
276205 matches found

Snyk
added 2026/03/16 9:17 p.m. | 5 views

Server-side Request Forgery (SSRF)

Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the fetchmetadata.php process when user-supplied input is passed to file_get_contents after only...

6.9 CVSS | 5.9 AI score | 0.00428 EPSS
Exploits: 1 | References: 2

Snyk
added 2026/03/16 9:17 p.m. | 3 views

Cross-site Request Forgery (CSRF)

Overview: admidio/admidio is a free open source user management system for websites of organizations and groups. Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) in the savemembership process. An attacker can alter membership start and end dates for any member of...

6.8 CVSS | 5.9 AI score | 0.00149 EPSS
Exploits: 1 | References: 2

NVD
added 2026/03/16 8:16 p.m. | 7 views

CVE-2026-28430

Chamilo LMS is a learning management system. Prior to version 1.11.34, there is an unauthenticated SQL injection vulnerability which allows remote attackers to execute arbitrary SQL commands via the customdates parameter. By chaining this with a predictable legacy password reset mechanism, an...

9.8 CVSS | 0.00329 EPSS
Exploits: 0 | References: 2

OSV
added 2026/03/16 6:57 p.m. | 5 views

CVE-2026-32262 Craft CMS has a Path Traversal Vulnerability in AssetsController

Craft CMS is a content management system (CMS). From version 4.0.0-RC1 to before version 4.17.5 and from version 5.0.0-RC1 to before version 5.9.11, the AssetsController-replaceFile method has a targetFilename body parameter that is used unsanitized in a deleteFile call before...

5.3 CVSS | 5.9 AI score | 0.00291 EPSS
Exploits: 0 | References: 4

Snyk
added 2026/03/16 4:22 p.m. | 2 views

Buffer Overflow

Overview: Affected versions of this package are vulnerable to Buffer Overflow via the setcookiegeneratecallback function. An attacker can cause a buffer overflow by providing a callback that returns a cookie value greater than 256 bytes. Note: This is only exploitable if the application explicitly...

9.8 CVSS | 6.1 AI score | 0.005 EPSS
Exploits: 0 | References: 2

OSV
added 2026/03/16 3:30 p.m. | 2 views

GHSA-76C2-3Q6G-XVPM Aureus ERP vulnerable to cross-site scripting in the Chatter Message Handler

A vulnerability was determined in Aureus ERP up to 1.3.0-BETA1. The affected element is an unknown function of the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php of the component Chatter Message Handler. Executing a manipulation of...

5.1 CVSS | 4 AI score | 0.00254 EPSS
Exploits: 0 | References: 8

EUVD
added 2026/03/16 3:30 p.m. | 5 views

EUVD-2025-208725

Global file reads caused by improper URL checks in webserver in Softing Industrial Automation GmbH smartLinks on docker filesystem modules allows file access. This issue affects smartLink SW-HT: through 1.42; smartLink SW-PN: through 1.03...

5.3 CVSS | 5.8 AI score | 0.00369 EPSS
Exploits: 0 | References: 3

NVD
added 2026/03/16 2:18 p.m. | 3 views

CVE-2026-0977

IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls...

7.1 CVSS | 0.00205 EPSS
Exploits: 0 | References: 1

Fedora
added 2026/03/16 1:11 a.m. | 8 views

[SECURITY] Fedora 42 Update: python3.6-3.6.15-53.fc42

Python 3.6 package for developers. This package exists to allow developers to test their code against an older version of Python. This is not a full Python stack and if you wish to run your applications with Python 3.6, see other distributions that support it, such as CentOS or RHEL with Software...

6.3 CVSS | 7.2 AI score | 0.00696 EPSS
Exploits: 0

Fedora
added 2026/03/16 1:0 a.m. | 7 views

[SECURITY] Fedora 43 Update: qgis-3.44.8-1.fc43

Geographic Information System (GIS) manages, analyzes, and displays databases of geographic information. QGIS supports shape file viewing and editing, spatial data storage with PostgreSQL/PostGIS, projection on-the-fly, map composition, and a number of other features via a plugin interface. QGIS al...

