CVE-2026-29170

A cross-site scripting vulnerability exists in modproxyftp's HTML directory list generation in Apache HTTP Server 2.4.67 and earlier when listing FTP directory contents either via forward or reverse proxy configuration. Users are recommended to upgrade to version 2.4.68, which fixes this issue...

CVE-2026-29167

CVE-2026-29167 is a Use After Free vulnerability in Apache HTTP Server when using mod_ldap in per-directory configuration. The issue affects Apache HTTP Server versions 2.4.0 through 2.4.67. The CVSS base score is 9.8 (Network, N), with high impact on confidentiality, integrity, and availability....

Important: httpd

Issue Overview: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue. CVE-2026-24072 Heap-based Buffer...

CVE-2026-34059 affecting package httpd for versions less than 2.4.67-1

CVE-2026-34059 affecting package httpd for versions less than 2.4.67-1. An upgraded version of the package is available that resolves this issue...

CVE-2026-29169

A NULL pointer dereference in moddavlock in Apache HTTP Server 2.4.66 and earlier may allow an attacker to crash the server with a malicious request.moddavlock is not used internally by moddav or moddavfs. The only known use-case for moddavlock was moddavsvn from Apache Subversion earlier than...

EUVD-2026-26944

An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to version 2.4.67, which fixes this issue...

WordPress Internal Link Juicer: SEO Auto Linker for WordPress plugin <= 2.24.6 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Internal Link Juicer: SEO Auto Linker for WordPress versions = 2.24.6...

CVE-2026-25342

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in kutethemes Boutique kute-boutique allows Reflected XSS.This issue affects Boutique: from n/a through 2.4.6...

CVE-2026-25342 WordPress Boutique theme < 2.4.6 - Reflected Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in kutethemes Boutique kute-boutique allows Reflected XSS.This issue affects Boutique: from n/a through 2.4.6...

CVE-2025-67547 WordPress Konte theme <= 2.4.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through = 2.4.6...

WordPress HT Mega - Absolute Addons For Elementor plugin <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lightbox Widget vulnerability

WordPress HT Mega - Absolute Addons For Elementor plugin = 2.4.6 - Authenticated Contributor+ Stored Cross-Site Scripting via Lightbox Widget vulnerability discovered by wesley wcraft in WordPress Plugin HT Mega versions = 2.4.6...

CVE-2025-69317

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS.This issue affects CarSpot: from n/a through 2.4.6...

OESA-2026-1066 fluidsynth security update

FluidSynth is a free software synthesizer. Its currently based on the SoundFont 2 specifications and supports real time MIDI effect controls. It can be used as a shared library for embedding in other applications, can play MIDI files and has a command line shell. Many other applications use...

CVE-2026-22779

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests e.g. insert a new...

CVE-2026-22779 BlackSheep ClientSession is vulnerable to CRLF injection

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests e.g. insert a new...

CVE-2026-22779 BlackSheep ClientSession is vulnerable to CRLF injection

BlackSheep is an asynchronous web framework to build event based web applications with Python. Prior to 2.4.6, the HTTP Client implementation in BlackSheep is vulnerable to CRLF injection. Missing headers validation makes it possible for an attacker to modify the HTTP requests e.g. insert a new...

CVE-2025-65090

XWiki Full Calendar Macro displays objects from the wiki on the calendar. Prior to version 2.4.6, users with the rights to view the Calendar.JSONService page including guest users can exploit the data leak vulnerability by accessing database info, with the exception of passwords. This issue has...

CVE-2025-65082 affecting package httpd for versions less than 2.4.66-1

CVE-2025-65082 affecting package httpd for versions less than 2.4.66-1. An upgraded version of the package is available that resolves this issue...

EUVD-2025-203546

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Stockholm Core stockholm-core allows PHP Local File Inclusion.This issue affects Stockholm Core: from n/a through = 2.4.6...

WordPress Cryptocurrency (Token), Launchpad (Presale), ICO & IDO, Airdrop by TokenICO plugin <= 2.4.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Cryptocurrency Token, Launchpad Presale, ICO & IDO, Airdrop by TokenICO versions = 2.4.7...