
EUVD
added 2026/02/27 10:23 p.m. · 3 views

EUVD-2026-9095

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, a stored XSS vulnerability in SVG and icon related components allows authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileg...

CVSS 8.7 · AI score 5.8 · EPSS 0.00013
Exploits 0 · References 3
Cvelist
added 2026/02/27 10:11 p.m. · 209 views

CVE-2026-28516 openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input...

CVSS 9.3 · EPSS 0.23836
Exploits 3 · References 7
CVE
added 2026/02/27 9:52 p.m. · 6 views

CVE-2026-28411

WeGIA Web Manager prior to version 3.6.5 is vulnerable to an authentication bypass via unsafe use of extract($_REQUEST). The issue allows an unauthenticated attacker to overwrite local variables across multiple PHP scripts, enabling unauthorized access to administrative and protected areas. remed...

CVSS 9.8 · AI score 6 · EPSS 0.00325
Exploits 1 · References 1 · Affected Software 1
Vulnrichment
added 2026/02/27 8:22 p.m. · 1 view

CVE-2026-28272 Kiteworks Email Protection Gateway has a Cross-site Scripting vulnerability

Kiteworks is a private data network (PDN). Prior to version 9.2.0, a vulnerability in Kiteworks Email Protection Gateway allows authenticated administrators to inject malicious scripts through a configuration interface. The stored script executes when users interact with the affected user interface...

CVSS 8.1 · AI score 5.9 · EPSS 0.00014
Exploits 0 · References 1
RedhatCVE
added 2026/02/27 7:44 p.m. · 4 views

CVE-2026-2244

A vulnerability in Google Cloud Vertex AI Workbench from 7/21/2025 to 01/30/2026 allows an attacker to exfiltrate valid Google Cloud access tokens of other users via abuse of a built-in startup script. All instances after January 30th, 2026 have been patched to protect from this vulnerability. No...

CVSS 8.4 · AI score 5.9 · EPSS 0.00063
Exploits 0 · References 1
EUVD
added 2026/02/27 12:31 p.m. · 4 views

EUVD-2024-55454

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper...

CVSS 6.5 · AI score 6.1 · EPSS 0.00071
Exploits 0 · References 4
SUSE Linux
added 2026/02/27 11:53 a.m. · 3 views

Security update for valkey

This update for valkey fixes the following issues: Update to version 8.0.7. Security issues fixed: CVE-2025-67733: data tampering and denial of service via improper null character handling in Lua scripts (bsc#1258746). CVE-2026-21863: denial of service via invalid cluster bus packet (bsc#1258788). Other...

CVSS 6.8 · AI score 6 · EPSS 0.00023
Exploits 0 · References 8
NVD
added 2026/02/27 10:16 a.m. · 5 views

CVE-2024-10938

The OVRI Payment plugin for WordPress contains malicious .htaccess files in version 1.7.0. The files contain directives to prevent the execution of certain scripts while allowing execution of known malicious PHP files. If moved outside of the plugin's directory, they may interfere with the proper...

CVSS 6.5 · EPSS 0.00071
Exploits 0 · References 3
Snyk
added 2026/02/27 3:21 a.m. · 2 views

Command Injection

Overview: Affected versions of this package are vulnerable to Command Injection in the osctrl-admin environment configuration. An attacker can execute arbitrary shell commands on every endpoint that enrolls using a compromised environment by injecting commands into the hostname parameter, which ar...

CVSS 8.4 · AI score 6.2 · EPSS 0.00025
Exploits 0 · References 2
CNNVD
added 2026/02/27 12:00 a.m. · 3 views

openDCIM Security Vulnerability

openDCIM is an open-source data center inventory management (DCIM) application. Version 23.04 of openDCIM contains a security vulnerability. This vulnerability stems from the lack of authorization checks in the install.php and container-install.php files, which may allow unauthorized application...

CVSS 9.3 · AI score 5.8 · EPSS 0.39836
Exploits 3 · References 9
Positive Technologies
added 2026/02/27 12:00 a.m. · 4 views

PT-2026-22425

Name of the Vulnerable Software and Affected Versions: openDCIM version 23.04 through commit 4467e9c4. Description: The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. This allows any authenticated user to access the functionality...

CVSS 9.3 · AI score 5.8 · EPSS 0.39836
Exploits 3 · References 18
Positive Technologies
added 2026/02/27 12:00 a.m. · 2 views

PT-2026-22319

The Simple Download Monitor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom field in all versions up to, and including, 4.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access...

CVSS 6.4 · AI score 6 · EPSS 0.00045
Exploits 0 · References 5
Positive Technologies
added 2026/02/27 12:00 a.m. · 2 views

PT-2026-22396

Name of the Vulnerable Software and Affected Versions: Kiteworks versions prior to 9.2.0. Description: Kiteworks Email Protection Gateway contains a flaw that allows authenticated administrators to inject malicious scripts through a configuration interface. These scripts execute when users interact...

CVSS 8.1 · AI score 6 · EPSS 0.00014
Exploits 0 · References 6
OSV
added 2026/02/26 11:2 p.m. · 3 views

CLSA-2026-1771855894 python-virtualenv: Fix of CVE-2024-53899

CVE-2024-53899: Quote template strings in activation scripts...

CVSS 8.4 · AI score 5.8 · EPSS 0.00226
Exploits 1 · References 1
ATTACKERKB
added 2026/02/26 10:59 p.m. · 1 view

CVE-2026-28279

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These...

CVSS 8.4 · AI score 8 · EPSS 0.00025
Exploits 0 · References 4 · Affected Software 1
Vulnrichment
added 2026/02/26 10:59 p.m. · 2 views

CVE-2026-28279 `osctrl-admin` Vulnerable to OS Command Injection via Environment Configuration

osctrl is an osquery management solution. Prior to version 0.5.0, an OS command injection vulnerability exists in the osctrl-admin environment configuration. An authenticated administrator can inject arbitrary shell commands via the hostname parameter when creating or editing environments. These...

CVSS 7.3 · AI score 6.7 · EPSS 0.00025
Exploits 0 · References 3
OSV
added 2026/02/26 8:43 p.m. · 3 views

RLSA-2026:3187 Important: grafana-pcp security update

The Grafana plugin for Performance Co-Pilot includes datasources for scalable time series from pmseries and Redis, live PCP metrics and bpftrace scripts from pmdabpftrace, as well as several dashboards. Security Fixes: golang: net/url: Memory exhaustion in query parameter parsing in net/url...

CVSS 7.5 · AI score 5.6 · EPSS 0.00045
Exploits 1 · References 3
CVE
added 2026/02/26 6:56 p.m. · 7 views

CVE-2026-27510

CVE-2026-27510 affects Unitree Go2 firmware 1.1.7–1.1.11 with the Go2 Android app (com.unitree.doggo2). The issue is remote code execution due to missing integrity protection and validation of user-created programs. The Android app stores programs in a local SQLite database (unitree_go2.db, table...

CVSS 9.6 · AI score 6.6 · EPSS 0.00136
Exploits 1 · References 3 · Affected Software 1
RedHat Linux
added 2026/02/26 3:21 p.m. · 6 views

Valkey: Data tampering and denial of service via improper null character handling in Lua scripts

A flaw was found in Valkey, a distributed key-value database. A malicious user can exploit this vulnerability by using scripting commands to inject arbitrary information into the response stream. This is caused by improper handling of null characters in the error handling code for Lua scripts...

CVSS 8.5 · AI score 5.9 · EPSS 0.00023
Exploits 0 · References 5