24 matches found
CVE-2026-12154
The CVE concerns the WordPress plugin Reviews Widgets for Google, Yelp & TripAdvisor (fb-reviews-widget)
GHSA-3VCG-PV95-PQ54 SFTPGo has stored XSS via inline parameter on public shares and user file download
Summary The inline query parameter on the browsable-share file download and on the authenticated user file download suppressed Content-Disposition: attachment, so an HTML file stored in a share or home directory could be served as text/html and execute in SFTPGo's web origin stored XSS. Impact Lo...
GHSA-H64P-8H4R-6GFH SFTPGo has path confinement bypass in public browsable share partial ZIP download
Summary The public web-client endpoint for partial ZIP downloads of a browsable share did not correctly confine the client-supplied files entries to the shared directory. A requester able to reach a public share could read files located outside the shared directory, as long as the target's...
JLSEC-2026-378
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time...
CVE-2026-40096
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...
CVE-2026-40096
Immich (self-hosted photo/video manager) contains an open redirect in rendering via the shared album name in API code (api.service.ts) affecting versions prior to 2.7.3. An attacker can craft a shared album name that injects a URL into a meta refresh, causing a victim opening the shared link to ...
EUVD-2026-22816
immich is a high performance self-hosted photo and video management solution. Versions prior to 2.7.3 contain an open redirect vulnerability in the shared album functionality, where the album name is inserted unsanitized into a tag in api.service.ts. A registered attacker can create a shared albu...
EUVD-2026-16271
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. In version 2.7.3, the /api/v1/convert/eml/pdf endpoint with parameter downloadHtml=true returns unsanitized HTML from the email body with Content-Type: text/html. An attacker who sends a...
CVE-2025-68031
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms allows Reflected XSS.This issue affects افزونه پیامک حرفه ای فراز اس ام اس: from n/a through = 2.7.3...
CVE-2025-66382
In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time...
CVE-2025-58464
Summary: CVE-2025-58464 affects QuMagie with a relative path traversal vulnerability. Multiple sources (NVD, Red Hat, ENISA EUVD) describe a flaw that could allow a remote attacker to read contents of unexpected files or system data. Affected software: QuMagie (prior to version 2.7.3). Vulnerabil...
PT-2025-45436
Name of the Vulnerable Software and Affected Versions QuMagie versions prior to 2.7.3 Description A relative path traversal issue exists in QuMagie. A remote attacker may be able to read the contents of unexpected files or system data by exploiting this issue. Recommendations Update to QuMagie...
CVE-2025-58809
CVE-2025-58809 affects the WordPress plugin “To Lead For Salesforce.” The vulnerability is a Cross-Site Request Forgery (CSRF) vulnerability that can also enable a reflected XSS. Affected versions are listed as n/a through 2.7.3.9. Remediation per sources is to update to a version later than 2.7....
WordPress WP Abstracts plugin <= 2.7.3 - Cross-Site Request Forgery to Arbitrary Account Deletion vulnerability
Cross-Site Request Forgery to Arbitrary Account Deletion vulnerability discovered by SOPROBRO in WordPress Plugin WP Abstracts versions = 2.7.3...
PT-2024-30876
Name of the Vulnerable Software and Affected Versions Catch Themes Full frame versions 2.7.2 and earlier Description The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting XSS. Specifically, it is a Stored XSS vulnerability. This...
OpenJDK: integer truncation issue in Xalan-J (JAXP, 8285407)
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 o...
PT-2024-21786 · Ibm · Vios +1
Name of the Vulnerable Software and Affected Versions: IBM AIX versions 7.2 through 7.3 VIOS versions 3.1 through 4.1 Description: The Unix domain datagram socket implementation in IBM AIX could potentially expose applications using Unix domain datagram sockets with the SO PEERID operation, which...
SUSE CVE-2020-36382
OpenVPN Access Server 2.7.3 to 2.8.7 allows remote attackers to trigger an assert during the user authentication phase via incorrect authentication token data in an early phase of the user authentication resulting in a denial of service...
GHSA-J3CH-VJPH-8Q6V Command injection in Alluxio
In Alluxio before 2.7.3, the logserver does not validate the input stream. NOTE: this is not the same as the CVE-2021-44228 Log4j vulnerability...
CVE-2022-0273
creationtimestamp| type| source ---|---|--- 2022-01-30 16:23:55+00:00| seen| https://t.me/cibsecurity/36567...