CVE-2026-49078

Unauthenticated Other Vulnerability Type in WP Travel Engine = 6.7.10 versions...

EUVD-2026-36877

Unauthenticated Other Vulnerability Type in WP Travel Engine = 6.7.10 versions...

CVE-2026-48011

Shopware is an open commerce platform. Prior to versions 6.6.10.18 and 6.7.10.1, an attacker is able to enumerate the usernames of administrator users by performing a timing attack. Versions 6.6.10.18 and 6.7.10.1 fix the issue...

CVE-2025-41278

Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host...

PT-2026-44816

Nozomi Networks Labs identified a CWE-125: Out-of-bounds Read in Waterfall WF-500 RX Host in version 7.10.0.0 R2601141040 that allows attackers with access to the TX Host to execute code on the RX Host...

Linux Distros Unpatched Vulnerability : CVE-2023-2905

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Due to a failure in validating the length of a provided MQTTCMDPUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server,...

CVE-2026-4665

The CVE-2026-4665 entry concerns the WP Carousel Free plugin for WordPress (versions up to 2.7.10). Concrete details from connected documents describe a Stored Cross-Site Scripting flaw in the handling of fancybox data-caption attributes. The root cause is the fancybox-config.js logic reading the...

CVE-2026-0971

An improper session timeout issue in Fortra's GoAnywhere MFT prior to version 7.10.0 results in SAML configured Web Users being redirected to the regular login page instead of the SAML login page...

CVE-2026-1089 User‑Controlled HTTP Header In Fortra's GoAnywhere MFT Allows Arbitrary DNS Lookups

User‑Controlled HTTP Header in Fortra's GoAnywhere MFT prior to version 7.10.0 allows attackers to trigger a DNS lookup, as well as DNS Rebinding and Information Disclosure...

CVE-2026-0972

HTML injection is possible in system generated emails in Fortra's GoAnywhere MFT prior to 7.10.0. Note: The title, details, and description of this CVE were corrected post-publishing...

CVE-2025-14362 GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force...

CVE-2025-14362 GoAnywhere MFT SFTP Service Login Vulnerable to Brute Force Attack Under Certain Circumstances

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force...

CVE-2025-1241 Encryption vulnerable to brute-force decryption in GoAnywhere MFT

Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data...

Fortra GoAnywhere MFT 安全漏洞

Fortra GoAnywhere MFT is a file transfer software developed by the American company Fortra. Versions of Fortra GoAnywhere MFT prior to 7.10.0 contained a security vulnerability. This vulnerability stemmed from the SFTP service not enforcing login restrictions when the web user was configured to l...

PT-2026-33978

The login limit is not enforced on the SFTP service of Fortra's GoAnywhere MFT prior to 7.10.0 if the Web User attempting to be logged in to is configured to log in with an SSH Key, making the SSH key vulnerable to being guessed via Brute Force...

PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVE-2026-40458 Cross-Site Request Forgery in PAC4J

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

CVE-2026-40458

PAC4J is vulnerable to Cross-Site Request Forgery CSRF. A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the...

pac4j 安全漏洞

pac4j is a simple yet powerful Java security engine developed by pac4j OpenSource. It is used to authenticate users, retrieve their configuration files, and manage authorizations, thereby protecting web applications and web services. There were security vulnerabilities in versions of pac4j before...

SUSE CVE-2023-43637

Due to the implementation of "deriveVaultKey", prior to version 7.10, the generated vault key would always have the last 16 bytes predetermined to be "arfoobarfoobarfo". This issue happens because "deriveVaultKey" calls "retrieveCloudKey" which will always return "foobarfoobarfoobarfoobarfoobarfo...