WordPress Checklist <1.1.9 - Cross-Site Scripting

WordPress Checklist plugin before 1.1.9 contains a cross-site scripting vulnerability. The fill parameter is not correctly filtered in the checklist-icon.php file. id: CVE-2019-16525 info: name: WordPress Checklist 1.1.9 - Cross-Site Scripting author: daffainfo severity: medium description:...

WordPress Meta SEO <= 4.5.2 - Open Redirect

The WP Meta SEO WordPress plugin before 4.5.3 did not authorize several AJAX actions, which allowed low-privilege users to update certain data and resulted in an arbitrary redirect vulnerability. id: CVE-2023-0876 info: name: WordPress Meta SEO = 4.5.2 - Open Redirect author: Khalid6468 severity:...

osTicket < v1.16.6 - Cross-Site Scripting

Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to v1.16.6. id: CVE-2023-1318 info: name: osTicket v1.16.6 - Cross-Site Scripting author: ritikchaddha severity: medium description: | Cross-site Scripting XSS - Generic in GitHub repository osticket/osticket prior to...

WPZOOM Social Icons Widget <= 4.2.15 - Missing Authorization

WPZOOM Social Icons Widget & Block versions up to 4.2.15 contain a missing authorization vulnerability caused by insufficient access control in the widget and block, letting attackers perform unauthorized actions, exploit requires no special conditions. id: CVE-2024-30464 info: name: WPZOOM Socia...

IceWarp 11.4.6.0 - Cross-Site Scripting

IceWarp 11.4.6.0 was discovered to contain a cross-site scripting XSS vulnerability via the color parameter. id: CVE-2023-39600 info: name: IceWarp 11.4.6.0 - Cross-Site Scripting author: Imjust0 severity: medium description: | IceWarp 11.4.6.0 was discovered to contain a cross-site scripting XSS...

osTicket < 1.10.2 - Cross-Site Scripting

Cross-site scripting XSS vulnerability in /ajax.php/form/help-topic in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "message" parameter. id: CVE-2018-7192 info: name: osTicket 1.10.2 - Cross-Site Scripting author: ritikchaddha severity:...

WordPress Plugin Flexible Custom Post Type < 0.1.7 - Cross-Site Scripting

A cross-site scripting vulnerability in edit-post.php in the Flexible Custom Post Type plugin before 0.1.7 for WordPress allows remote attackers to inject arbitrary web script or HTML via the id parameter. id: CVE-2011-5106 info: name: WordPress Plugin Flexible Custom Post Type 0.1.7 - Cross-Site...

WordPress Stop Spammers <2021.9 - Cross-Site Scripting

WordPress Stop Spammers plugin before 2021.9 contains a reflected cross-site scripting vulnerability. It does not escape user input when blocking requests such as matching a spam word, thus outputting it in an attribute after sanitizing it to remove HTML tags. id: CVE-2021-24245 info: name:...

osTicket < 1.10.2 - Cross-Site Scripting

Cross-site scripting XSS vulnerability in /scp/directory.php in Enhancesoft osTicket before 1.10.2 allows remote attackers to inject arbitrary web script or HTML via the "order" parameter. id: CVE-2018-7193 info: name: osTicket 1.10.2 - Cross-Site Scripting author: ritikchaddha severity: medium...

MAGMI - Cross-Site Request Forgery

MAGMI Magento Mass Importer is vulnerable to cross-site request forgery CSRF due to a lack of CSRF tokens. Remote code execution via phpcli command is also possible in the event that CSRF is leveraged against an existing admin session. id: CVE-2020-5776 info: name: MAGMI - Cross-Site Request...

WordPress Integrator 1.32 - Cross-Site Scripting

A cross-site scripting vulnerability in wp-integrator.php in the WordPress Integrator module 1.32 for WordPress allows remote attackers to inject arbitrary web script or HTML via the redirectto parameter to wp-login.php. id: CVE-2012-5913 info: name: WordPress Integrator 1.32 - Cross-Site Scripti...

Imgproxy < 3.14.0 - Cross-site Scripting (XSS)

Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to 3.14.0. id: CVE-2023-1496 info: name: Imgproxy 3.14.0 - Cross-site Scripting XSS author: pdteam severity: medium description: Cross-site Scripting XSS - Reflected in GitHub repository imgproxy/imgproxy prior to...

CVE-2026-38978

A flaw was found in Transmission. A clickjacking weakness exists in the browser-facing WebUI and RPC Remote Procedure Call response paths. This vulnerability could allow a remote attacker to trick a user into performing unintended actions by overlaying malicious content over legitimate interface...

Apache ActiveMQ security vulnerabilities

Apache ActiveMQ is an open-source messaging middleware developed by the Apache Foundation in the United States. It supports Java Message Service, clustering, Spring Framework, etc. There is a security vulnerability in Apache ActiveMQ. This vulnerability stems from the default access policy of the...

ZeusCart Cross-Site Request Forgery Vulnerability

ZeusCart is an e-commerce shopping cart system developed by ZeusCart Inc. Version 4.0 of ZeusCart contains a cross-site request forgeing vulnerability. This vulnerability stems from cross-site request forgery, allowing attackers to manipulate user behavior by tricking users into accessing pages...

EUVD-2026-32606

Budibase is an open-source low-code platform. Prior to 3.35.4, the buildMatcherRegex / matches functions in packages/backend-core/src/middleware/matchers.ts route patterns are compiled into unanchored regular expressions and tested against ctx.request.url, which includes the full query string. Th...

Improper Access Control

@delmaredigital/payload-puck is vulnerable to Improper Access Control. The vulnerability is due to the use of Payload's local API with overrideAccess: true in /api/puck/ CRUD endpoints, which allows an attacker to bypass collection-level access controls and perform unauthorized actions...

CVE-2026-33381

A flaw was found in Grafana. When a user's access to mint tokens for a service account is revoked, the system may temporarily allow the user to continue minting tokens for a few seconds. This could lead to a temporary bypass of access control, potentially enabling unauthorized actions if the toke...

MAL-2026-4578 Malicious code in hiura-baileys (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ebb60061f29d4f4279bca1129ebfccefb928bd22364f26961205935ff71393f This is a fork of the Baileys WhatsApp library that adds undocumented behavior abusing the consumer's authenticated WhatsApp account for the author's...

Always-Incorrect Control Flow Implementation

Overview Flask-Security is a Simple security for Flask apps. Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation in the OAuth reauthentication for stale sessions. An attacker can perform unauthorized account actions by completing OAuth verification wit...