162 matches found
CVE-2026-15097
The Themify Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'heightslider' Slider Module Field in all versions up to, and including, 7.7.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
CVE-2026-29519
CVE-2026-29519 affects Lucee CFML Server across 5.3.x, 6.1.x, 6.2.x, and 7.0.x release lines. It describes a reflected cross-site scripting vulnerability in URL path parsing, where unauthenticated remote attackers can cause arbitrary JavaScript to execute in a victim’s browser by embedding payloa...
CVE-2026-47826
CVE-2026-47826 is a directory traversal vulnerability in the BOSH CLI (blobs.yaml path). Affected are BOSH CLI versions before v7.10.4; exploitation can allow an attacker to write arbitrary files and exfiltrate sensitive data via crafted input in blobs.yaml. Connected advisories from Snyk describ...
WordPress WPJAM Basic plugin <= 7.0 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by hhhai in WordPress Plugin WPJAM Basic versions = 7.0...
CVE-2026-31016
CVE-2026-31016 is a Cross Site Request Forgery vulnerability affecting Squidex.io Squidex CMS up to version 7.21.0 (and earlier). The issue enables a remote attacker to escalate privileges via the IdentityServer account profile endpoint. The vulnerability is documented with a CVSS v3.1 base score...
CVE-2026-56057 WordPress Uncanny Automator Pro plugin <= 7.3.0.6 - PHP Object Injection vulnerability
Subscriber PHP Object Injection in Uncanny Automator Pro = 7.3.0.6 versions...
EUVD-2026-39694
Unauthenticated PHP Object Injection in Uncanny Automator = 7.3.1.2 versions...
CVE-2026-40741
Unauthenticated Broken Access Control in Redsys for WooCommerce Light = 7.0.0 versions...
CVE-2026-27333
Unauthenticated Deserialization of untrusted data in Paid Videochat Turnkey Site = 7.3.23 versions...
CVE-2026-40741 WordPress Redsys for WooCommerce Light plugin <= 7.0.0 - Broken Access Control vulnerability
Unauthenticated Broken Access Control in Redsys for WooCommerce Light = 7.0.0 versions...
CVE-2026-33244
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...
SUSE CVE-2022-23708
A flaw was discovered in Elasticsearch 7.17.0's upgrade assistant, in which upgrading from version 6.x to 7.x would disable the in-built protections on the security index, allowing authenticated users with “” index permissions access to this index...
WordPress Slider Revolution plugin <= 7.0.9 - Unauthenticated Sensitive Information Exposure vulnerability
Unauthenticated Sensitive Information Exposure vulnerability discovered by Nos1x0 in WordPress Plugin Slider Revolution versions = 7.0.9...
aratinga (=0.1.0a0.dev3), coop (>=7.1.0 <=7.2.1) +7 more potentially affected by CVE-2026-44199 via wagtail (>=7.1.0 <=7.2.3)
wagtail PYPI version =7.1.0, =7.1.0, =1.1.1, =2.0.0, =0.0.1, =7.1.0a1, =7.2.0b0 Source cves: CVE-2026-44199 Source advisory: OSV:GHSA-PWM3-7FV4-G6XX...
nbconvert 路径遍历漏洞
nbconvert is a format conversion library from the Jupyter organization. It converts Jupyter .ipynb notebook files into other static formats, including HTML, LaTeX, PDF, Markdown, etc. Version 6.5 to 7.17.0 of nbconvert has a path traversal vulnerability. This vulnerability stems from the improper...
CVE-2026-5050
The CVE-2026-5050 entry details a vulnerability in the Payment Gateway for Redsys & WooCommerce Lite plugin for WordPress. Affected versions are up to and including 7.0.0. The root cause is improper verification of cryptographic signatures: successful_request() handlers compute a local signature ...
Security Bulletin: vulerability in IBM Spectrum Symphony with IBM WebSphere Application Server Liberty
Summary vulerability in IBM Spectrum Symphony with IBM WebSphere Application Server Liberty Vulnerability Details CVEID:CVE-2024-56339 DESCRIPTION: IBM WebSphere Application Server 9.0 and WebSphere Application Server Liberty 17.0.0.3 through 25.0.0.7 could allow a remote attacker to bypass...
CVE-2026-39940 ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked 'Cancel' button on the page. For...
CVE-2026-5082 Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id
Amon2::Plugin::Web::CSRFDefender versions from 7.00 through 7.03 for Perl generate an insecure session id. The generatesessionid function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes using SHA-1 hash seeded with the built-in rand...
EUVD-2025-209116
Hardcoded Password Vulnerability have been found in CENTUM. Affected products contain a hardcoded password for the user account PROG used for CENTUM Authentication Mode within the system. Under the following conditions, there is a risk that an attacker could log in as the PROG user. The default...