1398902 matches found
GHSA-RWW4-4W9C-7733 vulnerabilities
Vulnerabilities for packages: mcp-atlassian...
CVE-2026-9147
creationtimestamp| type| source ---|---|--- 2026-07-18 13:30:27+00:00| seen| https://infosec.exchange/users/offseq/statuses/116941221213811825 2026-07-18 13:30:30+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mqweqn3ya72g 2026-07-18 14:00:39+00:00| seen|...
MINI-93CQ-RJQ3-6RF7
Bulletin has no description...
CVE-2024-58356 SurrealDB before 2.1.4 Permission Bypass via DEFINE TABLE OVERWRITE
SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...
CVE-2024-58356
SurrealDB before 2.1.4 silently fails to overwrite table definitions when the DEFINE TABLE ... OVERWRITE clause is used on tables defined with TYPE RELATION. Because table definitions include the PERMISSIONS clause, an attempt to tighten a table's permissions via OVERWRITE does not take effect, a...
CVE-2026-16117
Impact: @fastify/http-proxy versions up to and including 11.5.0 fail to rewrite the request prefix when the prefix segment is URL-encoded. Fastify's router URL-decodes paths for route matching, but request.url retains the original encoded form, and the prefix-rewrite step uses a literal string...
WordPress vulnerabilities can be addressed through Automattic.
There are two vulnerabilities present in WordPress Core 6.8.6, 6.9.5, and 7.0.2. An unauthorized malicious individual can exploit these vulnerabilities to execute arbitrary code remotely. To do this, a malicious HTTP request must be sent to the batch API of a WordPress site. Since vulnerabilities...
CVE-2026-47870
CVE-2026-47870 affects VMware Avi Load Balancer. A malicious authenticated user with network access can potentially execute remote code due to a privilege-escalation flaw. Affected versions and fixes shown in public records: 32.1.1 (fixed in 32.1.2); 31.1.1–31.2.2 (fixed in 31.2.2-2p3); 30.1.1–30...
Cacti - Cross-Site Scripting
Cacti contains a cross-site scripting vulnerability via "http:///authchangepassword.php?ref=alert1" which can successfully execute the JavaScript payload present in the "ref" URL parameter. id: CVE-2021-26247 info: name: Cacti - Cross-Site Scripting author: dhiyaneshDK severity: medium descriptio...
Erxes <0.23.0 - Cross-Site Scripting
Erxes before 0.23.0 contains a cross-site scripting vulnerability. The value of topicID parameter is not escaped and is triggered in the enclosing script tag. id: CVE-2021-32853 info: name: Erxes 0.23.0 - Cross-Site Scripting author: dwisiswant0 severity: critical description: Erxes before 0.23.0...
Python Flask-Security - Open Redirect
Python Flask-Security contains an open redirect vulnerability. Existing code validates that the URL specified in the next parameter is either relative or has the same network location as the requesting URL. Certain browsers accept and fill in the blanks of possibly incomplete or malformed URLs. A...
SAS/Internet 9.4 1520 - Local File Inclusion
SAS/Internet 9.4 build 1520 and earlier allows local file inclusion. The samples library included by default in the appstart.sas file, allows end-users of the application to access the sample.webcsf1.sas program, which contains user-controlled macro variables that are passed to the DS2CSF macro...
VelotiSmart Wifi - Directory Traversal
VelotiSmart WiFi B-380 camera devices allow directory traversal via the uc-http service 1.0.0, as demonstrated by /../../etc/passwd on TCP port 80. id: CVE-2018-14064 info: name: VelotiSmart Wifi - Directory Traversal author: 0xAkoko severity: critical description: VelotiSmart WiFi B-380 camera...
Tattile Camera < 1.181.5 - Default Login
Tattile Smart+, Vega, and Basic device families firmware = 1.181.5 contain a broken authentication caused by default credentials not forced to be changed, letting attackers with management interface access gain administrative privileges. id: CVE-2026-26341 info: name: Tattile Camera 1.181.5 -...
Starlette - Improper Validation of Unsafe Equivalence in Input
A flaw was found in Starlette, a lightweight ASGI Asynchronous Server Gateway Interface framework. A remote attacker could exploit this vulnerability by sending a specially crafted HTTP Host request header. This malformed header could cause the request.url to be incorrectly reconstructed, leading...
WordPress Copyright Proof <=4.16 - Cross-Site-Scripting
WordPress Copyright Proof plugin 4.16 and prior contains a cross-site scripting vulnerability. It does not sanitize and escape a parameter before outputting it back via an AJAX action available to both unauthenticated and authenticated users when a specific setting is enabled. id: CVE-2022-1906...
Helmet Store Showroom - Cross Site Scripting
Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting XSS. id: CVE-2022-46073 info: name: Helmet Store Showroom - Cross Site Scripting author: Harsh severity: medium description: | Helmet Store Showroom 1.0 is vulnerable to Cross Site Scripting XSS. impact: | Successful exploitation of...
Online Birth Certificate System 1.2 - Stored Cross-Site Scripting
Online Birth Certificate System 1.2 contains multiple stored cross-site scripting vulnerabilities in the component /obcs/user/profile.php, which allows an attacker to execute arbitrary web script or HTML via a crafted payload injected into the fname or lname parameters. id: CVE-2022-29005 info:...
WordPress Accessibility Helper <0.6.0.7 - Cross-Site Scripting
WordPress Accessibility Helper plugin before 0.6.0.7 contains a cross-site scripting vulnerability. It does not sanitize and escape the wahi parameter before outputting back its base64 decode value in the page. id: CVE-2022-0150 info: name: WordPress Accessibility Helper 0.6.0.7 - Cross-Site...
WordPress Shareaholic <9.7.6 - Information Disclosure
WordPress Shareaholic plugin prior to 9.7.6 is susceptible to information disclosure. The plugin does not have proper authorization check in one of the AJAX actions, available to both unauthenticated before 9.7.5 and authenticated in 9.7.5 users, allowing them to possibly obtain sensitive...