CVE-2026-7525
The CVE pertains to WordPress plugin My Calendar – Accessible Event Manager (versions ≤ 3.7.9). It describes an authorization bypass: authenticated users with custom-level access can tamper with the POST body (e.g., event_approved) to publish events or set statuses (cancelled, private) beyond the...
PT-2026-39216
Name of the Vulnerable Software and Affected Versions Postiz versions 2.21.6 through 2.21.6 Description Authenticated users with post creation privileges can store arbitrary HTML within post content by tampering with their save request. This content is then rendered on the main application origin...
CVE-2026-29933
A reflected cross-site scripting (XSS) vulnerability in the /index/login.html component of YZMCMS v7.4 allows attackers to execute arbitrary JavaScript in the context of the user's browser by modifying the Referer value in the request header...
Craft CMS: Entries Authorship Spoofing via Mass Assignment
Description The entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds or authorId parameter into the POST request, which the backend processes without verifying if the current user is authorized to assign...
GHSA-WRRR-8JCV-WJF5 LobeHub Vulnerable to Improper Authorization in Presigned Upload
Summary The file upload feature in Knowledge Base File Upload does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since lobechat.co...
CVE-2026-23835
LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in Knowledge Base File Upload does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitra...
PT-2025-41844
Name of the Vulnerable Software and Affected Versions SAP S/4HANA affected versions not specified Description An authenticated attacker with basic privileges can delete conditions from any shared rule of any user by manipulating the request parameter. This is due to a missing authorization check,...
EUVD-2015-8548
Malware in sbrugna...
RICOH Streamline NX Security Vulnerability
RICOH Streamline NX is document and print management software from RICOH Japan. A security vulnerability exists in RICOH Streamline NX versions 3.5.1 through 24R3 that stems from a man-in-the-middle attack in which an attacker changes the value of an HTTP request, which...
CVE-2025-55737
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...
CVE-2025-55737 flaskBlog arbitrary comment delete
flaskBlog is a blog app built with Flask. In 2.8.0 and earlier, when deleting a comment, there's no validation of the ownership of the comment. Every user can delete an arbitrary comment of another user on every post, by simply intercepting the delete request and changing the commentID. The code...
OESA-2025-1250 python-aiohttp security update
Async HTTP client/server framework for asyncio. Security Fixes: aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in aiohttp has numerous problems with header parsing, which could lead to request smuggling. This parser is only used when AIOHTTPNOEXTENSION...
undici: Undici Uses Insufficiently Random Values
A flaw was found in the undici package for Node.js. Undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests t...
CVE-2025-22150
A flaw was found in the undici package for Node.js. Undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If an app has a mechanism that sends multipart requests t...
CVE-2025-22150
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If...
CVE-2025-22150 Undici Uses Insufficiently Random Values
Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses Math.random to choose the boundary for a multipart/form-data request. It is known that the output of Math.random can be predicted if several of its generated values are known. If...
Debian dla-3900 : ruby-httparty - security update
The remote Debian 11 host has a package installed that is affected by a vulnerability as referenced in the dla-3900 advisory. Debian LTS Advisory DLA-3900-1 https://www.debian.org/lts/security/...
PT-2024-19270 · phpMyFAQ · phpMyFAQ
Name of the Vulnerable Software and Affected Versions: phpMyFAQ versions prior to 3.2.5 Description: The issue allows an attacker to spoof another user's details, making a compelling phishing pretext for removing another user's account. Although the front-end of the user removal page does not allow...