Source: CNNVD (added 2026/03/26 12:00 a.m.)
HCL Aftermarket DPC security vulnerability

HCL Aftermarket DPC is a digital spare parts and aftermarket management platform from HCL India. HCL Aftermarket DPC suffers from a file upload vulnerability, which stems from the application not strictly verifying or filtering user-uploaded files, and can be exploited by an attacker to upload and...

CVSS 9.8, AI score 5.9, EPSS 0.00017. Exploits: 0. References: 1.

Source: Positive Technologies (added 2026/03/26 12:00 a.m.)
PT-2026-28334

Name of the vulnerable software and affected versions: Complianz – GDPR/CCPA Cookie Consent plugin for WordPress, versions prior to 7.4.4.3. Description: The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is susceptible to Stored Cross-Site Scripting. This occurs because the revert divs to...

CVSS 4.9, AI score 6, EPSS 0.00014. Exploits: 0. References: 7.

Source: AlpineLinux (added 2026/03/25 6:12 p.m.)
CVE-2026-1001

Domoticz versions prior to 2026.1 contain a stored cross-site scripting vulnerability in the Add Hardware and rename device functionality of the web interface that allows authenticated administrators to execute arbitrary scripts by supplying crafted names containing script or HTML markup. Attacke...

CVSS 4.8, AI score 6.3, EPSS 0.00076. Exploits: 0. References: 2.

Source: SUSE CVE (added 2026/03/25 12:26 a.m.)
SUSE CVE-2026-28279

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These...

CVSS 8.4, AI score 6.7, EPSS 0.00025. Exploits: 0. References: 3.

Source: CNNVD (added 2026/03/25 12:00 a.m.)
Domoticz cross-site scripting vulnerability

Domoticz is an open-source smart home system developed by Domoticz. The system supports monitoring and control of various smart home devices. Versions of Domoticz prior to 2026.1 contain a cross-site scripting vulnerability. The vulnerability stems from the web interface's...

CVSS 4.8, AI score 5.9, EPSS 0.00076. Exploits: 0. References: 3.

Source: RedhatCVE (added 2026/03/24 8:26 p.m.)
CVE-2026-23920

A flaw was found in Zabbix. Authenticated users can bypass input validation in host and event action scripts by injecting a newline character. This bypass occurs because the validation regex, which uses start-of-line ^ and end-of-line $ anchors, operates in multiline mode. Successful exploitation...

CVSS 7.7, AI score 5.9, EPSS 0.0007. Exploits: 0. References: 2.

Source: Vulnrichment (added 2026/03/24 6:27 p.m.)
CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVSS 7.7, AI score 5.8, EPSS 0.0007. Exploits: 0. References: 1.

Source: Cvelist (added 2026/03/24 6:27 p.m.)
CVE-2026-23920 Host and event action script regex validation can be bypassed in certain situations, leading to potential command injection

Host and event action script input is validated with a regex set by the administrator, but the validation runs in multiline mode. If ^ and $ anchors are used in user input validation, an injected newline lets authenticated users bypass the check and inject shell commands...

CVSS 7.7, EPSS 0.0007. Exploits: 0. References: 1.

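The three CVE-2026-23920 entries above describe one mechanism: input is checked against an administrator-chosen regex whose ^ and $ anchors, in multiline mode, also match at embedded line breaks, so a value whose first line is clean passes no matter what follows the newline. The Python below is an added illustration and not Zabbix code (Zabbix's frontend is PHP, where the equivalent is PCRE's `m` modifier; the semantics are the same). It shows the multiline bypass, the separate quirk that a plain `$` also accepts one trailing newline, and a strict check that rejects line breaks and requires the pattern to cover the whole input. The allowlist pattern and the payload are constructed assumptions.

```python
import re
from typing import List

# Constructed allowlist pattern standing in for an administrator-configured
# validation regex (an assumption; the real pattern is whatever the admin set).
PATTERN = r"^[A-Za-z0-9._-]+$"


def validate_multiline(value: str, pattern: str = PATTERN) -> bool:
    """Vulnerable form: with MULTILINE, ^ and $ also match at embedded line
    breaks, so a clean first line makes the whole value pass."""
    return re.search(pattern, value, re.MULTILINE) is not None


def validate_singleline_dollar(value: str, pattern: str = PATTERN) -> bool:
    """Not MULTILINE, but still using ^...$: $ also matches just before a
    final newline, so 'host1\\n' passes although the allowlist has no newline."""
    return re.search(pattern, value) is not None


def validate_strict(value: str, pattern: str = PATTERN) -> bool:
    """Hardened form: no line breaks at all, and the pattern must cover the
    entire string (fullmatch anchors at the real start and end of the input)."""
    if "\n" in value or "\r" in value:
        return False
    return re.fullmatch(pattern, value) is not None


def shell_commands_seen(value: str) -> List[str]:
    """How a POSIX shell splits the value once it is interpolated into a
    command line: every line break is a command separator, so the second
    line runs as its own command."""
    return [line for line in value.splitlines() if line.strip()]


if __name__ == "__main__":
    payload = "host1\n; cat /etc/passwd"  # constructed attacker value
    print("multiline check passes:", validate_multiline(payload))
    print("single-line $ check passes:", validate_singleline_dollar(payload))
    print("single-line $ accepts trailing newline:", validate_singleline_dollar("host1\n"))
    print("strict check passes:", validate_strict(payload))
    print("shell would run:", shell_commands_seen(payload))
```

The strict variant is the fix pattern to look for when reviewing regex allowlists: reject CR and LF explicitly, then use a whole-string match (`fullmatch` here, `\A...\z` in PCRE) rather than relying on ^ and $ whose meaning changes with flags.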
Source: OSV (added 2026/03/24 4:33 p.m.)
GHSA-GMFG-3V4Q-9QR4 Authelia: Improper Neutralization of Input During Web Page Generation Leads to Potential Cross-site Scripting

Impact. Official weighted severity rating: Low. This exploit is very unlikely to apply to most users, as it requires configuration of the Content Security Policy template value. Below is a safe value; any value other than unconfigured should be very carefully evaluated regardles...

CVSS 2.1, AI score 5.9, EPSS 0.0002. Exploits: 1. References: 3.

Source: Cvelist (added 2026/03/24 11:27 a.m.)
CVE-2019-25630 PhreeBooks ERP 5.2.3 Arbitrary File Upload via Image Manager

PhreeBooks ERP 5.2.3 contains an arbitrary file upload vulnerability in the Image Manager component that allows authenticated attackers to upload malicious files by submitting requests to the image upload endpoint. Attackers can upload PHP files through the imgFile parameter to the...

CVSS 8.8, EPSS 0.003. Exploits: 1. References: 4.

Source: EUVD (added 2026/03/24 12:30 a.m.)
EUVD-2026-14580

OpenClaw before 2026.3.2 contains a semantic drift vulnerability in node system.run approval hardening that rewrites wrapper command argv, allowing execution of unintended local scripts. Attackers who can influence wrapper argv and place malicious files in the approved working directory can execu...

CVSS 5.4, AI score 6.2. Exploits: 0. References: 4.

Source: EUVD (added 2026/03/24 12:30 a.m.)
EUVD-2026-14597

OpenClaw versions from 2026.2.26 before 2026.3.1 contain a current working directory injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows shell execution fallback. Attackers can manipulate the current working directory to alter wrapper resolution behavior and achieve...

CVSS 5.8, AI score 6. Exploits: 0. References: 3.

Source: CNNVD (added 2026/03/24 12:00 a.m.)
orpc cross-site scripting vulnerability

Orpc is an open-source RPC and OpenAPI integration framework developed by MiddleAPI. Versions of Orpc prior to 1.13.9 contain a cross-site scripting vulnerability. The vulnerability stems from the OpenAPI documentation generation process, in which stored script content is included in the generated documentation. This could...

CVSS 8.2, AI score 5.9, EPSS 0.00018. Exploits: 1. References: 3.

Source: Positive Technologies (added 2026/03/24 12:00 a.m.)
PT-2026-27381

PhreeBooks ERP 5.2.3 contains a remote code execution vulnerability in the image manager that allows authenticated attackers to upload and execute arbitrary PHP files by bypassing file extension controls. Attackers can upload malicious PHP files through the image manager endpoint and execute them...

CVSS 8.8, AI score 6.7, EPSS 0.00338. Exploits: 1. References: 5.

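Three entries on this page (HCL Aftermarket DPC, and the two PhreeBooks image manager entries, CVE-2019-25630 and PT-2026-27381) are upload bugs in which the extension or content check is weak enough to let a PHP file through. The Python below is an added example and is not code from either project; it contrasts a weak check of the kind such bugs rely on with a server-side check that ignores the client-supplied name and Content-Type, allowlists the final extension, rejects inner script extensions, path traversal and null bytes, verifies the file's magic bytes, and stores the upload under a random name. The extension lists, magic bytes and the shape of the weak check are assumptions made for the illustration.

```python
import posixpath
import secrets
from typing import Optional

# Magic bytes for the image types the (hypothetical) image manager accepts.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions a web server may hand to a script interpreter. Some servers match
# handlers on inner extensions too (shell.php.jpg), so none may appear anywhere.
SCRIPT_EXTS = {"php", "phtml", "php3", "php5", "phar", "jsp", "asp", "aspx", "cgi", "pl", "py", "sh"}


def naive_upload_check(filename: str, content_type: str) -> bool:
    """Weak check, constructed for illustration: trusts the client Content-Type
    and only requires an image extension to appear somewhere in the name."""
    name = filename.lower()
    return content_type.startswith("image/") and any(ext in name for ext in IMAGE_MAGIC)


def hardened_upload_check(filename: str, data: bytes) -> Optional[str]:
    """Return a server-chosen storage name if the upload is acceptable, else None.

    Decisions rest on the file's bytes and an allowlisted final extension, never
    on the client name or Content-Type, and the client name is never stored.
    """
    # Null bytes are a classic way to truncate the name at a later layer.
    if "\x00" in filename:
        return None
    # Only a bare file name is acceptable (no traversal, no drive letters).
    base = posixpath.basename(filename.replace("\\", "/"))
    if base != filename or base in ("", ".", ".."):
        return None
    parts = base.lower().split(".")
    if len(parts) < 2:
        return None
    ext = parts[-1]
    if ext not in IMAGE_MAGIC:
        return None
    # shell.php.png: final extension allowed, inner script extension not.
    if any(p in SCRIPT_EXTS for p in parts[:-1]):
        return None
    # The content must really be the claimed image type.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return None
    # Heuristic polyglot guard: a valid image header does not stop the body
    # carrying PHP. Defense in depth only; see the usage note.
    if b"<?php" in data:
        return None
    # Random server-side name: the attacker never controls what is written.
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    print(naive_upload_check("shell.php.jpg", "image/jpeg"))      # weak check passes
    print(hardened_upload_check("shell.php.jpg", b"<?php phpinfo();"))  # None
    print(hardened_upload_check("logo.png", png))                 # random name .png
```

The name and magic-byte checks close the bypasses the entries describe, but the control that makes any remaining polyglot moot is storing uploads outside the document root, or serving them from a location with no script handler and a fixed `Content-Type`; the `<?php` scan is a heuristic, not a substitute for that.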
Source: Positive Technologies (added 2026/03/24 12:00 a.m.)
PT-2026-27623

Name of the vulnerable software and affected versions: Authelia versions 4.39.15. Description: Authelia is an open-source authentication and authorization server. An attacker may potentially be able to inject JavaScript into the Authelia login page if specific conditions are met, including...

CVSS 2.1, AI score 6, EPSS 0.0002. Exploits: 1. References: 4.

Source: CVE (added 2026/03/23 9:36 p.m.)
CVE-2026-32901

Affected software: OpenClaw prior to version 2026.3.2. Vulnerability type: semantic drift in node system.run approval hardening that rewrites wrapper argv, enabling execution of unintended local scripts when an attacker can influence argv and place malicious files in the approved working director...

AI score 6.2. Exploits: 0.

Source: RedHat Linux (added 2026/03/23 5:49 p.m.)
Valkey: Data tampering and denial of service via improper null character handling in Lua scripts

A flaw was found in Valkey, a distributed key-value database. A malicious user can exploit this vulnerability by using scripting commands to inject arbitrary information into the response stream. This is caused by improper handling of null characters in the error handling code for Lua scripts...

CVSS 8.5, AI score 6, EPSS 0.00023. Exploits: 0. References: 5.

Source: SUSE Linux (added 2026/03/23 4:46 p.m.)
Security update for strongswan

This update for strongswan fixes the following issues:
- CVE-2026-25075: Fixed integer underflow when handling EAP-TTLS AVP (bsc1259472).
Other bug fixes:
- Fix rpm scripts to not break swanctl.conf use (bsc1256442).
- Guard rpm migration scripts migrating strongswan.service using ipsec.conf on less than...

CVSS 8.2, AI score 5.8, EPSS 0.00248. Exploits: 2. References: 6.

Source: OSV (added 2026/03/23 4:46 p.m.)
SUSE-SU-2026:0978-1 Security update for strongswan

This update for strongswan fixes the following issues:
- CVE-2026-25075: Fixed integer underflow when handling EAP-TTLS AVP (bsc1259472).
Other bug fixes:
- Fix rpm scripts to not break swanctl.conf use (bsc1256442).
- Guard rpm migration scripts migrating strongswan.service using ipsec.conf on less tha...

CVSS 8.7, AI score 5.8, EPSS 0.00248. Exploits: 2. References: 4.

Source: EUVD (added 2026/03/22 6:30 a.m.)
EUVD-2026-14273

The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the jsonText block attribute in all versions up to, and including, 27.1.1 due to insufficient input sanitization and output escaping. This makes it possib...

CVSS 6.4, AI score 6, EPSS 0.00048. Exploits: 0. References: 6.