OSV-2026-621 Use-of-uninitialized-value in vcardtime_from_string

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=505903588 Crash type: Use-of-uninitialized-value Crash state: vcardtimefromstring vcardvaluenewfromstring parsevcard...

OSV-2026-311 UNKNOWN READ in strncasecmp

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=487216732 Crash type: UNKNOWN READ Crash state: strncasecmp vcardcomponentstringtokind parsevcard...

OSV-2026-308 Heap-buffer-overflow in vcardstructured_new_from_string

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=486715154 Crash type: Heap-buffer-overflow WRITE 8 Crash state: vcardstructurednewfromstring vcardparametersetvaluefromstring parsevcard...

OSV-2026-272 Heap-use-after-free in vcardproperty_get_value

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=485932113 Crash type: Heap-use-after-free READ 8 Crash state: vcardpropertygetvalue vcardpropertygetversion parsevcard...

CVE-2020-37071

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

CVE-2020-37071

Summary: CVE-2020-37071 affects CraftCMS 3 vCard Plugin 1.0.0 and is a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code via a crafted payload. The attack is triggered by exploiting the plugin’s vCard download functionality with a specially crafted ...

CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

CVE-2020-37071

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

CVE-2020-37071 CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

PT-2026-5822

CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download...

CraftCMS 3 vCard Plugin 代码问题漏洞

The CraftCMS 3 vCard Plugin is a vCard generator plugin developed by Nathaniel Hammond. Version 1.0.0 of the CraftCMS 3 vCard Plugin has code vulnerabilities; these vulnerabilities stem from deserialization vulnerabilities, which may allow for the execution of arbitrary PHP code...

CVE-2025-13717

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wpgvccfcheckdownloadrequest' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive...

CVE-2025-13717

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wpgvccfcheckdownloadrequest' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive...

CVE-2025-13717 Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wpgvccfcheckdownloadrequest' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive...

CVE-2025-13717 Contact Form vCard Generator <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter

The Contact Form vCard Generator plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'wpgvccfcheckdownloadrequest' function in all versions up to, and including, 2.4. This makes it possible for unauthenticated attackers to export sensitive...

CVE-2025-13717

CVE-2025-13717 affects Contact Form vCard Generator for WordPress. The vulnerability arises from a missing authorization check in wp_gvc_cf_settings.php (function wp_gvccf_check_download_request) that exists in all versions up to and including 2.4. This enables unauthenticated attackers to export...

WordPress plugin Contact Form vCard Generator 安全漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A security vulnerabili...

WordPress Contact Form vCard Generator plugin <= 2.4 - Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter vulnerability

Missing Authorization to Unauthenticated Sensitive Information Exposure via 'wp-gvc-cf-download-id' Parameter vulnerability discovered by Sopon Tangpathum SoNaJaa - freelance in WordPress Plugin Contact Form vCard Generator versions = 2.4...

CVE-2025-43824

The Profile widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...

Liferay Profile Widget does not prevent vCard extension spoofing

The Profile Widget in Liferay Portal 7.4.0 through 7.4.3.111, and older unsupported versions, and Liferay DXP 2023.Q4.0 through 2023.Q4.5, 2023.Q3.1 through 2023.Q3.8, 7.4 GA through update 92, and older unsupported versions uses a user’s name in the “Content-Disposition” header, which allows...