512 matches found
BIT-APPSMITH-2026-55455 Appsmith: SSRF in REST API / GraphQL datasource plugins via insufficient host denylist
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the outbound HTTP host filter applied by WebClientUtils used by the REST API and GraphQL datasource plugins validates hosts against an exact-match string denylist. The comprehensive address-class check...
CVE-2026-50189 Appsmith: RCE via Supervisord XML-RPC Admin Interface Exposed via /supervisor Caddy Route
Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, Appsmith's bundled supervisord exposes an XML-RPC interface on port 9001, reachable from outside the container via a Caddy reverse-proxy route at /supervisor/ on the public ingress. Combined with the...
CVE-2026-1607
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
Appsmiths SQL Query autocomplete renderer contains a cross site scripting vulnerability
Overview A stored cross-site scripting XSS vulnerability has been discovered in Appsmith, specifically in the CodeMirror based SQL query editor’s autocomplete renderer. CVE-2026-7299 has been assigned to track the vulnerability. An attacker with developer level access to a shared PostgreSQL...
Projectworlds Gate Pass Management System SQL注入漏洞
The Projectworlds Gate Pass Management System is an open-source boarding pass management system developed by Projectworlds. Version 2.1 of the Projectworlds Gate Pass Management System has a SQL injection vulnerability. This vulnerability stems from the login and password parameters, which are...
CVE-2026-8274 npitre cramfs-tools Directory cramfsck.c do_directory path traversal
A security vulnerability has been detected in npitre cramfs-tools up to 2.1. Affected is the function dodirectory of the file cramfsck.c of the component Directory Handler. Such manipulation leads to path traversal. The attack can only be performed from a local environment. The exploit has been...
CVE-2026-8274
CVE-2026-8274 affects npitre cramfs-tools up to version 2.1. The vulnerability is in the Directory Handler’s cramfsck.c do_directory function and enables local path traversal. Exploitation requires local access; the vulnerability is disclosed publicly. A fix is available in version 2.2, with patc...
cramfs-tools 路径遍历漏洞
cramfs-tools is a compression read-only file system tool developed by Nicolas Pitre. Versions of cramfs-tools 2.1 and earlier contained a path traversal vulnerability, which originated from a function in the Directory Handler component called dodirectory in the cramfsck.c file, which allowed for...
Yeapook WDR201A WiFi Extender 操作系统命令注入漏洞
The Yeapook WDR201A WiFi Extender is a wireless signal extension device from the Yeapook company. The Yeapook WDR201A WiFi Extender HW V2.1 version and FW LFMZX28040922V1.02 version have a vulnerability related to operating system command injection. This vulnerability stems from insufficient inpu...
PT-2026-36261
Name of the Vulnerable Software and Affected Versions Fujian Apex LiveBOS versions prior to 2.1 Description A path traversal issue exists in the Endpoint component. A remote attacker can manipulate the filename argument in the '/feed/UploadImage.do' endpoint to access or overwrite files outside t...
CVE-2026-1607 Surbma | Booking.com <= 2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
The Surbma | Booking.com Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's surbma-bookingcom shortcode in all versions up to, and including, 2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possibl...
CVE-2026-5636
A weakness has been identified in PHPGurukul Online Shopping Portal Project 2.1. This affects an unknown part of the file /cancelorder.php of the component Parameter Handler. This manipulation of the argument oid causes sql injection. The attack may be initiated remotely. The exploit has been mad...
CVE-2026-5635
CVE-2026-5635 affects PHPGurukul Online Shopping Portal Project 2.1. The vulnerability is in the Parameter Handler’s /categorywise-products.php, where manipulating the cid parameter leads to SQL injection. Attacks can be launched remotely and the exploit has been released publicly. Concrete remed...
PHPGurukul Online Shopping Portal Project SQL注入漏洞
The PHPGurukul Online Shopping Portal Project is an online shopping portal project developed by PHPGurukul Corporation. Version 2.1 of the PHPGurukul Online Shopping Portal Project contains a SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter filename ...
PHPGurukul Online Shopping Portal Project SQL注入漏洞
The PHPGurukul Online Shopping Portal Project is an online shopping portal project of PHPGurukul Corporation. Version 2.1 of the PHPGurukul Online Shopping Portal Project has a SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter filename in the file...
PT-2026-30428
A flaw has been found in PHPGurukul PHPGurukul Online Shopping Portal Project up to 2.1. Impacted is an unknown function of the file /pending-orders.php of the component Parameter Handler. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely...
PHPGurukul Online Shopping Portal Project SQL注入漏洞
The PHPGurukul Online Shopping Portal Project is an online shopping portal project of PHPGurukul Corporation. Version 2.1 of the PHPGurukul Online Shopping Portal Project has a SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter “pid” in the...
CVE-2026-25457
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in Select-Themes Mixtape mixtape allows PHP Local File Inclusion.This issue affects Mixtape: from n/a through = 2.1...
CVE-2026-25017 WordPress NaturaLife Extensions plugin <= 2.1 - Local File Inclusion vulnerability
Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows PHP Local File Inclusion.This issue affects NaturaLife Extensions: from n/a through = 2.1...
CVE-2026-25018 WordPress NaturaLife Extensions plugin <= 2.1 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in stmcan NaturaLife Extensions naturalife-extensions allows Reflected XSS.This issue affects NaturaLife Extensions: from n/a through = 2.1...