30 matches found
OESA-2026-2500 expat security update
expat is a stream-oriented XML parser library written in C. expat excels with files too large to fit RAM, and where performance and flexibility are crucial. Security Fixes: In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via...
CVE-2026-7636 Slider by Soliloquy <= 2.8.1 - Authenticated (Subscriber+) Information Disclosure via REST API Endpoint
The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the mapmetacap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extra...
EUVD-2026-31416
The Slider by Soliloquy – Responsive Image Slider for WordPress plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.8.1 via the mapmetacap. This makes it possible for authenticated attackers, with subscriber-level access and above, to extra...
CVE-2026-45186
In libexpat before 2.8.1, the computational complexity of attribute name collision checks allows a denial of service via moderately sized crafted XML input...
CVE-2026-33548 MantisBT has Stored HTML Injection / XSS when displaying Tags in Timeline
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, improper escaping of tag names retrieved from History in Timeline myviewpage.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has...
GHSA-J3MH-QMJJ-XP83 Ray Dashboard is vulnerable to path traversal through its static file handling mechanism
A path traversal vulnerability was identified in Ray Dashboard default port 8265 in Ray versions prior to 2.8.1. Due to improper validation and sanitization of user-supplied paths in the static file handling mechanism, an attacker can use traversal sequences e.g., ../ to access files outside the...
CVE-2026-32981
Ray Dashboard on port 8265 has a path traversal flaw in versions prior to 2.8.1 due to improper validation/sanitization of user-supplied paths in the static file handling, allowing access to files outside the static directory and causing local file disclosure. Reported with high severity (CVSS 3....
Linux Distros Unpatched Vulnerability : CVE-2026-30838
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - league/commonmark is a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting a newline, tab, or other ASCII...
CVE-2026-30838
CVE-2026-30838 affects league/commonmark, a PHP Markdown parser. Prior to version 2.8.1, the DisallowedRawHtml extension can be bypassed by inserting ASCII whitespace between a disallowed HTML tag name and the closing >, e.g., , enabling a cross-site scripting (XSS) vector for applications tha...
CVE-2026-28427
CVE-2026-28427 affects OpenDeck (Linux software for the Elgato Stream Deck). Prior to version 2.8.1, the service listening on port 57118 serves static plugin files but does not sanitize path components properly. An attacker can use ../ sequences in the request path to traverse outside the intende...
WordPress ShopLentor plugin <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Ngô Thiên An ancorn in WordPress Plugin ShopLentor versions = 2.8.1...
CVE-2025-62857
CVE-2025-62857 affects QuMagie with a cross-site scripting (XSS) vulnerability. Affected versions are prior to 2.8.1; remediation is to upgrade to QuMagie 2.8.1 or later. Multiple sources (NVD, Red Hat, CVE lists, CNVD, EUVD, PT Security) corroborate the issue and fix. The provided documents do n...
CVE-2025-13588
A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and...
CVE-2025-13588
A vulnerability was found in lKinderBueno Streamity Xtream IPTV Player up to 2.8. The impacted element is an unknown function of the file public/proxy.php. Performing manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been made public and...
CVE-2024-1960
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution formerly WooLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Special Offer Day Widget Banner Link in all versions up to, and including, 2.8.1 due to insufficient input...
CVE-2023-0293
The Mediamatic – Media Library Folders plugin for WordPress is vulnerable to authorization bypass due to a missing capability check on its AJAX actions in versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with subscriber-level permissions and above, to chan...
CVE-2023-50839
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in JS Help Desk JS Help Desk – Best Help Desk & Support Plugin.This issue affects JS Help Desk – Best Help Desk & Support Plugin: from n/a through 2.8.1...
CVE-2024-54219
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in thehp AIO Contact aio-contact.This issue affects AIO Contact: from n/a through = 2.8.1...
CVE-2023-43472
An issue in MLFlow versions 2.8.1 and before allows a remote attacker to obtain sensitive information via a crafted request to REST API...
CVE-2023-6019
A command injection existed in Ray's cpuprofile URL parameter allowing attackers to execute os commands on the system running the ray dashboard remotely without authentication. The issue is fixed in version 2.8.1+. Ray maintainers' response can be found here:...