57 matches found
CVE-2026-35470
OpenSTAManager
CVE-2026-35470 OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an S...
OpenSTAManager SQL injection vulnerability
OpenSTAManager is an open-source management software for technical assistance and billing developed by Devcode. Versions of OpenSTAManager prior to 2.10.2 contained a SQL injection vulnerability, which stems from the direct concatenation of parameters, potentially leading to SQL injection attacks...
CVE-2026-35168
OpenSTAManager before version 2.10.2 exposes a vulnerability in the Aggiornamenti module (op=risolvi-conflitti-database). It accepts a JSON array of SQL statements via POST and executes them directly on the MySQL database without validation, allowlists, or sanitization, enabling an authenticated ...
CVE-2026-28805
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from...
CVE-2026-28805
OpenSTAManager before v2.10.2 is vulnerable to Time-Based Blind SQL Injection via the options[stato] parameter in multiple AJAX endpoints (preventivi, ordini-cliente, contratti). The user-supplied value is read from $superselect['stato'] and concatenated into SQL WHERE clauses without sanitizatio...
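The two injection entries above (the righe parameter and the options[stato] parameter) describe the same root cause: a request value pasted into SQL text. The following is an added example, not OpenSTAManager's own code, showing that pattern beside a parameterised rewrite. Table and column names are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline.

```php
<?php
// Added example (not OpenSTAManager's code). Hypothetical `righe` table; SQLite in
// memory replaces the application's MySQL connection so the script is self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE righe (id INTEGER PRIMARY KEY, descrizione TEXT, idintervento INTEGER)');
$db->exec("INSERT INTO righe VALUES (1, 'riga A', 10), (2, 'riga B', 10), (3, 'riga C', 11)");

// Vulnerable shape: the comma-separated id list from the query string becomes part
// of the SQL text, so whatever the client sends is parsed as SQL.
function confrontaRigheVulnerable(PDO $db, string $righe): array
{
    $sql = "SELECT id, descrizione FROM righe WHERE id IN (" . $righe . ")";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: accept only bare integers, then bind one placeholder per value.
// Values travel as bound parameters, never as SQL text.
function confrontaRigheSafe(PDO $db, string $righe): array
{
    $parts = array_map('trim', explode(',', $righe));
    $ids   = array_values(array_map('intval', array_filter($parts, 'ctype_digit')));
    if ($ids === []) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, descrizione FROM righe WHERE id IN ($placeholders)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign    = '1,2';
// Constructed payload: closes the IN list, appends an always-true condition and
// comments out the trailing parenthesis.
$malicious = '0) OR 1=1 --';

print_r(confrontaRigheVulnerable($db, $benign));
print_r(confrontaRigheVulnerable($db, $malicious));
print_r(confrontaRigheSafe($db, $benign));
print_r(confrontaRigheSafe($db, $malicious));
```

Run with the PHP CLI (`php example.php`). The vulnerable function returns every row for the constructed payload because the WHERE clause has been rewritten; the hardened function returns nothing for it, since no fragment of the payload survives the integer check, while both return rows 1 and 2 for the benign list. The same placeholder-binding approach applies to a single value such as a status filter in a WHERE clause.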
CVE-2026-29782
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter...
OpenSTAManager security vulnerability
OpenSTAManager is an open-source management software for technical assistance and billing developed by Devcode. Versions of OpenSTAManager prior to 2.10.2 contained security vulnerabilities. These vulnerabilities stemmed from a lack of validation in the database conflict resolution function, whic...
CVE-2026-25999
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to 2.10.2, there is an improper access control vulnerability that allows unauthorized users to trigger a reset or deletion of metadata for any tenant. By sending a crafted request to the /resetMemoryCache endpoint,...
CVE-2022-0880
Cross-site Scripting XSS - Stored in GitHub repository star7th/showdoc prior to 2.10.2...
WordPress Better Messages plugin <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by zer0gh0st in WordPress Plugin BP Better Messages versions <= 2.10.2...
CVE-2025-14154 Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss <= 2.10.2 - Unauthenticated Stored Cross-Site Scripting
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This make...
CVE-2025-14154
CVE-2025-14154 – The WordPress plugin “Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss” is affected by a Stored Cross-Site Scripting (XSS) via guest display name in all versions up to 2.10.2 due to insufficient input sanitization and output escaping. The ...
PT-2025-51814
The Better Messages – Live Chat for WordPress, BuddyPress, PeepSo, Ultimate Member, BuddyBoss plugin for WordPress is vulnerable to Stored Cross-Site Scripting via guest display name in all versions up to, and including, 2.10.2 due to insufficient input sanitization and output escaping. This make...
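The three Better Messages entries above attribute the stored XSS to "insufficient input sanitization and output escaping". The following is an added example, not the plugin's code, contrasting a guest display name stored and echoed verbatim with the same flow sanitised on input and escaped on output. A plain PHP array stands in for the plugin's storage, and `strip_tags`/`htmlspecialchars` stand in for the WordPress helpers `sanitize_text_field()` and `esc_html()`.

```php
<?php
// Added example (not the Better Messages plugin's code). $store is a stand-in for the
// plugin's message table; the payload below is a constructed guest display name.

// Vulnerable flow: the name is stored as received and dropped straight into HTML.
function saveGuestNameVulnerable(array &$store, string $name): void
{
    $store[] = $name;
}

function renderVulnerable(array $store): string
{
    $html = '';
    foreach ($store as $name) {
        $html .= "<li>$name</li>";   // markup inside the name becomes markup in the page
    }
    return $html;
}

// Hardened flow, input side: remove tags and control characters and cap the length.
// This limits what is stored but is not the control that prevents script execution.
function saveGuestNameSafe(array &$store, string $name): void
{
    $clean = strip_tags($name);
    $clean = preg_replace('/[\x00-\x1F\x7F]/u', '', $clean);
    $store[] = mb_substr(trim($clean), 0, 60);
}

// Hardened flow, output side: escape for the HTML context at the point of rendering,
// regardless of what sanitisation the stored value did or did not receive.
function renderSafe(array $store): string
{
    $html = '';
    foreach ($store as $name) {
        $html .= '<li>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $html;
}

$payload = '<img src=x onerror="alert(document.cookie)">';   // constructed guest name

$vulnerable = [];
saveGuestNameVulnerable($vulnerable, 'Mario');
saveGuestNameVulnerable($vulnerable, $payload);
echo renderVulnerable($vulnerable), PHP_EOL;

$safe = [];
saveGuestNameSafe($safe, 'Mario');
saveGuestNameSafe($safe, $payload);
echo renderSafe($safe), PHP_EOL;

// Escaping on output protects even a value that was stored before sanitisation existed,
// which matters when a fix ships after names have already been written to the database.
echo renderSafe($vulnerable), PHP_EOL;
```

The first line of output carries the `<img>` element intact, so any visitor who views the chat executes the attacker's handler. The second and third lines carry only text: the hardened store drops the tag before saving, and `renderSafe` turns the `<`, `>` and `"` of the verbatim copy into entities, which is why output escaping is the control to verify when reviewing a fix for this class of bug.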
CVE-2025-64267
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through...
CVE-2025-64267
CVE-2025-64267 affects the WordPress plugin “WooCommerce Ultimate Points And Rewards” (versions
CVE-2025-64267 WordPress WooCommerce Ultimate Points And Rewards plugin <= 2.10.2 - Sensitive Data Exposure vulnerability
Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPSwings WooCommerce Ultimate Points And Rewards woocommerce-ultimate-points-and-rewards allows Retrieve Embedded Sensitive Data. This issue affects WooCommerce Ultimate Points And Rewards: from n/a through...
WordPress plugin WooCommerce Ultimate Points And Rewards security vulnerability
WordPress WooCommerce Ultimate Points And Rewards plugin is a points and rewards management tool designed for WooCommerce, which awards points through customer behavior e.g., purchases, registrations, comments, etc. and supports redemption of discounts, coupons or free products, aiming to increas...
EUVD-2025-38145
Deserialization of Untrusted Data vulnerability in Cozmoslabs TranslatePress translatepress-multilingual allows Object Injection. This issue affects TranslatePress: from n/a through <= 2.10.2...
EUVD-2024-3251
Malicious code in bioql PyPI...