Lucene search

91 matches found

ATTACKERKB
added 2026/04/17 8:25 p.m. · 2 views

CVE-2026-40285

WeGIA is a web manager for charitable institutions. Versions prior to 3.6.10 contain a SQL injection vulnerability in dao/memorando/UsuarioDAO.php. The cpfusuario POST parameter overwrites the session-stored user identity via extract($_REQUEST) in DespachoControle::verificarDespacho, and the...

8.8 CVSS · 5.9 AI score · 0.00045 EPSS
Exploits 0 · References 2 · Affected Software 1

NVD
added 2026/04/09 6:16 p.m. · 0 views

CVE-2025-63238

A Reflected Cross-Site Scripting (XSS) affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of gid parameter in getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged in user...

6.1 CVSS · 0.00044 EPSS
Exploits 1 · References 2

ATTACKERKB
added 2026/01/28 8:36 p.m. · 3 views

CVE-2026-24769

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

9.4 CVSS · 5.8 AI score · 0.00025 EPSS
Exploits 1 · References 2 · Affected Software 1

OSV
added 2025/10/10 7:50 p.m. · 2 views

CVE-2025-61929 Cherry Studio allows one-click on a specific URL to cause a command to execute

Cherry Studio is a desktop client that supports multiple LLM providers. Cherry Studio registers a custom protocol called cherrystudio://. When handling the MCP installation URL, it parses the base64-encoded configuration data and directly executes the command within it. In the files...

9.6 CVSS · 7 AI score · 0.00076 EPSS
Exploits 1 · References 3

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2016-0920

Malware in sbrugna...

8.4 CVSS · 8.4 AI score · 0.00053 EPSS
Exploits 0 · References 4

EUVD
added 2025/10/07 12:30 a.m. · 1 views

EUVD-2019-13323

Malware in sbrugna...

7.1 CVSS · 5.7 AI score · 0.00057 EPSS
Exploits 0 · References 6

EUVD
added 2025/10/07 12:30 a.m. · 3 views

EUVD-2019-9634

Malware in sbrugna...

6.5 CVSS · 6.2 AI score · 0.07622 EPSS
Exploits 0 · References 4

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2019-9601

Malware in sbrugna...

6.5 CVSS · 6.2 AI score · 0.07622 EPSS
Exploits 0 · References 4

EUVD
added 2025/10/07 12:30 a.m. · 2 views

EUVD-2021-1206

Malware in sbrugna...

7.5 CVSS · 7.5 AI score · 0.00278 EPSS
Exploits 1 · References 6

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2021-32950

Malicious code in bioql PyPI...

10 CVSS · 8.7 AI score · 0.00433 EPSS
Exploits 0 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2022-43587

Malicious code in bioql PyPI...

6.1 CVSS · 6.4 AI score · 0.00459 EPSS
Exploits 0 · References 1

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2022-6966

Malicious code in bioql PyPI...

6.8 CVSS · 5.9 AI score · 0.00011 EPSS
Exploits 1 · References 4

Packet Storm News
added 2025/07/01 12:0 a.m. · 2 views

iOS Activation Flaw Enables Pre-User Device Compromise

A critical vulnerability exists in Apple’s iOS activation pipeline that allows remote XML payload injection before the user ever interacts with the device...

7.3 AI score
Exploits 0

Positive Technologies
added 2025/06/06 12:0 a.m. · 1 views

PT-2025-24255 · Unknown · Simple Membership

Name of the Vulnerable Software and Affected Versions: Simple Membership versions through 4.6.3
Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting, which allows Stored XSS. This means that an attacker can inject...

5.9 CVSS · 5.4 AI score · 0.0017 EPSS
Exploits 0 · References 3

RedhatCVE
added 2025/05/22 10:11 p.m. · 3 views

CVE-2022-3255

If an attacker can control a script that is executed in the victim's browser, then they can typically fully compromise that user. Amongst other things, the attacker can: Perform any action within the application that the user can perform. View any information that the user is able to view. Modify...

6.8 CVSS · 6.4 AI score · 0.00011 EPSS
Exploits 1 · References 1

RedhatCVE
added 2025/05/22 6:25 p.m. · 5 views

CVE-2021-25276

In SolarWinds Serv-U before 15.2.2 Hotfix 1, there is a directory containing user profile files that include users' password hashes that is world readable and writable. An unprivileged Windows user having access to the server's filesystem can add an FTP user by copying a valid profile file to thi...

7.1 CVSS · 7 AI score · 0.00405 EPSS
Exploits 1 · References 1

RedhatCVE
added 2025/03/22 12:30 p.m. · 4 views

CVE-2024-12776

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application...

8.1 CVSS · 7 AI score · 0.002 EPSS
Exploits 1 · References 1

OSV
added 2025/03/20 10:15 a.m. · 5 views

CVE-2024-10727

A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute...

6.1 CVSS · 6.1 AI score
Exploits 0 · References 2

NVD
added 2025/03/20 10:15 a.m. · 8 views

CVE-2024-10727

A reflected cross-site scripting (XSS) vulnerability exists in phpipam/phpipam versions 1.5.0 through 1.6.0. The vulnerability arises when the application receives data in an HTTP request and includes that data within the immediate response in an unsafe manner. This allows an attacker to execute...

6.1 CVSS · 0.00144 EPSS
Exploits 1 · References 2

CVE
added 2025/03/20 10:10 a.m. · 54 views

CVE-2024-10727

CVE-2024-10727 affects phpipam/phpipam versions 1.5.0–1.6.0. A reflected XSS occurs when HTTP request data is included in the immediate response in an unsafe manner, allowing arbitrary JavaScript execution in the user’s browser and potential full compromise. No remediation details are provided in...

6.1 CVSS · 4.1 AI score · 0.00144 EPSS
Exploits 1 · References 2 · Affected Software 1