1400 matches found
Team WordPress Plugin (TLP Team) <= 5.0.9 - SQL Injection
Team WordPress plugin = 5.0.11 contains a SQL injection caused by improper sanitization and escaping of a parameter in an AJAX action accessible to unauthenticated users, letting remote attackers execute arbitrary SQL commands. id: CVE-2025-14124 info: name: Team WordPress Plugin TLP Team = 5.0.9...
IBM BigFix Platform - Information Disclosure
IBM BigFix Platform 9.2 and 9.5 contains an information disclosure vulnerability caused by not enabling authenticated access in relay, letting remote attackers query and gather update and fixlet information, exploit requires no authentication. id: CVE-2019-4061 info: name: IBM BigFix Platform -...
Adobe ColdFusion - RDS Arbitrary File Write
ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability that could lead to arbitrary code execution in the context of the current user. The RDS FILEIO WRITE operation allows unauthenticated...
Malicious code in pipspeed (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b1037d713fe94f92e9f1302a1c8fdfcd03ee290e1f2076e7c01cbd1305499e91 The package's advertised public entry point pipspeed.optimize GETs a JSON document from https://www.jsonkeeper.com/b/53XMN an anonymous, mutable past...
Malicious code in fastify-addone (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21b9e477cff478ab071039c18c3adb6577a07cc1d82687b9e7d7cd2594dc9ddf The package presents itself as fastify-plugin name fastify-addone, repository/homepage/bugs fields point at fastify/fastify-plugin and copies that...
CVE-2026-54753
A flaw was found in Nx, a monorepo solution for managing multiple projects. The local HTTP server, started by the nx graph command, incorrectly sent an Access-Control-Allow-Origin: header in its responses. This misconfiguration allows a remote attacker to read sensitive project information, such ...
Malicious code in next-locomotive-init (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a11400eaa7dd74b24610ec815438de047089be7005b94c37717fa2b6f916ab6 The package's declared postinstall script reads the installer's OS username via os.userInfo.username and the machine hostname via os.hostname, compos...
CVE-2026-58371
A flaw was found in SeaweedFS. This vulnerability allows a remote attacker to disclose sensitive information by exploiting an unvalidated JSONP JavaScript Object Notation with Padding callback parameter. The system reflects the callback parameter directly into responses without proper validation ...
PT-2026-56195
Name of the Vulnerable Software and Affected Versions Django versions 6.0 through 6.0.6 Django versions 5.2 through 5.2.15 Description UpdateCacheMiddleware and the cache page decorator cache responses that vary on cookies when the incoming request contains unrelated cookies. This behavior allows...
EUVD-2026-40740
Insufficient policy enforcement in Extensions in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...
CVE-2026-14118
Chrome DevTools in Google Chrome suffers from insufficient data validation , allowing a remote attacker to leak cross-origin data if a user is coerced into specific UI gestures on a crafted HTML page. Affected versions are prior to 150.0.7871.47 . Mitigation: upgrade to 150.0.7871.47 or later. CV...
CVE-2026-14071
CVE-2026-14071 describes a side-channel information leakage in WebAudio of Google Chrome, where a remote attacker could leak cross-origin data via a crafted HTML page. The vulnerability affects Chrome prior to version 150.0.7871.47. The available connected documents consistently indicate the issu...
CVE-2026-14050
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-14050.
CVE-2026-13935
Side-channel information leakage in ComputePressure in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to leak cross-origin data via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-13892
CVE-2026-13892 concerns Chrome for iOS before version 150.0.7871.47, where an inappropriate implementation allowed a remote attacker who lured a user into specific UI gestures to leak cross-origin data via a crafted HTML page. The issue affects Chrome on iOS (Chromium-based) and has a Medium seve...
CVE-2026-11595
CVE-2026-11595 affects IBM WebSphere Application Server 9.0 and 8.5. The IBM Security Bulletin describes a path traversal vulnerability in the administrative console’s integrated help system that could allow a remote attacker to obtain sensitive information. Affected products/versions include Web...
CVE-2026-37453
MSI Center’s NBFoundation Service (MSIAPService.exe) has CVE-2026-37453: an insecure named pipe (\.\pipe\MSI_SERVICE_2) exposed to all authenticated users that allows untrusted clients to perform arbitrary memory and I/O-port read/write via the WinIO wrapper. Root cause is unauthenticated access ...
MAL-2026-6405 Malicious code in sypoi1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b22a9450e70ba1095097d2779ad6da01c111c37e940d890fbfc21d1aeb6a0f11 On require, index.js silently bootstraps a full Python runtime on the installer's machine — first via winget install -e --id Python.Python.3.12...
CVE-2026-50519
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network...
Astra Linux – Vulnerability in Linux 5.15
In the Linux kernel, the following vulnerabilities have been resolved: - net: 9p: fixed a refcount leak in error handling of p9readwork. - p9reqput must be called when m-rreq-rc.sdata is NULL to avoid a temporary refcount leak. Dominique: made changes to the commit message, fixed arguments for...