14 matches found

EUVD
added 2026/04/24 12:19 a.m. | 2 views

EUVD-2026-25368

Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...

CVSS 6.9 | AI score 5.1 | EPSS 0.00043
Exploits: 0 | References: 3

ATTACKERKB
added 2026/04/06 9:47 p.m. | 6 views

CVE-2026-35452

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the plugin/CloneSite/client.log.php endpoint serves the clone operation log file without any authentication. Every other endpoint in the CloneSite plugin directory enforces User::isAdmin. The log contains internal filesyste...

CVSS 5.3 | AI score 5.9 | EPSS 0.0002
Exploits: 1 | References: 2 | Affected Software: 1

RedhatCVE
added 2026/03/26 3:1 p.m. | 1 views

CVE-2026-33478

WWBN AVideo is an open source video platform. In versions up to and including 26.0, multiple vulnerabilities in AVideo's CloneSite plugin chain together to allow a completely unauthenticated attacker to achieve remote code execution. The clones.json.php endpoint exposes clone secret keys without...

CVSS 10 | AI score 6.4 | EPSS 0.07135
Exploits: 1 | References: 1

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2022-24916

Malicious code in bioql PyPI...

CVSS 4.3 | AI score 4.8 | EPSS 0.00103
Exploits: 2 | References: 1

RedhatCVE
added 2025/05/23 9:31 a.m. | 2 views

CVE-2024-0978

The My Private Site plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.14 via the REST API. This makes it possible for unauthenticated attackers to bypass the plugin's site privacy feature and view restricted page and post content...

CVSS 5.3 | AI score 6.7 | EPSS 0.00384
Exploits: 0 | References: 1

RedhatCVE
added 2025/05/22 11:31 p.m. | 3 views

CVE-2022-1627

The My Private Site WordPress plugin before 3.0.8 does not have a CSRF check in place when updating its settings, which could allow attackers to make a logged-in admin change them via a CSRF attack...

CVSS 4.3 | AI score 6.7 | EPSS 0.00103
Exploits: 2 | References: 1

Cvelist
added 2023/12/29 12:55 p.m. | 14 views

CVE-2023-51470 WordPress Rencontre – Dating Site Plugin <= 3.11.1 is vulnerable to PHP Object Injection

Deserialization of Untrusted Data vulnerability in Jacques Malgrange Rencontre – Dating Site. This issue affects Rencontre – Dating Site: from n/a through 3.11.1...

CVSS 9.9 | AI score 9.7 | EPSS 0.00747
Exploits: 0 | References: 1

GithubExploit
added 2023/05/15 11:57 a.m. | 8 views

Exploit for Command Injection in Wwbn Avideo

WWBN AVideo currentVersion Authenticated RCE A command in...

CVSS 8.8 | AI score 9.2 | EPSS 0.32233
Exploits: 4

CNVD
added 2022/06/30 12:0 a.m. | 20 views

WordPress My Private Site plugin cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. A WordPress plugin is an application plugin. WordPress My Private Site plugin version 3.0.8 or earlier is vulnerable to cross-site request forgery...

CVSS 4.3 | AI score 2.8 | EPSS 0.00103
Exploits: 2 | References: 1

OSV
added 2022/05/17 4:12 a.m. | 1 views

GHSA-X8Q8-4HP5-463W Improper Limitation of a Pathname to a Restricted Directory in Elasticsearch

Directory traversal vulnerability in Elasticsearch before 1.4.5 and 1.5.x before 1.5.2, when a site plugin is enabled, allows remote attackers to read arbitrary files via unspecified vectors...

CVSS 4.3 | AI score 5.9 | EPSS 0.91087
Exploits: 5 | References: 5

Patchstack
added 2019/07/10 12:0 a.m. | 8 views

WordPress Rencontre – Dating Site plugin <= 3.1.2 - SQL Injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities

SQL Injection (SQLi) and Cross-Site Scripting (XSS) vulnerabilities found by Admavidhya N in WordPress Rencontre – Dating Site plugin versions <= 3.1.2. Solution 10 July 2019 - waiting for approval...

AI score 2.5
Exploits: 0 | Affected Software: 1

securityvulns
added 2015/05/05 12:0 a.m. | 59 views

Elasticsearch vulnerability CVE-2015-3337

Summary: All Elasticsearch versions prior to 1.5.2 and 1.4.5 are vulnerable to a directory traversal attack that allows an attacker to retrieve files from the server running Elasticsearch. This vulnerability is not present in the initial installation of Elasticsearch. The vulnerability is exposed...

CVSS 4.3 | AI score 0.6 | EPSS 0.91087
Exploits: 5

CNVD
added 2015/04/30 12:0 a.m. | 3 views

Elasticsearch Arbitrary File Disclosure Vulnerability

Elasticsearch is an open-source distributed RESTful search engine built on Lucene, developed by the Dutch company Elasticsearch. It is mainly used in cloud computing and supports the use of JSON over HTTP for data indexing. A security vulnerability exists in Elasticsearch versions prior to 1.5....

CVSS 4.3 | AI score 6.6 | EPSS 0.91087
Exploits: 5 | References: 1

OSV
added 2015/04/29 12:0 a.m. | 15 views

DSA-3241-1 elasticsearch - security update

Bulletin has no description...

CVSS 4.3 | AI score 9.3 | EPSS 0.91087
Exploits: 5