Lucene search

22 matches found

ATTACKERKB
added 2026/05/28 3:27 a.m. | 9 views

CVE-2026-5737

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrerurl values when the signature matches, combined with a...

CVSS 6.5 | AI score 5.9 | EPSS 0.00366
Exploits: 0 | References: 11

Vulnrichment
added 2026/05/28 3:27 a.m. | 8 views

CVE-2026-5737 Independent Analytics <= 2.14.9 - Unauthenticated Server-Side Request Forgery via Tracking Route

The Independent Analytics plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.14.9. This is due to a public tracking route at /wp-json/iawp/search that accepts attacker-controlled referrerurl values when the signature matches, combined with a...

CVSS 6.5 | AI score 5.9 | EPSS 0.00366
Exploits: 0 | References: 10

Patchstack
added 2026/02/18 8:16 a.m. | 6 views

WordPress ARForms plugin <= 1.5.8 - Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url vulnerability

Unauthenticated Stored Cross-Site Scripting via arf_http_referrer_url vulnerability discovered by drop in WordPress Plugin ARForms Form Builder versions <= 1.5.8...

CVSS 7.2 | AI score 5.5 | EPSS 0.00374
Exploits: 0 | References: 1 | Affected Software: 1

EUVD
added 2025/10/07 12:30 a.m. | 4 views

EUVD-2002-1628

Malware in sbrugna...

CVSS 5 | AI score 6.4 | EPSS 0.01532
Exploits: 0 | References: 5

OSV
added 2025/05/31 5:57 a.m. | 5 views

BIT-MOODLE-2024-33999 moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

CVSS 9.8 | AI score 6.7 | EPSS 0.00541
Exploits: 0 | References: 2

OSV
added 2024/05/31 8:15 p.m. | 13 views

CVE-2024-33999

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

CVSS 9.8 | AI score 7.1
Exploits: 0 | References: 1

NVD
added 2024/05/31 8:15 p.m. | 19 views

CVE-2024-33999

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

CVSS 9.8 | AI score 6.5 | EPSS 0.00541
Exploits: 0 | References: 1

UbuntuCve
added 2024/05/31 8:15 p.m. | 16 views

CVE-2024-33999

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

CVSS 9.8 | AI score 7.2 | EPSS 0.00541
Exploits: 0 | References: 2

Vulnrichment
added 2024/05/31 7:53 p.m. | 20 views

CVE-2024-33999 moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

AI score 6.8 | EPSS 0.00541
Exploits: 0 | References: 1

Cvelist
added 2024/05/31 7:53 p.m. | 30 views

CVE-2024-33999 moodle: unsafe direct use of $_SERVER['HTTP_REFERER'] in admin/tool/mfa/index.php

The referrer URL used by MFA required additional sanitizing, rather than being used directly...

AI score 6.4 | EPSS 0.00541
Exploits: 0 | References: 1

CNNVD
added 2024/01/11 12:0 a.m. | 4 views

WordPress Plugin Contact Form, Survey & Popup Form Security Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers. WordPress plugin is an application plugin. WordPress Plugin Contact Form, Survey & Pop...

CVSS 7.2 | AI score 6.1 | EPSS 0.00374
Exploits: 0 | References: 3

SUSE CVE
added 2023/02/15 4:21 a.m. | 4 views

SUSE CVE-2018-20483

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribut...

CVSS 6.2 | AI score 8.7 | EPSS 0.00659
Exploits: 1 | References: 6

OSV
added 2021/03/23 5:15 p.m. | 23 views

CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 7.5 | AI score 6.7
Exploits: 0 | References: 1

NVD
added 2021/03/23 5:15 p.m. | 15 views

CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 7.5 | EPSS 0.0119
Exploits: 0 | References: 1

Cvelist
added 2021/03/23 4:36 p.m. | 17 views

CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

AI score 7.7 | EPSS 0.0119
Exploits: 0 | References: 1

Veracode
added 2021/03/15 4:19 a.m. | 33 views

Cross-Site Scripting (XSS)

keycloak-theme is vulnerable to cross-site scripting (XSS). An attacker is able to inject and execute arbitrary JavaScript in a user's browser via the referrer URL in the new account console...

CVSS 7.5 | AI score 3.9 | EPSS 0.0119
Exploits: 0 | References: 2 | Affected Software: 1

RedhatCVE
added 2021/02/16 6:3 a.m. | 26 views

CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...

CVSS 8.3 | AI score 3.6 | EPSS 0.0119
Exploits: 0 | References: 3

OSV
added 2020/10/01 12:0 a.m. | 29 views

ASB-A-142125338

In generateInfo of PackageInstallerSession.java, there is a possible leak of cross-profile URI data during app installation due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for...

CVSS 5.5 | AI score 5.1 | EPSS 0.00149
Exploits: 0 | References: 2

RedHat Linux
added 2019/11/05 10:28 p.m. | 3 views

wget: Information exposure in set_file_metadata function in xattr.c

set_file_metadata in xattr.c in GNU Wget before 1.20.1 stores a file's origin URL in the user.xdg.origin.url metadata attribute of the extended attributes of the downloaded file, which allows local users to obtain sensitive information (e.g., credentials contained in the URL) by reading this attribut...

CVSS 7.8 | AI score 7.2 | EPSS 0.00659
Exploits: 1 | References: 5

Atlassian
added 2012/10/04 2:46 a.m. | 22 views

SQL injection in DefaultReferralManager

In confluence-core/confluence/src/java/com/atlassian/confluence/links/DefaultReferralManager.java, the deleteReferrersWithPrefix method of the DefaultReferralManager class is vulnerable to SQL injection through the user-controlled 'prefix' parameter. It is possible to exploit this issue as an Admin...

AI score 1.5
Exploits: 0