CVE-2026-48151
Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the bo...
CVE-2026-46427 Budibase: Snowflake private key returned unmasked from datasource API to BASIC users
Budibase is an open-source low-code platform. Prior to 3.38.3, removeSecrets at packages/server/src/sdk/workspace/datasources/datasources.ts masks only datasource config fields whose schema type is DatasourceFieldType.PASSWORD. The Snowflake integration types its privateKey field as...
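The masking gap described above (secret-stripping keyed on a single input widget type) is easy to reproduce in miniature. The TypeScript below is an added illustration, not Budibase code: the field types, the `secret` schema flag, the mask placeholder, the Snowflake-like schema and the config values are all constructed for the example, and typing the private key as a long-form text field is an assumption standing in for whatever type the real integration uses.

```typescript
// Added illustration of a widget-type-keyed secret filter and a hardened variant.
// Not Budibase code; field types, schema and values are constructed/assumed.

const FieldType = {
  STRING: "string",
  PASSWORD: "password",
  LONGFORM: "longForm", // assumed multi-line text widget type, illustrative only
} as const;
type FieldType = (typeof FieldType)[keyof typeof FieldType];

interface FieldSchema {
  type: FieldType;
  secret?: boolean; // explicit sensitivity flag, independent of the widget type
}
type Schema = Record<string, FieldSchema>;
type Config = Record<string, string>;

const MASK = "--secret-value--"; // placeholder returned instead of a secret (assumed)

// Constructed Snowflake-like schema: the private key is a multi-line text field,
// not a PASSWORD field, so a filter keyed on PASSWORD never sees it.
const snowflakeLikeSchema: Schema = {
  account:    { type: FieldType.STRING },
  username:   { type: FieldType.STRING },
  password:   { type: FieldType.PASSWORD },
  privateKey: { type: FieldType.LONGFORM, secret: true },
};

// Flawed: masking keyed only on the PASSWORD widget type. Any secret rendered with
// another widget (a long-form key, a token in a plain text box) is echoed unchanged.
function removeSecretsByWidgetType(config: Config, schema: Schema): Config {
  const out: Config = { ...config };
  for (const [name, field] of Object.entries(schema)) {
    if (field.type === FieldType.PASSWORD && name in out) out[name] = MASK;
  }
  return out;
}

// Hardened: a field is masked when its widget type is PASSWORD or the schema marks it
// secret explicitly; config keys with no schema entry are dropped rather than echoed.
function removeSecrets(config: Config, schema: Schema): Config {
  const out: Config = {};
  for (const [name, value] of Object.entries(config)) {
    const field = schema[name];
    if (!field) continue;
    const isSecret = field.type === FieldType.PASSWORD || field.secret === true;
    out[name] = isSecret ? MASK : value;
  }
  return out;
}

// Regression check: names of sensitive fields whose original value survives in the
// redacted object, i.e. what an API response built from `redacted` would leak.
function leakedSecretFields(original: Config, redacted: Config, schema: Schema): string[] {
  return Object.keys(schema).filter((name) => {
    const f = schema[name];
    const sensitive = f.type === FieldType.PASSWORD || f.secret === true;
    return sensitive && name in redacted && redacted[name] === original[name];
  });
}

// Constructed sample config (the key material is a placeholder string).
const SAMPLE_CONFIG: Config = {
  account: "acme-eu1",
  username: "svc_reporting",
  password: "hunter2",
  privateKey: "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----",
};
```

`leakedSecretFields` is the check worth keeping in a test suite: run it over every datasource schema with a config that fills all fields, and it flags any secret that a new integration has wired to a non-password widget.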
VulnCheck KEV: CVE-2025-67303
An issue in ComfyUI-Manager prior to version 3.38 allowed remote attackers to potentially manipulate its configuration and critical data. This was due to the application storing its files in an insufficiently protected location that was accessible via the web interface...
EUVD-2026-23753
SD-330AC and AMC Manager provided by silex technology, Inc. contain an issue in which sensitive information in a resource is not removed before reuse. An attacker may log in to the device without knowing the password by sending a crafted packet...
CVE-2026-28291
simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for...
CVE-2026-33209 Avo has a XSS vulnerability on `return_to` param
Avo is a framework for creating admin panels for Ruby on Rails apps. Prior to version 3.30.3, a reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used in the Avo interface. An attacker can craft a malicious URL that injects arbitrary JavaScript, which is execute...
WordPress Media Library Assistant plugin <= 3.33 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Attachment Taxonomy Modification vulnerability discovered by Muhammad Sharief in WordPress Plugin Media Library Assistant versions <= 3.33...
CVE-2025-67111
An integer overflow in the RTPS protocol implementation of OpenDDS DDS before v3.33.0 allows attackers to cause a Denial of Service (DoS) via a crafted message...
CVE-2025-12955
The CVE-2025-12955 issue affects the WordPress plugin Live Sales Notification for WooCommerce (versions up to and including 2.3.39). The root cause is missing authorization and capability checks in the getOrders function when configured to display recent orders, allowing unauthenticated users to ...
CVE-2025-56463
Mercusys MW305R 3.30 and below has a Transport Layer Security (TLS) certificate private key disclosure...
UBUNTU-CVE-2025-43972
An issue was discovered in GoBGP before 3.35.0. An attacker can cause a crash in the pkg/packet/bgp/bgp.go flowspec parser by sending fewer than 20 bytes in a certain context...
UBUNTU-CVE-2025-43970
An issue was discovered in GoBGP before 3.35.0. pkg/packet/mrt/mrt.go does not properly check the input length, e.g., by ensuring that there are 12 bytes or 36 bytes depending on the address family...
TAIWAN-CA(TWCA) JCICSecurityTool Input Validation Error Vulnerability
TAIWAN-CA (TWCA) JCICSecurityTool is an application from Taiwan Web Certification (TWCA). An input validation error vulnerability exists in TAIWAN-CA (TWCA) JCICSecurityTool version v4.2.3.32, which stems from insufficient filtering of special characters in registry-related functions, and can be exploite...
INEA ME RTU Operating System Command Injection Vulnerability
The INEA ME RTU is a remote terminal unit from INEA that implements the data interface between remote devices and the control center. An operating system command injection vulnerability exists in INEA ME RTU version 3.36 and earlier. Th...
SUSE CVE-2021-21706
In PHP versions 7.3.x below 7.3.31, 7.4.x below 7.4.24 and 8.0.x below 8.0.11, in Microsoft Windows environment, ZipArchive::extractTo may be tricked into writing a file outside target directory when extracting a ZIP file, thus potentially causing files to be created or overwritten, subject to OS...
PT-2021-5346 · Php +2
Name of the Vulnerable Software and Affected Versions: PHP versions 7.3.x through 7.3.30; PHP versions 7.4.x through 7.4.23; PHP versions 8.0.x through 8.0.10. Description: The issue arises from the incorrect restriction of the path name to a directory with limited access in the ZipArchive::extractT...
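Both PHP entries above describe the same defect class: an archive entry name that, after platform-specific path normalisation, resolves outside the extraction directory, with the Windows separator and drive-letter rules being what the POSIX-minded check missed. The TypeScript below is an added example, not PHP or any project's code, of the pre-extraction check an extractor should run on every entry name. It takes the platform explicitly so the Windows rules can be exercised from any host; the target directories and entry names are constructed.

```typescript
// Added example: per-platform containment check for archive entry names.
// Not PHP's ZipArchive logic; targets and entry names below are constructed.
import * as path from "node:path";

type Platform = "win32" | "posix";

// True when writing archive entry `entryName` under `targetDir` stays inside it
// under the given platform's path rules.
function entryStaysInside(entryName: string, targetDir: string, platform: Platform): boolean {
  const p = platform === "win32" ? path.win32 : path.posix;
  // Absolute names ("/etc/passwd", "C:\Windows\...", "\\server\share") never belong in an archive.
  if (p.isAbsolute(entryName)) return false;
  // "C:evil.dll" is drive-relative on Windows: not absolute, yet not under targetDir either.
  if (platform === "win32" && /^[A-Za-z]:/.test(entryName)) return false;
  const root = p.resolve(targetDir);
  const dest = p.resolve(root, entryName); // collapses "." and ".." with this platform's separators
  const rel = p.relative(root, dest);
  if (rel === "") return false; // the entry is the target directory itself, nothing to write
  // After normalisation an escape shows up as a leading ".." segment.
  return rel !== ".." && !rel.startsWith(".." + p.sep);
}

// Partition entry names (as read from the archive's central directory) into
// those that may be extracted and those that must be rejected before any write.
function triageEntries(
  names: string[],
  targetDir: string,
  platform: Platform,
): { safe: string[]; rejected: string[] } {
  const safe: string[] = [];
  const rejected: string[] = [];
  for (const n of names) (entryStaysInside(n, targetDir, platform) ? safe : rejected).push(n);
  return { safe, rejected };
}

// Constructed sample: entry names as an attacker could place them in a crafted ZIP.
// "..\\outside.txt" is the Windows-specific case: a plain file name on POSIX,
// a parent-directory escape on Windows.
const SAMPLE_ENTRIES = [
  "docs/readme.txt",
  "sub/../ok.txt",
  "../outside.txt",
  "..\\outside.txt",
  "/etc/passwd",
  "C:\\Windows\\evil.dll",
  "sub/../../../up.txt",
];
```

An extractor that must behave the same everywhere should require an entry to pass under both platforms, which rejects backslash and drive-letter names even on a POSIX host.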
CVE-2021-32992
FATEK Automation WinProladder Versions 3.30 and prior do not properly restrict operations within the bounds of a memory buffer, which may allow an attacker to execute arbitrary code...
Serendipity freetag cross-site scripting vulnerability
Serendipity is a PHP-based blogging system from the Serendipity team. The system supports the creation of online journals, blogs, web pages and more. A cross-site scripting vulnerability exists in Serendipity freetag plugin versions prior to 3.30. The vulnerability stems from a lack of proper...
ZyXEL ZyWALL USG Cross-Site Request Forgery Vulnerability
ZyXEL ZyWALL USG is a network security firewall appliance from ZyXEL. A cross-site request forgery vulnerability exists in ZyXEL ZyWALL USG versions 2.12 AQQ.2 and 3.30 AQQ.7. A remote attacker can exploit this vulnerability by adding user accounts with the help of the 'cmd'...
ABB IP Gateway Unauthorized Access Vulnerability (CNVD-2018-11991)
ABB IP GATEWAY is a building management system from ABB Switzerland. A security vulnerability exists in ABB IP GATEWAY version 3.39 and earlier, which originates from some configuration files containing passwords in clear text. An attacker could use this vulnerability to gain unauthorized access...