CVE-2026-6962

The Cost of Goods: Product Cost & Profit Calculator for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'algwccogproductcost' and 'algwccogproductprofit' shortcodes in all versions up to, and including, 4.1.0 due to insufficient input sanitization an...

SUSE CVE-2026-40016

Attacker can upload a malicious Sieve script over ManageSieve service or locally to bypass configured CPU time limits for Sieve up to 130 times of the configured limit. Attacker can use this to degrade server performance and bypass configured CPU time limits for Sieve scripts. Install fixed...

EUVD-2026-29878

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...

PT-2026-40623

Kuicms Php EE 2.0 contains a persistent cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting crafted content through the bbs reply endpoint. Attackers can send POST requests to /web/?c=bbs&a=reply with HTML and JavaScript payloads in t...

PT-2026-40566

Name of the Vulnerable Software and Affected Versions Hitachi Vantara Pentaho Data Integration & Analytics affected versions not specified Description The software contains a JDBC driver for H2 databases that allows external script execution. This occurs when a data source administrator creates a...

Hitachi Vantara Pentaho Data Integration and Analytics 安全漏洞

Hitachi Vantara Pentaho Data Integration and Analytics is a business intelligence dashboard designer developed by the American company Hitachi Vantara. There is a security vulnerability in Hitachi Vantara Pentaho Data Integration and Analytics, which stems from the JDBC driver of the H2 database,...

Next.js 跨站脚本漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.0.0 to 15.5.16, as well as versions before 16.2.5, have a cross-site scripting vulnerability. This vulnerability arises from the use of the beforeInteractive script when embedding trusted content, where the serialized...

PT-2026-40837

Name of the Vulnerable Software and Affected Versions Translate Drupal with GTranslate versions 0.0.0 through 3.0.4 Description A Modification of Assumed-Immutable Data MAID issue in the GTranslate module allows Resource Location Spoofing. The module's widget JavaScript fails to sufficiently...

📄 Espanso 2.3.0 Shell and Script Extension Arbitrary Command Execution

The Shell and Script extensions in Espanso version 2.3.0 allow arbitrary command execution. No restart required. Config changes take effect immediately. Exploit Title: Espanso v2.3.0 - Shell & Script Extension Arbitrary Command Execution RCE Date: 2026-05-13 Exploit Author: Chokri Hammedi Softwar...

PT-2026-40830

Name of the Vulnerable Software and Affected Versions OPNsense versions prior to 26.1.8 Description Unsanitized user input is passed to the DHCP configuration of the configured interface and subsequently processed by a shell script. This allows remote code execution as root on the underlying...

cPanel SQL注入漏洞

cPanel is a web-based automated hosting platform developed by cPanel Inc. This platform is primarily used for automating the management of websites and servers. cPanel has a SQL injection vulnerability, which stems from insufficient SQL query cleaning in the sqloptimizer tool script. If the slow...

CVE-2026-43680

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...

CVE-2026-43680

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...

CVE-2026-43680

A Remote Code Execution vulnerability in Claris FileMaker Cloud allowed a user with Admin Console privileges to bypass a front-end restriction on OS Script schedule types and execute arbitrary operating system commands on the underlying host. This issue is fixed in FileMaker Cloud 2.22.0.5...

CVE-2026-43680

CVE-2026-43680 describes a remote code execution in Claris FileMaker Cloud where an Admin Console user could bypass a front-end restriction on OS Script schedule types and run arbitrary OS commands on the host. Documented impact suggests total compromise with HIGH confidentiality, integrity, and ...

CVE-2026-44259

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml...

MAL-2026-3684 Malicious code in @gusmano/reext (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 498a21b60dcdfe236ea0b1683e1ec64aa091643b6ad562c3845757eed79660d8 The npm preinstall lifecycle script dist/scripts/preinstall.js, wired via package.json "preinstall": "node./dist/scripts/preinstall.js" reads the...

CVE-2026-44259

efw4.X is an Enterprise Framework for Web. Prior to 4.08.010, the previewServlet serves files with their detected MIME type based on file extension, without any content sanitization or security headers. Files with .html, .htm, or .svg extensions are served as text/html or image/svg+xml...

CVE-2026-31254

The flash-attention project thru commit e724e2588cbe754beb97cf7c011b5e7e34119e62 2025-13-04 contains a code injection vulnerability CWE-94 in its training script. The script registers the Python eval function as a Hydra configuration resolver under the name eval. This allows configuration files t...

CLSA-2026-1778616298 redis: Fix of 2 CVEs

CVE-2026-23631: use-after-free in readSyncBulkPayload when a full resync happens while a timed-out script is still running on the replica - CVE-2026-25243: heap corruption and out-of-bounds reads in the RESTORE command deserialization path rdb.c, sds.c, zipmap.c...