8.7 CVSS | 5.8 AI score | 0.00414 EPSS
Exploits: 0

CNNVD
added 2026/03/16 12:0 a.m. | 5 views

SAMSUNG Secure Folder Security Vulnerability

Samsung Secure Folder is a privacy protection software developed by South Korea’s Samsung Corporation. Versions of Samsung Secure Folder prior to the SMR Mar-2026 Release 1 had security vulnerabilities. These vulnerabilities stemmed from improper export of Android application components, which...

8.4 CVSS | 5.9 AI score | 0.00159 EPSS
Exploits: 0 | References: 1

OSSF Malicious Packages
added 2026/03/16 12:0 a.m. | 9 views

Malicious code in minify-mangle-names (npm)

The package 'minify-mangle-names' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server...

5.5 AI score
Exploits: 0 | References: 3

OSSF Malicious Packages
added 2026/03/16 12:0 a.m. | 7 views

Malicious code in yoshi-base (npm)

The package 'yoshi-base' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency (RDD) technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...

5.5 AI score
Exploits: 0 | References: 3

CNVD
added 2026/03/16 12:0 a.m. | 5 views

Adobe DNG SDK Input Validation Error Vulnerability

Adobe DNG SDK is a software development kit from the US company Adobe that provides the ability to read and write DNG files. An input validation error vulnerability exists in Adobe DNG SDK, which can be exploited by an attacker to cause a denial of service in an applicatio...

5.5 CVSS | 5.8 AI score | 0.00179 EPSS
Exploits: 1

Positive Technologies
added 2026/03/16 12:0 a.m. | 4 views

PT-2026-25602

Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication...

5.3 CVSS | 5.9 AI score | 0.00256 EPSS
Exploits: 0 | References: 1

CNNVD
added 2026/03/16 12:0 a.m. | 6 views

Chamilo LMS Code Injection Vulnerability

Chamilo LMS is an open-source online learning and collaboration system developed by Chamilo. This system supports the creation of teaching content, remote training, and online quizzes. Prior to version 1.11.36 of Chamilo LMS, there was a code injection vulnerability. This vulnerability stemmed fr...

8.8 CVSS | 6.1 AI score | 0.00515 EPSS
Exploits: 0 | References: 2

CNNVD
added 2026/03/16 12:0 a.m. | 4 views

Wowza Media Systems Wowza Streaming Engine Cross-Site Request Forgery Vulnerability

Wowza Media Systems Wowza Streaming Engine is a powerful, customizable, and scalable media server software developed by Wowza Media Systems. It enables reliable streaming of high-quality video and audio to any device. Version 4.5.0 of Wowza Streaming Engine contains a cross-site request forgery...

8.8 CVSS | 5.7 AI score | 0.00209 EPSS
Exploits: 2 | References: 3

Positive Technologies
added 2026/03/16 12:0 a.m. | 4 views

PT-2026-25773

Name of the Vulnerable Software and Affected Versions: AWS API MCP Server versions 0.2.14 through 1.3.8. Description: The AWS API MCP Server, used to enable AI assistants to interact with AWS services, has an issue where file access restrictions can be bypassed. This affects the 'no-access' and...

6.8 CVSS | 5.9 AI score | 0.00131 EPSS
Exploits: 0 | References: 9

CNNVD
added 2026/03/16 12:0 a.m. | 13 views

D-Link Multiple Products Command Injection Vulnerability

D-Link DNS-320, etc., are products of D-Link Corporation, a Chinese company. The D-Link DNS-320 is a NAS (Network Attached Storage) device. The D-Link DNS-120 is a network storage adapter. The D-Link DNS-315L is a network attached storage device. Several D-Link products have command injection...

9.8 CVSS | 6.6 AI score | 0.03774 EPSS
Exploits: 1 | References: 9

CNNVD
added 2026/03/16 12:0 a.m. | 6 views

Pigeon Injection Vulnerability

Pigeon is a lightweight bulletin board/notepad/social system/blog developed by Akkariin Meiko as an individual project. Versions of Pigeon prior to 1.0.201 contained an injection vulnerability. This vulnerability stemmed from the application’s use of unvalidated $_SERVER['HTTP_HOST'] in the email...

8.2 CVSS | 5.8 AI score | 0.00207 EPSS
Exploits: 0 | References: 2