Webmin < 1.920 - Authenticated Remote Code Execution

rpc.cgi in Webmin through 1.920 allows authenticated Remote Code Execution via a crafted object name because unserialisevariable makes an eval call. NOTE: the WebminServersIndex documentation states "RPC can be used to run any command or modify any file on a server, which is why access to it must...

WordPress Stop User Enumeration <=1.3.7 - Cross-Site Scripting

WordPress Stop User Enumeration 1.3.7 and earlier are vulnerable to unauthenticated reflected cross-site scripting. id: CVE-2017-18536 info: name: WordPress Stop User Enumeration =1.3.7 - Cross-Site Scripting author: daffainfo severity: medium description: WordPress Stop User Enumeration 1.3.7 an...

Astra Linux – Vulnerabilities in Linux, Linux-5.10, Linux-5.15, Linux-6.1

In the Linux kernel, the following vulnerability has been resolved: libceph: fixed a race condition between delayedwork and cephmoncstop The way delayed work is handled in cephmoncstop is prone to races with monfault, and possibly also finishhunting. Both of these can requeue the delayed work,...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: octeonep: Fixed the issue where the host would hang during device reboot. When the host loses heartbeat messages from the device, the driver calls the device-specific ndostop function, which frees the resources. If the driver is...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Fix use after free on unload A system crash is observed due to a stack trace warning related to the use after free operation. There are two signals that can cause dpcthread to terminate: the UNLOADING flag and...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: ASoC: qcom: qdsp6: Fixed the issue where q6apm removal ordering occurs during ADSP stop and start. During ADSP stop and start, the kernel crashes due to the order in which ASoC components are removed. During ADSP stop, the...

Astra Linux – Vulnerability found in Linux 6.1, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: ARM: 9317/1: kexec: Make smp stop calls asynchronous If a panic is triggered by a hrtimer interrupt, all online CPUs will be notified and set to offline. However, as highlighted in the commit 19dbdcb8039c “smp: Warn on function...

Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: smb: server: splitting ksmbdrdmastoplistening from ksmbdrdmaDestroy We cannot call destroyworkqueuesmbdirectwq; before stopsessions! Otherwise, existing connections will attempt to use smbdirectwq as a NULL pointer...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: perf/x86/intel/pt: Fixed a crash that occurred with stop filters in single-range mode. A check for !buf-single was added before calling ptbufferregionsize in places where a missing check could cause a kernel crash. This fix...

CVE-2026-48876

Unauthenticated Cross Site Scripting XSS in Stop Spammers = 2026.3 versions...

CVE-2026-48876 WordPress Stop Spammers plugin <= 2026.3 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Stop Spammers = 2026.3 versions...

EUVD-2026-36853

Unauthenticated Cross Site Scripting XSS in Stop Spammers = 2026.3 versions...

CVE-2026-48876

CVE-2026-48876 is an unauthenticated XSS in the WordPress Stop Spammers plugin (versions

PT-2026-49483

Unauthenticated Cross Site Scripting XSS in Stop Spammers = 2026.3 versions...

CVE-2026-41662

Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership contains this safety check, but the current code path bypasses...

CVE-2026-5741

A weakness has been identified in suvarchal docker-mcp-server up to 0.1.0. The impacted element is the function stopcontainer/removecontainer/pullimage of the file src/index.ts of the component HTTP Interface. This manipulation causes os command injection. The attack is possible to be carried out...

CVE-2026-42276

Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/chatsessionid endpoint lets any authenticated user stop any other user's active chat session. The endpoint checks authentication but never verifies the session belongs to the caller. An...

CVE-2026-39848

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop= or...

CVE-2026-45399

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, any authenticated user with low privileges can enumerate active background tasks across the system and stop tasks belonging to other users via the GET /api/tasks and POST...

PT-2026-46327

Unauthenticated Local File Inclusion in AirSupply = 2.0.0 versions...