106398 matches found

Positive Technologies
added 2026/04/17 12:00 a.m., 1 view

PT-2026-33445

Name of the Vulnerable Software and Affected Versions Dell PowerProtect Data Domain with Data Domain Operating System versions 7.7.1.0 through 8.5 Dell PowerProtect Data Domain with Data Domain Operating System versions 8.3.1.0 through 8.3.1.20 Dell PowerProtect Data Domain with Data Domain...

CVSS 5.9, AI score 5.8, EPSS 0.0001
Exploits 0, References 4
CNNVD
added 2026/04/17 12:00 a.m., 6 views

WordPress plugin Pz-LinkCard security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

CVSS 6.4, AI score 5.9, EPSS 0.00013
Exploits 0, References 2
Packet Storm News
added 2026/04/17 12:00 a.m., 4 views

Eclipse Che Machine-Exec WebSocket Service Exposure Detector

This Python script is a lightweight security detection tool designed to identify potentially exposed or misconfigured machine-exec WebSocket services associated with Eclipse Che running on port 3333...

AI score 5.8
Exploits 0
Positive Technologies
added 2026/04/17 12:00 a.m., 1 view

PT-2026-33453

Name of the Vulnerable Software and Affected Versions QueryMine sms versions up to 7ab5a9ea196209611134525ffc18de25c57d9593 Description A SQL injection flaw exists in the GET Request Parameter Handler component within the 'admin/deletecourse.php' file. A remote attacker can trigger this issue by...

CVSS 7.5, AI score 7.2, EPSS 0.00013
Exploits 0, References 8
CNNVD
added 2026/04/17 12:00 a.m., 5 views

Dell PowerProtect Data Domain security vulnerability

The Dell PowerProtect Data Domain is a data protection-specific storage device designed for efficient backup, archiving and disaster recovery. A cross-site scripting vulnerability exists in Dell PowerProtect Data Domain. The vulnerability stems from a failure to properly handle user input and can...

CVSS 5.9, AI score 5.7, EPSS 0.0001
Exploits 0, References 1
VulnCheck KEV
added 2026/04/17 12:00 a.m., 11 views

VulnCheck KEV: CVE-2026-5231

The WP Statistics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'utmsource' parameter in all versions up to, and including, 14.16.4. This is due to insufficient input sanitization and output escaping. The plugin's referral parser copies the raw utmsource value into the...

CVSS 7.2, AI score 5.9, EPSS 0.00045
Exploited in the wild; Exploits 0, References 2
CNNVD
added 2026/04/17 12:00 a.m., 4 views

Note Mark security vulnerability

Note Mark is a web-based Markdown note-taking application developed by Leo Spratt. Versions of Note Mark prior to 0.19.1 contained security vulnerabilities. These vulnerabilities stemmed from the asset delivery handler’s inline handling of uploaded files and its reliance on magic bytes to detect...

CVSS 8.7, AI score 5.8, EPSS 0.00012
Exploits 0, References 2
Positive Technologies
added 2026/04/17 12:00 a.m., 1 view

PT-2026-33395

Name of the Vulnerable Software and Affected Versions WP Statistics versions prior to 14.16.5 Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and output escaping. The referral parser copies the raw value of the 'utm source' parameter into the source name fiel...

CVSS 7.2, AI score 6, EPSS 0.00045
Exploits 0, References 13
CNNVD
added 2026/04/17 12:00 a.m., 5 views

WordPress plugin VideoZen security vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 4.4, AI score 6, EPSS 0.00043
Exploits 0, References 2
Packet Storm News
added 2026/04/17 12:00 a.m., 3 views

GLPI 10.0.18 Log Exposure Probe Script Directory Leak Detection

This Python script is designed to assess a GLPI application for potential information disclosure vulnerabilities, specifically focusing on exposed log files and sensitive directories...

AI score 5.8
Exploits 0
Vaadin
added 2026/04/17 12:00 a.m., 8 views

Vaadin Flow and the axios npm supply-chain compromise

On March 31, 2026, compromised versions of the popular axios HTTP client library 1.14.1 and 0.30.4 were published to NPM via a hijacked maintainer account. The malicious versions injected [email protected], a cross-platform RAT dropper that connected to a command-and-control server. The...

AI score 5.8
Exploits 0, References 1
OSV
added 2026/04/16 9:19 p.m., 0 views

GHSA-GJ9Q-8W99-MP8J OpenClaw: TOCTOU read in exec script preflight

Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check...

CVSS 2.1, AI score 6, EPSS 0.00013
Exploits 0, References 4
Snyk
added 2026/04/16 9:19 p.m., 5 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the validateScriptFileForShellBleed function. An attacker can cause the preflight analysis to inspect a different file than the one tha...

CVSS 2.9, AI score 5.8, EPSS 0.00013
Exploits 0, References 2
Github Security Blog
added 2026/04/16 9:19 p.m., 3 views

OpenClaw: TOCTOU read in exec script preflight

Summary OpenClaw's exec script preflight validator previously validated and then read a script by mutable pathname. A local race could swap the path between validation and read, causing preflight analysis to inspect a different file identity than the one that passed the workspace boundary check...

CVSS 2.5, AI score 6, EPSS 0.00013
Exploits 0, References 4, Affected software 1
OSV
added 2026/04/16 9:08 p.m., 2 views

GHSA-4FXQ-2X3X-6XQX zrok: Reflected XSS in GitHub OAuth callback via unsanitized refreshInterval error rendering

Summary The proxyUi template engine uses Go's text/template which performs no HTML escaping instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...

CVSS 6.1, AI score 5.9, EPSS 0.00012
Exploits 0, References 4
Github Security Blog
added 2026/04/16 8:42 p.m., 4 views

ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context

Summary The @apostrophecms/color-field module bypasses color validation for values prefixed with -- (intended for CSS custom properties), but performs no HTML sanitization on these values. When styles containing attacker-controlled color values are rendered into style tags, both in the global stylesheet...

CVSS 5.4, AI score 6.1, EPSS 0.00014
Exploits 1, References 4, Affected software 1
Hacker One
added 2026/04/16 7:50 p.m., 8 views

Revive Adserver: Banner status override by advertiser‑level users

A vulnerability was reported in Revive Adserver 6.0.6 and earlier, which allowed an advertiser-level user to activate or deactivate a banner without proper permissions. The issue was caused by the banner-edit.php script, which allowed the banner status to be overwritten solely based on banner edi...

AI score 5.8
Exploits 0
RedhatCVE
added 2026/04/16 7:22 p.m., 2 views

CVE-2026-6293

The Inquiry Form to Posts or Pages plugin for WordPress is vulnerable to Cross-Site Request Forgery leading to Stored Cross-Site Scripting in version 1.0. This is due to missing nonce validation on the plugin settings update handler, combined with insufficient input sanitization on all...

CVSS 4.3, AI score 5.9, EPSS 0.0001
Exploits 0, References 1
Microsoft Secure
added 2026/04/16 3:00 p.m., 6 views

Dissecting Sapphire Sleet’s macOS intrusion from lure to compromise

Executive summary: Microsoft Threat Intelligence uncovered a macOS-focused cyber campaign by the North Kore...

AI score 6.3
Exploits 0