826 matches found
CVE-2026-15285
The Plus Addons for Elementor plugin for WordPress was vulnerable to Authenticated Contributor+ Stored Cross-Site Scripting via the Button widget's customattributes setting in versions up to and including 6.4.11. The render function in modules/widgets/tpbutton.php passed the raw customattributes...
CVE-2026-59817
Ghost is a Node.js content management system. From 6.27.0 before 6.44.0, Ghost's public donation checkout flow allowed an unauthenticated attacker to control donation checkout metadata and obtain full paid gift memberships for a minimal payment without exposing customer or member data or stealing...
CVE-2026-59731
Astro is a web framework for content-driven websites. Version 6.4.7 performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit, while later rewrite route matching performs an additional decodeURI operation and can resolve the request to a...
PT-2026-56516
Name of the Vulnerable Software and Affected Versions Astro version 6.4.7 Description Astro performs authorization decisions on a partially decoded pathname after reaching the iterative URL decoder limit. Subsequently, rewrite route matching performs an additional decodeURI operation, which can...
PYSEC-2026-1494 Kinto Attachment's attachments can be replaced on read-only records
Impact The attachment file of an existing record can be replaced if the user has "read" permission on one of the parent collection or bucket. And if the "read" permission is given to "system.Everyone" on one of the parent, then the attachment can be replaced on a record using an anonymous request...
galera and mariadb11.8 security, bug fix, and enhancement update
An update is available for mariadb11.8, galera. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list MariaDB is a community developed fork from MySQL - a multi-user,...
CVE-2026-57671
Unauthenticated Cross Site Scripting XSS in perfmatters = 2.6.4 versions...
WordPress Perfmatters plugin <= 2.6.4 - Unauthenticated Arbitrary File Read vulnerability
Unauthenticated Arbitrary File Read vulnerability discovered by daroo in WordPress Plugin perfmatters versions = 2.6.4...
Important: Red Hat Security Advisory: Red Hat AI Base Images 3.2.2 (ROCm 6.4)
Red Hat AI Base Images 3.2.2 ROCm 6.4 is now available. Red Hat® AI Base Images...
Important: Red Hat Security Advisory: Red Hat AI Base Images 3.3.2 (ROCm 6.4)
Red Hat AI Base Images 3.3.2 ROCm 6.4 is now available. Red Hat® AI Base Images...
RLSA-2026:33464 Important: mariadb:10.11 security, bug fix, and enhancement update
MariaDB is a multi-user, multi-threaded SQL database server that is binary compatible with MySQL. Security Fixes: mariadb: MariaDB Server: Arbitrary code execution via wsrepnotifycmd CVE-2026-49261 Bug Fixes and Enhancements: Rocky Linux8tracker Rebase Galera to 26.4.27 MariaDB:10.11 JIRA:Rocky...
EUVD-2026-40110
Unauthenticated Broken Access Control in Business Directory = 6.4.23 versions...
CVE-2026-57339
Unauthenticated Broken Access Control in Business Directory = 6.4.23 versions...
CVE-2026-57328 WordPress Business Directory plugin <= 6.4.22 - Cross Site Scripting (XSS) vulnerability
Subscriber Cross Site Scripting XSS in Business Directory = 6.4.22 versions...
MINI-464W-FR2W-JPRG
Bulletin has no description...
CVE-2026-54298
Astro is a web framework. Prior to 6.4.6, the spreadAttributes function in Astro's server-side rendering pipeline iterates over object keys and passes them directly to addAttribute, which interpolates the key into the HTML output without escaping. When a developer uses the spread syntax ...props ...
CVE-2026-54299
Summary of CVE-2026-54299 (Astro) : Astro SSR apps that prerender error pages (e.g., 404/500 with prerender = true) fetch those pages over HTTP using a URL derived from request.url, which is based on the Host header. If Host is not validated against allowedDomains, an attacker can direct the fetc...
CVE-2026-54298
Astro, prior to 6.4.6, is vulnerable to XSS via unescaped attribute names when spreading props onto HTML elements. The spreadAttributes path iterates over object keys and passes them to addAttribute, which interpolates the key into the HTML output without escaping, allowing attackers to inject ev...
MINI-VG67-5V64-VR6M
Bulletin has no description...
CVE-2025-52465
GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.26.4 and 2.27.3, a vulnerability exists that allows an authenticated administrator with access to GeoServer's security system to pass arbitrary file names to the Master Password Dump web pa...