EUVD-2026-23203

The Livemesh Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data and Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 9.0. This is due to missing authorization checks on the AJAX handler laeadminajax and insufficient...

CVE-2025-48536

CVE-2025-48536 affects Android’s SettingsSliceProvider.java, specifically grantAllowlistedPackagePermissions. A third-party app could abuse a “confused deputy” flaw to modify secure settings, enabling local elevation of privilege with no extra execution privileges and no user interaction required...

EUVD-2023-53951

Malicious code in bioql PyPI...

EUVD-2022-24995

Malicious code in bioql PyPI...

EUVD-2025-15178

Malicious code in bioql PyPI...

EUVD-2024-50149

Malicious code in bioql PyPI...

EUVD-2023-58630

Malicious code in bioql PyPI...

EUVD-2024-46330

Malicious code in bioql PyPI...

CVE-2024-4627

The Rank Math SEO WordPress plugin before 1.0.219 does not sanitise and escape some of its settings, which could allow users with access to the General Settings by default admin, however such access can be given to lower roles via the Role Manager feature of the Rank Math SEO WordPress plugin...

CVE-2023-34750

bloofox v0.5.2.1 was discovered to contain a SQL injection vulnerability via the cid parameter at admin/index.php?mode=settings=projects=edit...

CVE-2023-27216

An issue found in D-Link DSL-3782 v.1.03 allows remote authenticated users to execute arbitrary code as root via the network settings page...

CVE-2024-6857

The WP MultiTasking WordPress plugin through 0.1.12 does not have CSRF check when updating its Header, Footer and Body Script Settings, which could allow attackers to make logged admins perform such action via a CSRF attack...

CVE-2024-10480

CVE-2024-10480 affects the 3DPrint Lite WordPress plugin prior to 2.1. The issue is a missing CSRF check when updating plugin settings, enabling a logged-in attacker to change settings via CSRF. The Red Hat/NVD entries describe the same flaw and patch in version 2.1 or later. Impact is limited to...

GHSA-6C5Q-FG3G-QHHV LibreNMS stored cross-site scripting (XSS) vulnerability in the Device Settings section

A stored cross-site scripting XSS vulnerability in the Device Settings section of LibreNMS v24.9.0 to v24.10.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Display Name parameter...

curl: -H with space prefix leads to previous header injection when used with --proxy

Summary: Hi team, I hope you're doing well. Recently I came accross this weird curl behavior where -H "spaceheader: value" would inject the header in the previous HTTP header. Tried it on mac OS Sequoia 15.1 with curl version curl 8.11.0 aarch64-apple-darwin24.1.0 libcurl/8.11.0 OpenSSL/3.4.0...

PT-2024-24515 · Wondercms · Wondercms

Name of the Vulnerable Software and Affected Versions: WonderCMS version 3.4.3 Description: A cross-site scripting XSS vulnerability in the Settings section allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ADMIN LOGIN URL parameter under the Securi...

PT-2023-20959 · WordPress · The Ultimate Product Catalog

Name of the Vulnerable Software and Affected Versions: The Ultimate Product Catalog WordPress plugin versions prior to 5.2.6 Description: The issue allows high privilege users, such as admins, to perform Stored Cross-Site Scripting attacks. This can occur even when the unfiltered html capability ...

EC-CUBE improperly handles HTTP Host header values

Overview EC-CUBE provided by EC-CUBE CO.,LTD. improperly handles HTTP Host header values CWE-913. EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LTD. coordinated under the Information Security Early Warning...

qutebrowser -- Remote code execution due to CSRF

qutebrowser team reports: Due to a CSRF vulnerability affecting the qute://settings page, it was possible for websites to modify qutebrowser settings. Via settings like editor.command, this possibly allowed websites to execute arbitrary code...