PT-2026-23920

A vulnerability was detected in code-projects Simple Flight Ticket Booking System 1.0. Affected is an unknown function of the file /Adminupdate.php. The manipulation of the argument flightno/airplaneid/departure/dtime/arrival/atime/ec/ep/bc/bp results in sql injection. The attack can be executed...

Wavlink WL-WN579X3-C 安全漏洞

Wavlink WL-WN579X3-C is a wireless network extender produced by Wavlink Corporation. The Wavlink WL-WN579X3-C 231124 version contains a security vulnerability. This vulnerability arises from incorrect handling of the parameter “delflag” in the file /cgi-bin/firewall.cgi, which may lead to a stack...

nab_script_exploit

No d...

CVE-2026-29780

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows...

CVE-2026-29780

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows...

CVE-2026-29780

Summary: CVE-2026-29780 affects the Python eml_parser library. The vulnerability resides in the official example script (examples/recursively_extract_attachments.py), where attachment filenames are used directly to build output paths without sanitization, enabling an attacker-controlled filename ...

CVE-2026-29780 eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows...

CVE-2026-29780 eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows...

CVE-2026-29780 eml_parser: Path Traversal in Official Example Script Leading to Arbitrary File Write

emlparser serves as a python module for parsing eml files and returning various information found in the e-mail as well as computed information. Prior to version 2.0.1, the official example script examples/recursivelyextractattachments.py contains a path traversal vulnerability that allows...

EUVD-2026-10134

The Infomaniak Connect for OpenID plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'endpointlogin' parameter of the infomaniakconnectgenericauthurl shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping. This makes...

Malicious code in chat-xdk (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e1f6d17089af4d8a0d8ab4b5ab9398a250b54d8d605c178080a7f275a6ab4687 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CVE-2026-1569

The Wueen plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wueen-blocket shortcode in all versions up to, and including, 0.2.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2025-59540

Chamilo is a learning management system. Prior to version 1.11.34, a stored XSS vulnerability exists in Chamilo LMS that allows a staff account to execute arbitrary JavaScript in the browser of higher-privileged admin users. The issue arises because feedback input in the exercise history page is...

CVE-2026-2830

The WP All Import – Drag & Drop Import for CSV, XML, Excel & Google Sheets plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘filepath’ parameter in all versions up to, and including, 4.0.0 due to insufficient input sanitization and output escaping. This makes it possib...

CVE-2026-1825 Show YouTube video <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute

The Show YouTube video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'syv' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-1805 DA Media GigList <= 1.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'list_title' Shortcode Attribute

The DA Media GigList plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's damediagiglist shortcode in all versions up to, and including, 1.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

CVE-2026-1574 MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's myqtip shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-30821 Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVE-2026-1902 Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-23856

A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the...