279 matches found
CVE-2026-61428
PraisonAI AgentMail versions before 4.6.78 lack signature verification in webhook mode, allowing unauthenticated attackers to inject messages with spoofed sender addresses. Attackers can POST crafted message.received events to the webhook endpoint to inject arbitrary content into the agent and...
CVE-2026-61428
PraisonAI AgentMail is affected by CVE-2026-61428 in versions before 4.6.78, where webhook messages lack signature verification. This enables unauthenticated attackers to POST crafted message.received events to the webhook endpoint, injecting arbitrary content into the agent and triggering replie...
CVE-2026-12955
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdprcookieconsentajaxsaveschedulescan function the wpajaxgccsaveschedulescan AJAX action in versions up to, and including, 4.3.6...
CVE-2026-12955 Cookie Banner for GDPR / CCPA <= 4.3.6 - Missing Authorization to Authenticated (Subscriber+) Scan Schedule Modification via gcc_save_schedule_scan AJAX Action
The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the gdprcookieconsentajaxsaveschedulescan function the wpajaxgccsaveschedulescan AJAX action in versions up to, and including, 4.3.6...
EUVD-2026-42846
The Easy Upload Files During Checkout plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 3.0.1. This is due to missing authorization checks in the ufdccustominit function, which processes the 'eufdc-delete' parameter without any nonce verification,...
EUVD-2026-42558
The Colissimo Officiel : Méthodes de livraison pour WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updateShippingMethod function registered to the wpajaxlpcorderaffect AJAX action in versions up to, and including, 2.9.0...
CVE-2026-47828
The CVE affects bosh-cli versions prior to 7.10.4. During bosh create-env/delete-env, the CLI uploads CPI packages and rendered job templates to the VM’s DAV blobstore over HTTPS without verifying the server certificate, despite a CA certificate being present in the manifest. This enables a netwo...
DEBIAN-CVE-2026-12252
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...
EUVD-2026-41656
In nltk/nltk versions 3.9.3 and earlier, five Stanford interface classes StanfordPOSTagger, StanfordNERTagger, StanfordParser, StanfordDependencyParser, and StanfordNeuralDependencyParser are vulnerable to untrusted JAR code execution. These classes accept user-controllable JAR paths and execute...
CVE-2026-12090
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppmprojfilter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficie...
CVE-2026-57995 phpMyFAQ - Privilege Escalation via Missing Self-Rights Constraint in GroupController::updatePermissions
phpMyFAQ before 4.1.5 contains a privilege escalation vulnerability in GroupController::updatePermissions that allows GROUPEDIT administrators to grant arbitrary rights to groups without verifying they hold those rights themselves. A delegated administrator can exploit this by assigning high-valu...
CVE-2026-57995
phpMyFAQ
PYSEC-2026-326 dcap-qvl has Missing Verification for QE Identity
Impact This vulnerability involves a critical gap in the cryptographic verification process within the dcap-qvl. The library fetches QE Identity collateral including qeidentity, qeidentitysignature, and qeidentityissuerchain from the PCCS. However, it skips to verify the QE Identity signature...
Session Hijacking
Chainlit is vulnerable to Session Hijacking. The vulnerability is due to missing ownership verification during WebSocket session restoration, where a valid sessionId can be used to restore another user's authenticated session, allowing attackers to gain unauthorized access with the victim's...
CVE-2026-56130
"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...
EUVD-2026-38668
The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistioplugindeleteassistiosettings function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers,...
CVE-2026-54322
Daytona is a secure and elastic infrastructure runtime for AI-generated code execution and agent workflows. Prior to 0.185.0, Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the targe...
GHSA-6P9M-Q3JP-47H4 Gogs: LFS dedupe path leaks private repo content across tenants
Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...
CVE-2026-56357 n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
n8n before 1.123.15 and 2.5.0 contains a webhook forgery vulnerability in the GitHub Webhook Trigger node that fails to implement HMAC-SHA256 signature verification. Attackers who know the webhook URL can send unsigned POST requests to trigger workflows with arbitrary data, spoofing GitHub webhoo...
CVE-2026-56357
n8n’s GitHub Webhook Trigger node is affected in versions before 1.123.15 and 2.5.0 due to missing HMAC-SHA256 signature verification. This allows an attacker who knows the webhook URL to send unsigned POST requests, potentially triggering workflows with arbitrary data and spoofing GitHub webhook...