
16 matches found

RedhatCVE · added 2 days ago

CVE-2026-45551

Group-Office is an enterprise customer relationship management and groupware tool. Prior to 26.0.25, 25.0.100, and 6.8.165, GroupOffice allows authenticated users to persist arbitrary legacy settings for any userid via index.php?r=core/saveSetting. A separate client-side sink in the email module...

CVSS 5.1 · AI score 5.6 · EPSS 0.00048
Exploits 0 · References 1
OSV · added 2026/05/05 6:33 p.m.

GHSA-7H2M-M8VJ-598H Django Uses Persistent Cookies Containing Sensitive Information

An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

CVSS 2.3 · AI score 5.8 · EPSS 0.00045
Exploits 0 · References 6
NVD · added 2026/04/08 7:24 p.m.

CVE-2026-0811

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers to...

CVSS 5.4 · EPSS 0.00014
Exploits 0 · References 3
Positive Technologies · added 2026/04/08 12:00 a.m.

PT-2026-31389

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.9. This is due to missing or incorrect nonce validation on the 'vsz_cf7_save_setting_callback' function. This makes it possible for unauthenticated attackers t...

CVSS 5.4 · AI score 5.8 · EPSS 0.00014
Exploits 0 · References 3
OSV · added 2025/02/18 6:15 a.m.

CVE-2024-13315

The Shopwarden – Automated WooCommerce monitoring & testing plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.11. This is due to missing or incorrect nonce validation on the save_setting function. This makes it possible for unauthenticated...

CVSS 8.8 · AI score 5.7 · EPSS 0.00111
Exploits 0 · References 3
Positive Technologies · added 2024/08/03 12:00 a.m.

PT-2024-38037 · WordPress · File Manager Pro – Filester

Name of the Vulnerable Software and Affected Versions: File Manager Pro – Filester plugin for WordPress versions up to, and including, 1.8.2
Description: The issue allows authenticated attackers with granted permissions by an Administrator to update plugin settings for user role restrictions. Thi...

CVSS 8.8 · AI score 7 · EPSS 0.00735
Exploits 0 · References 8
OSV · added 2024/07/28 11:15 p.m.

CVE-2024-7172

A vulnerability classified as critical was found in TOTOLINK A3600R 4.1.2cu.5182_B20201102. Affected by this vulnerability is the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument http_host leads to buffer overflow. The attack can be...

CVSS 8.8 · AI score 6
Exploits 0 · References 4
OSV · added 2024/07/28 11:15 a.m.

CVE-2024-7157

A vulnerability was found in TOTOLINK A3100R 4.1.2cu.5050_B20200504. It has been classified as critical. This affects the function getSaveConfig of the file /cgi-bin/cstecgi.cgi?action=save&setting. The manipulation of the argument http_host leads to buffer overflow. It is possible to initiate the...

CVSS 8.8 · AI score 6 · EPSS 0.07575
Exploits 1 · References 4
Positive Technologies · added 2024/07/28 12:00 a.m.

PT-2024-38134 · Totolink · Totolink A3600R

Name of the Vulnerable Software and Affected Versions: TOTOLINK A3600R version 4.1.2cu.5182_B20201102
Description: A critical vulnerability was found in the getSaveConfig function of the /cgi-bin/cstecgi.cgi?action=save&setting file. The manipulation of the http_host argument leads to a buffer...

CVSS 9 · AI score 8.8 · EPSS 0.00296
Exploits 1 · References 8
OSV · added 2024/06/08 5:15 a.m.

CVE-2024-5770

The WP Force SSL & HTTPS SSL Redirect plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'ajax_save_setting' function in versions up to, and including, 1.66. This makes it possible for authenticated attackers, subscriber-level permission...

CVSS 4.3 · AI score 5.8 · EPSS 0.00072
Exploits 0 · References 4
Positive Technologies · added 2024/06/07 12:00 a.m.

PT-2024-37136 · WordPress · Wp Force Ssl & Https Ssl Redirect

Name of the Vulnerable Software and Affected Versions: WP Force SSL & HTTPS SSL Redirect plugin for WordPress versions up to, and including, 1.66
Description: The issue is related to unauthorized modification of data due to a missing capability check on the ajax_save_setting function. This allows...

CVSS 4.3 · AI score 6.7 · EPSS 0.00072
Exploits 0 · References 11
OSV · added 2023/11/15 6:15 a.m.

CVE-2023-40923

MyPrestaModules ordersexport before v5.0 was discovered to contain multiple SQL injection vulnerabilities at send.php via the key and save_setting parameters...

CVSS 8.8 · AI score 5.8
Exploits 0 · References 1
ATTACKERKB · added 2023/11/15 6:15 a.m.

CVE-2023-40923

MyPrestaModules ordersexport before v5.0 was discovered to contain multiple SQL injection vulnerabilities at send.php via the key and save_setting parameters...

CVSS 8.8 · AI score 5.8 · EPSS 0.00069
Exploits 0 · References 2
Hacker One · added 2020/07/12 6:07 p.m.

DuckDuckGo: DOM XSS on duckduckgo.com search

Hey there, there is a DOM XSS vulnerability on the https://duckduckgo.com/ search result page through the kp and kae parameters of the Cloud Save feature. POC URL:...

AI score 0.6
Exploits 0
Prion · added 2017/01/30 10:59 p.m.

Design/Logic Flaw

ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) host or (2) apikey parameter in a register action, (3) enable parameter ...

CVSS 6.5 · AI score 7.8 · EPSS 0.03015
Exploits 1 · References 2 · Affected Software 1
OSV · added 2017/01/30 10:59 p.m.

CVE-2016-6266

ccca_ajaxhandler.php in Trend Micro Smart Protection Server 2.5 before build 2200, 2.6 before build 2106, and 3.0 before build 1330 allows remote authenticated users to execute arbitrary commands via shell metacharacters in the (1) host or (2) apikey parameter in a register action, (3) enable parameter ...

CVSS 8.8 · AI score 6 · EPSS 0.03015
Exploits 1 · References 2