Lucene search
+L

1942 matches found

Github Security Blog
Github Security Blog
added 2026/05/15 9:31 p.m.13 views

Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-289f-fq7w-6q2w. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and...

9.8CVSS5.5AI score0.01709EPSS
Exploits0References5Affected Software2
OSV
OSV
added 2026/05/15 9:31 p.m.9 views

GHSA-CH9Q-C9MP-J5GQ Duplicate Advisory: phpMyFAQ has unauthenticated SQL injection via User-Agent header in BuiltinCaptcha

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-289f-fq7w-6q2w. This link is maintained to preserve external references. Original Description phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and...

9.8CVSS5.5AI score0.01709EPSS
Exploits0References4
NVD
NVD
added 2026/05/15 7:17 p.m.31 views

CVE-2026-46364

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS0.01709EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/15 6:36 p.m.12 views

CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/05/15 6:36 p.m.43 views

CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS0.01709EPSS
Exploits0References3
CVE
CVE
added 2026/05/15 6:36 p.m.30 views

CVE-2026-46364

phpMyFAQ prior to version 4.1.2 is affected by an unauthenticated SQL injection in BuiltinCaptcha::garbageCollector() and BuiltinCaptcha::saveCaptcha(), where unsanitized User-Agent headers are interpolated into DELETE/INSERT queries. An attacker can target the public GET /api/captcha endpoint by...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/15 6:36 p.m.19 views

EUVD-2026-30601

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/15 6:36 p.m.8 views

CVE-2026-46364

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.8CVSS5.8AI score0.01709EPSS
Exploits0References4
OSV
OSV
added 2026/05/15 6:36 p.m.5 views

CVE-2026-46364 phpMyFAQ - SQL Injection via User-Agent Header in BuiltinCaptcha

phpMyFAQ before 4.1.2 contains an unauthenticated SQL injection vulnerability in BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods that interpolate unsanitized User-Agent headers into DELETE and INSERT queries. Unauthenticated attackers can exploit the public GET /api/captc...

9.3CVSS5.9AI score0.01709EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/05/15 12:0 a.m.21 views

phpMyFAQ SQL注入漏洞

phpMyFAQ is a multilingual, fully database-driven FAQ system developed by Thorsten Rinne. Versions of phpMyFAQ prior to 4.1.2 contained an SQL injection vulnerability. This vulnerability stemmed from the BuiltinCaptcha::garbageCollector and BuiltinCaptcha::saveCaptcha methods, which inserted...

9.8CVSS5.9AI score0.01709EPSS
Exploits0References1
Veracode
Veracode
added 2026/05/14 6:6 p.m.41 views

Authentication Bypass

github.com/oauth2-proxy/oauth2-proxy is vulnerable to an authentication bypass. The vulnerability is due to improper handling of health check User-Agent values in authrequest-style integrations when --ping-user-agent or --gcp-healthchecks is enabled, which allows an unauthenticated remote attacke...

9.1CVSS5.8AI score0.00475EPSS
Exploits0References3Affected Software2
NVD
NVD
added 2026/05/13 5:16 a.m.12 views

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS0.00481EPSS
Exploits0References12
Cvelist
Cvelist
added 2026/05/13 4:26 a.m.71 views

CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS0.00481EPSS
Exploits0References12
ATTACKERKB
ATTACKERKB
added 2026/05/13 4:26 a.m.7 views

CVE-2026-7635

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS5.8AI score0.00481EPSS
Exploits0References13
EUVD
EUVD
added 2026/05/13 4:26 a.m.14 views

EUVD-2026-29901

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS5.8AI score0.00481EPSS
Exploits0References12
Vulnrichment
Vulnrichment
added 2026/05/13 4:26 a.m.9 views

CVE-2026-7635 coreActivity: Activity Logging for WordPress <= 3.0 - Unauthenticated PHP Object Injection via 'user_agent' Log Meta Field

The coreActivity: Activity Logging for WordPress plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.0. This is due to the plugin failing to validate or strip PHP serialization syntax from the User-Agent HTTP header before storing it in the logmeta...

8.1CVSS5.8AI score0.00481EPSS
Exploits0References12
CVE
CVE
added 2026/05/13 4:26 a.m.19 views

CVE-2026-7635

The CVE-2026-7635 entry concerns the coreActivity: Activity Logging for WordPress plugin for WordPress, affected up to version 3.0. The vulnerability arises from unsanitized PHP serialization in the User-Agent header stored to the logmeta table and later deserialized via maybe_unserialize() durin...

8.1CVSS5.8AI score0.00481EPSS
Exploits0References12
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.12 views

WordPress plugin coreActivity 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There we...

8.1CVSS6AI score0.00481EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/13 12:0 a.m.14 views

PT-2026-40565

Name of the Vulnerable Software and Affected Versions coreActivity: Activity Logging for WordPress versions prior to 3.1 Description The plugin is susceptible to PHP Object Injection, a condition where untrusted data is passed to a deserialization function, potentially allowing the execution of...

8.1CVSS6.2AI score0.00481EPSS
Exploits0References15
EUVD
EUVD
added 2026/05/12 3:31 p.m.8 views

EUVD-2026-29492

LWP::UserAgent versions before 6.83 for Perl leak Authorization and Proxy-Authorization headers on cross-origin redirects. On a 3xx response, the redirect handler strips only Host and Cookie before issuing the follow-up request. Caller-supplied Authorization and Proxy-Authorization headers are se...

5.8AI score0.00266EPSS
Exploits0References5
Rows per page
Query Builder