CVE-2026-1574 MyQtip – easy qTip2 <= 2.0.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The MyQtip – easy qTip2 plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's myqtip shortcode in all versions up to, and including, 2.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...

CVE-2026-30821 Flowise: Arbitrary File Upload via MIME Spoofing

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to version 3.0.13, the /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. While the server validates uploads based on th...

CVE-2026-1902 Hammas Calendar <= 1.5.11 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'apix' Shortcode Attribute

The Hammas Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode in all versions up to, and including, 1.5.11 due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-23856

A vulnerability has been found in Wavlink WL-NU516U1 240425. This vulnerability affects the function usb p910 of the file /cgi-bin/adm.cgi. Such manipulation of the argument Pr mode leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the...

PT-2026-23784

Name of the Vulnerable Software and Affected Versions XikeStor SKS8310-8X Network Switch versions prior to 1.04.B07 Description The XikeStor SKS8310-8X Network Switch firmware contains a stored cross-site scripting issue. Authenticated attackers can inject arbitrary script content through the...

MAL-2026-1277 Malicious code in prateek-yadav23 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 e73aa57c13235ec4d3bcf7aa6139bb5a1bdbade9d72ae81a20c291766b9ac7ab Packages that might be part of testing for pentesting / malicious activity / joy, with suspicious activity that does not present any real harm. --- Category:...

Flowise has Arbitrary File Upload via MIME Spoofing

Vulnerability Description --- Vulnerability Overview - The /api/v1/attachments/:chatflowId/:chatId endpoint is listed in WHITELISTURLS, allowing unauthenticated access to the file upload API. - While the server validates uploads based on the MIME types defined in...

MAL-2026-1275 Malicious code in hostlists-plugins-default (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 21b72625bb74661ae95d3317fe4384105bb6dd6d026b049f84a192aeeeeae9df Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

EUVD-2018-21633

Easyndexer 1.0 contains an arbitrary file download vulnerability that allows unauthenticated attackers to download sensitive files by manipulating the file parameter. Attackers can send POST requests to showtif.php with arbitrary file paths in the file parameter to retrieve system files like...

CVE-2018-25196

ServerZilla 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to reset.php with malicious email values containing SQL operators to bypass authenticati...

CVE-2018-25190

Easyndexer 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to create administrative accounts by submitting forged POST requests. Attackers can craft malicious web pages that submit POST requests to createuser.php with parameters including username,...

CVE-2018-25182

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to...

CVE-2018-25162

2-Plan Team 1.0.4 contains an arbitrary file upload vulnerability that allows authenticated attackers to upload executable PHP files by sending multipart form data to managefile.php. Attackers can upload PHP files through the userfile1 parameter with action=upload, which are stored in the files...

OESA-2026-1491 hsqldb security update

HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small about 100k, fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as...

OESA-2026-1489 hsqldb security update

HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small about 100k, fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as...

OESA-2026-1488 hsqldb security update

HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small about 100k, fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as...

OESA-2026-1487 hsqldb security update

HSQLdb is a relational database engine written in JavaTM , with a JDBC driver, supporting a subset of ANSI-92 SQL. It offers a small about 100k, fast database engine which offers both in memory and disk based tables. Embedded and server modes are available. Additionally, it includes tools such as...

CVE-2018-25182 Silurus Classifieds Script 2.0 SQL Injection via wcategory.php

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to...

CVE-2018-25182 Silurus Classifieds Script 2.0 SQL Injection via wcategory.php

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to...

CVE-2018-25182

Silurus Classifieds Script 2.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ID parameter. Attackers can send GET requests to wcategory.php with crafted SQL payloads in the ID parameter to...