287 matches found
CVE-2026-44502
Bugsink is a self-hosted error tracking tool. Prior to 2.1.3, Bugsink’s webhook URL validation could be partially bypassed because of a mismatch in URL parsing. The original validation logic parsed webhook URLs with Python’s urllib.parse.urlparse, then sent the request with requests.post. For...
GHSA-6V92-PH9P-HRPC AMF Vulnerable to Improper Resource Shutdown or Release
A security vulnerability has been detected in omec-project amf up to 2.1.3-dev. This impacts the function UERadioCapabilityCheckResponse of the file ngap/dispatcher.go. Such manipulation leads to null pointer dereference. The attack can be executed remotely. The exploit has been disclosed publicl...
CVE-2026-8782
A weakness has been identified in omec-project amf up to 2.1.3-dev. This affects an unknown function of the file ngap/handler.go of the component NGAP Message Handler. This manipulation causes null pointer dereference. Remote exploitation of the attack is possible. The exploit has been made...
amf Security Vulnerability
AMF is an open-source library under the Apache License, developed by Free5GC. Versions of AMF such as 2.1.3-dev and earlier contain security vulnerabilities. These vulnerabilities stem from the operation of the RANConfiguration function in the file ngap/handler.go, which allows null pointer...
Server-side Request Forgery (SSRF)
Overview: bugsink is a self-hosted error tracking tool. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the validatewebhookurl process. An attacker can cause the application to send outbound HTTP POST requests to unintended hosts, including internal or...
CVE-2026-39387
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE). The application fails to...
PT-2026-32961
BoidCMS is an open-source, PHP-based flat-file CMS for building simple websites and blogs, using JSON as its database. Versions prior to 2.1.3 are vulnerable to a critical Local File Inclusion (LFI) attack via the tpl parameter, which can lead to Remote Code Execution (RCE). The application fails to...
Sena Parani M10 Motorcycle Intercom Security Vulnerability
Sena Parani M10 Motorcycle Intercom is a motorcycle helmet communication system from South Korea’s Sena company, capable of supporting connections with multiple devices. Version 2.1.3 of Sena Parani M10 Motorcycle Intercom contains a security vulnerability. This vulnerability stems from issues wi...
PT-2026-32094
Name of the Vulnerable Software and Affected Versions: Parani M10 Motorcycle Intercom version 2.1.3. Description: A Bluetooth Classic RFCOMM service is exposed without enforcing secure authentication or proper access control. This allows unauthorized attackers to cause a Denial of Service (DoS) by...
CVE-2026-5465 Amelia <= 2.1.3 - Insecure Direct Object Reference to Authenticated (Employee+) Privilege Escalation via 'externalId' Parameter
The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider Employe...
CVE-2026-32462
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor (master-addons) allows DOM-Based XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.1.3...
EUVD-2026-15423
Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Login Disable allows Functionality Bypass. This issue affects Login Disable: from 0.0.0 before 2.1.3...
CVE-2026-1917
The Drupal Login Disable module is reported to allow login without the required access key via the HTTP request login route: the module does not check the access key on that route, enabling login without the key. This vulnerability is described in OSV-DRUPAL-CONTRIB-2026-008 and PT-2026-6544; no ...
SUSE CVE-2026-27899
WireGuard Portal or wg-portal is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. Aft...
EUVD-2026-12023
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor (master-addons) allows DOM-Based XSS. This issue affects Master Addons for Elementor: from n/a through <= 2.1.3...
CVE-2026-32462
CVE-2026-32462 affects Master Addons for Elementor (Master Addons) up to version 2.1.3. Root cause: improper input neutralization during web page generation enabling DOM-based XSS. Impact: authenticated users (Author+) could trigger stored cross-site scripting in the plugin code. Remediation: upd...
PT-2026-22659
Name of the Vulnerable Software and Affected Versions: Master Addons for Elementor Premium plugin for WordPress versions up to and including 2.1.3. Description: The Master Addons for Elementor Premium plugin for WordPress is susceptible to Remote Code Execution via the JLTMA Widget Admin::render...
CVE-2026-27899
WireGuard Portal or wg-portal is a web-based configuration portal for WireGuard server management. Prior to version 2.1.3, any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. Aft...
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level
Privilege Escalation to Admin via User Self-Update in wg-portal. Summary: Any authenticated non-admin user can become a full administrator by sending a single PUT request to their own user profile endpoint with "IsAdmin": true in the JSON body. After logging out and back in, the session picks up...