PT-2026-33533

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint /api/public/user/login returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An...

GROWI vulnerable to stored cross-site scripting

Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2026-26291 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...

CVE-2026-5754

Radware Alteon vADC load-balancer, version 34.5.4.0, contains a reflected XSS in the ReturnTo parameter of the /protected/login route due to lack of input sanitization. An attacker can craft a link that injects JavaScript, which is reflected in the victim’s browser, enabling actions such as steal...

EUVD-2025-209310

D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingxasp function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...

CVE-2026-39562

Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...

CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability

Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through = 1.7.3...

PT-2026-31552

Name of the Vulnerable Software and Affected Versions PHPGurukul Online Course Registration version 3.1 Description A security issue exists in PHPGurukul Online Course Registration 3.1 related to the processing of the /admin/check availability.php file. Manipulation of the regno argument can lead...

EUVD-2026-19701

An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L 4.4 Medium. This issue was fixed in...

CVE-2026-30613

An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch 16amp- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from th...

EUVD-2026-19480

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP function in lib/admin/session.ts trusted the first leftmost entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to...

CVE-2026-30613

An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch 16amp- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from th...

PT-2026-30563

A vulnerability has been found in itsourcecode Construction Management System 1.0. Affected is an unknown function of the file /borrowed equip report.php of the component Parameter Handler. The manipulation of the argument Home leads to sql injection. It is possible to initiate the attack remotel...

PT-2026-29329

An arbitrary file overwrite vulnerability in RAREPROB SOLUTIONS PRIVATE LIMITED Video player Play All Videos v1.0.135 allows attackers to overwrite critical internal files via the file import process, leading to arbtrary code execution or information exposure...

Off-by-one Error

Overview Affected versions of this package are vulnerable to Off-by-one Error in the CapSoftwareVersion.DecodeFromBytes function. An attacker can cause a denial of service by remotely manipulating the data argument to trigger an off-by-one error. Remediation Upgrade...

CVE-2019-25655

Device Monitoring Studio 8.10.00.8925 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the server connection dialog. Attackers can trigger the crash by entering a malformed server name or address containing...

[SECURITY] Fedora 42 Update: htslib-1.23.1-1.fc42

HTSlib is an implementation of a unified C library for accessing common file formats, such as SAM, CRAM and VCF, used for high-throughput sequencing data, and is the core library used by samtools and bcftools...

CVE-2025-55272

HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attackers gain insights into the system’s software and version details which would allow them to craft software specific attacks...

PT-2026-28546

Name of the Vulnerable Software and Affected Versions Gematik Authenticator versions prior to 4.16.0 Description Gematik Authenticator is used to securely authenticate users for login to digital health applications. Versions prior to 4.16.0 are susceptible to authentication flow hijacking. An...

CVE-2025-55272 HCL Aftermarket DPC is affected by Banner Disclosure vulnerability

HCL Aftermarket DPC is affected by Banner Disclosure vulnerability where attackers gain insights into the system’s software and version details which would allow them to craft software specific attacks...

PT-2026-28147

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/get claim file.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...