages. PHP also offers built-in database integration for several commercial and non-commercial database management systems, so writing a database-enabled webpage with PHP is...

CVE-2025-67738

squid/cachemgr.cgi in Webmin before 2.600 does not properly quote arguments. This is relevant if Webmin's Squid module and its Cache Manager feature are available, and an untrusted party is able to authenticate to Webmin and has certain Cache Manager permissions the "cms" security option...

postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

A flaw was found in PostgreSQL. Due to improper neutralization of quoting syntax, affected versions potentially allow a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the affected function's result to constru...

UBUNTU-CVE-2024-9287

A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment "activation" scripts ie "source venv/bin/activate". This means that...

Important: less

Issue Overview: less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation als...

AZL-39933 CVE-2024-32487 affecting package less for versions less than 590-4

less through 653 allows OS command execution via a newline character in the name of a file, because quoting is mishandled in filename.c. Exploitation typically requires use with attacker-controlled file names, such as the files extracted from an untrusted archive. Exploitation also requires the...

Security Bulletin: An Eclipse Jetty vulnerability affects IBM Rational Functional Tester

Summary There are multiple vulnerabilities in Eclipse Jetty used by Rational Functional Tester. Rational Functional Tester has addressed the applicable CVEs. Vulnerability Details CVEID:CVE-2023-41900 DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to bypass security...

Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Eclipse Jetty

Summary Multiple vulnerabilities in Eclipse Jetty used by IBM InfoSphere Information Server were addressed. Vulnerability Details CVEID:CVE-2023-36479 DESCRIPTION: Eclipse Jetty could provide weaker than expected security, caused by an errant command quoting flaw in the...

Security Bulletin: IBM Sterling Connect:Direct Web Services is vulnerable to multiple vulnerabilities due to Eclipse Jetty

Summary IBM Sterling Connect:Direct Web Services uses Eclipse Jetty. Vulnerability Details CVEID:CVE-2023-41900 DESCRIPTION: Eclipse Jetty could allow a remote authenticated attacker to bypass security restrictions, caused by improper authentication validation when using the optional nested...

Diffy 安全漏洞

Diffy is a simple distinction in Ruby by Sam Goldstein, a personal developer. Diffy suffers from a security vulnerability that stems from the fact that the function that calls the diff utility in Diffy 3.4.1 does not properly handle double quotes in filenames when running in a Windows environment...

UBUNTU-CVE-2016-7405

The qstr method in the PDO driver in the ADOdb Library for PHP before 5.x before 5.20.7 might allow remote attackers to conduct SQL injection attacks via vectors related to incorrect quoting...

DEBIAN-CVE-2014-0476

The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option...

glibc: insufficient quoting in the locale command output

locale/programs/locale.c in locale in the GNU C Library aka glibc or libc6 before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function...