Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

Impact Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured gist/WebDAV. The attacker can inject exec fields or global config to cause remote code to run when a bookmark is opened ...

GHSA-JGG9-RW32-44PJ Electerm: Importing unsafe bookmark data could lead to unsafe operation when clicking local type bookmark

Impact Persistent local-pty code execution via imported bookmarks or compromised sync targets. Affects users who import bookmark JSON files or who have electerm sync configured gist/WebDAV. The attacker can inject exec fields or global config to cause remote code to run when a bookmark is opened ...

Inspektor Gadget: Command Injection via malicious buildOptions manipulation

Impacted Resources inspektor-gadget/cmd/common/image/build.go inspektor-gadget/cmd/common/image/helpers/Makefile.build Description The ig binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file...

CVE-2026-4666

The wpForo Forum plugin for WordPress is vulnerable to unauthorized modification of data due to the use of extract$args, EXTROVERWRITE on user-controlled input in the edit method of classes/Posts.php in all versions up to, and including, 2.4.16. The postedit action handler in Actions.php passes...

CVE-2025-54550

The example examplexcom that was included in airflow documentation implemented unsafe pattern of reading value from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary execution of code on the worker. Since the UI users are already highly...

free5gc UDR nudr-dr influenceData/subs-to-notify leaks SUPI in error response body without authentication

Summary An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to retrieve stored subscriber identifiers SUPI/IMSI with a single HTTP GET request requiring no parameters or credentials. Details The endpoint...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsafe template rendering that combines user input with permissive sanitizer handling of data URLs in the display of author and committer names. An attacker can execute arbitrary JavaScript in the context of...

CVE-2025-36353

IBM Db2 for Linux, UNIX and Windows includes Db2 Connect Server 11.5.0 - 11.5.9 and 12.1.0 - 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic...

PT-2025-48291

Name of the Vulnerable Software and Affected Versions Astro versions 5.15.7 and below Description Astro, a web framework, is affected by a double URL encoding bypass. This allows unauthenticated attackers to bypass path-based authentication checks in Astro middleware, potentially granting...

WordPress Polylang plugin deserialization vulnerability

WordPress Polylang plugin is a multilingual WordPress plugin for creating and managing multilingual websites, supports switching from 1 to 10 or more languages, the core functionality is fully integrated with WordPress built-in features e.g. taxonomies without additional dependency on external...

CVE-2024-14009

Nagios XI versions prior to 2024R1.0.1 contain a privilege escalation vulnerability in the System Profile component. The System Profile feature is an administrative diagnostic/configuration capability. Due to improper access controls and unsafe handling of exported/imported profile data and...

CVE-2025-50739

iib0011 omni-tools v0.4.0 is vulnerable to remote code execution via unsafe JSON deserialization...

CVE-2025-62008 WordPress Product Table For WooCommerce plugin <= 1.2.4 - PHP Object Injection vulnerability

Deserialization of Untrusted Data vulnerability in acowebs Product Table For WooCommerce product-table-for-woocommerce.This issue affects Product Table For WooCommerce: from n/a through = 1.2.4...

WordPress plugin Addison 安全漏洞

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. A deserialization vulnerability exists in the WordPress plugin Addison, which arises from unsaf...

EUVD-2021-26601

Malware in sbrugna...

EUVD-2019-0088

Malware in sbrugna...

EUVD-2023-2938

Malicious code in bioql PyPI...

CVE-2025-49841

GPT-SoVITS-WebUI is affected by unsafe deserialization in process_ckpt.py. User input (sovits_path) is passed to torch.load in load_sovits_new, enabling arbitrary code execution. Affected versions: 20250228v3 and prior. At publication, no patched versions are available. No exploitation details ar...

Emerson ValveLink 输入验证错误漏洞

Emerson ValveLink is a suite of digital valve configuration and diagnostic software from Emerson Electric USA. An input validation error vulnerability exists in Emerson ValveLink that stems from failure to properly validate input data, which could lead to unsafe data handling...

CVE-2021-3262

TripSpark VEO Transportation-2.2.x-XPBB-20201123-184084 NovusEDU-2.2.x-XPBB-20201123-184084 allows unsafe data inputs in POST body parameters from end users without sanitizing using server-side logic. It was possible to inject custom SQL commands into the "Student Busing Information" search queri...