46 matches found

NVD
added 2026/04/11 2:16 a.m., 0 views

CVE-2026-3498

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4 CVSS, 0.00039 EPSS
Exploits 0, References 4
CVE
added 2026/04/11 1:24 a.m., 3 views

CVE-2026-3498

CVE-2026-3498 involves the BlockArt Blocks WordPress plugin. It is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to and including 2.2.15, caused by insufficient input sanitization and output escaping. Authenticated attackers with Author-level acce...

6.4 CVSS, 5.9 AI score, 0.00039 EPSS
Exploits 0, References 4
EUVD
added 2026/04/11 1:24 a.m., 2 views

EUVD-2026-21617

The BlockArt Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'clientId' block attribute in all versions up to, and including, 2.2.15. This is due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

6.4 CVSS, 5.9 AI score, 0.00039 EPSS
Exploits 0, References 4
RedhatCVE
added 2026/04/07 11:1 p.m., 1 views

CVE-2026-35175

Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15...

7.2 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits 0, References 1
NVD
added 2026/04/06 6:16 p.m., 0 views

CVE-2026-35175

Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15...

7.2 CVSS, 0.00023 EPSS
Exploits 0, References 2
Vulnrichment
added 2026/04/06 5:51 p.m., 0 views

CVE-2026-35175 Ajenti has an authorization bypass during custom package installation

Ajenti is a Linux and BSD modular server admin panel. Prior to 2.2.15, an authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. This vulnerability is fixed in 2.2.15...

7.2 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits 0, References 2
CVE
added 2026/04/06 5:51 p.m., 17 views

CVE-2026-35175

Ajenti (Linux/BSD modular server admin panel) contains an authorization bypass vulnerability (CVE-2026-35175) where an authenticated user using the auth_users method could install a custom package even without superuser privileges. Red Hat/NVD entries confirm the issue and that it is fixed in ver...

7.2 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits 0, References 2, Affected Software 1
Github Security Blog
added 2026/04/03 3:57 a.m., 5 views

Ajenti has an authorization bypass during custom package installation

Impact: An authenticated user using the authusers plugin authentication method could install a custom package even if this user is not superuser. Patches: This is fixed in version 2.2.15. Users should upgrade to this version as soon as possible...

7.2 CVSS, 5.9 AI score, 0.00023 EPSS
Exploits 0, References 4, Affected Software 1
RedhatCVE
added 2026/01/09 10:55 a.m., 6 views

CVE-2022-23907

CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1fmmessage...

6.1 CVSS, 6.1 AI score, 0.00294 EPSS
Exploits 1, References 1
Vulnrichment
added 2025/10/08 12:59 a.m., 1 views

CVE-2025-61787 Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, CreateProcess always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed ev...

8.1 CVSS, 7.3 AI score, 0.0017 EPSS
Exploits 1, References 5
Cvelist
added 2025/10/08 12:59 a.m., 7 views

CVE-2025-61787 Deno is Vulnerable to Command Injection on Windows During Batch File Execution

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions prior to 2.5.3 and 2.2.15 are vulnerable to Command Line Injection attacks on Windows when batch files are executed. In Windows, CreateProcess always implicitly spawns cmd.exe if a batch file (.bat, .cmd, etc.) is being executed ev...

8.1 CVSS, 0.0017 EPSS
Exploits 1, References 5
CVE
added 2025/10/08 12:59 a.m., 20 views

CVE-2025-61787

Deno prior to 2.5.3 and 2.2.15 is vulnerable to Windows batch file command-injection because CreateProcess() can spawn cmd.exe when executing batch files (.bat/.cmd), enabling user-controlled argument injection (e.g., triggering calc.exe). CVE-2025-61787 states these issues are fixed in 2.5.3 and...

8.1 CVSS, 7.3 AI score, 0.0017 EPSS
Exploits 1, References 5, Affected Software 1
CVE
added 2025/10/08 12:37 a.m., 12 views

CVE-2025-61785

Summary : CVE-2025-61785 affects Deno versions prior to 2.5.3 and 2.2.15, where Deno.FsFile.prototype.utime and utimeSync are not properly restricted by --deny-write=./. This allows changing atime/mtime on a read-only opened file even when write is disallowed, bypassing the permission model. The ...

3.3 CVSS, 6.3 AI score, 0.00018 EPSS
Exploits 1, References 5, Affected Software 1
Cvelist
added 2025/10/08 12:37 a.m., 6 views

CVE-2025-61785 Deno's --deny-write check does not prevent permission bypass

Deno is a JavaScript, TypeScript, and WebAssembly runtime. In versions prior to 2.5.3 and 2.2.15, Deno.FsFile.prototype.utime and Deno.FsFile.prototype.utimeSync are not limited by the permission model check --deny-write=./. It's possible to change the access atime and modification mtim...

3.3 CVSS, 0.00018 EPSS
Exploits 1, References 5
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2023-3310

Malicious code in bioql PyPI...

9.8 CVSS, 9.3 AI score, 0.00162 EPSS
Exploits 1, References 7
RedhatCVE
added 2025/05/23 2:43 a.m., 4 views

CVE-2023-50714

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...

8.8 CVSS, 6.8 AI score, 0.0015 EPSS
Exploits 1, References 1
CNNVD
added 2024/07/13 12:0 a.m., 1 views

WordPress plugin EventON security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability exists in...

5.9 CVSS, 6.1 AI score, 0.0011 EPSS
Exploits 1, References 2
OSV
added 2024/06/08 11:15 a.m., 4 views

CVE-2024-35756

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in CeiKay Tooltip CK tooltip-ck allows Stored XSS. This issue affects Tooltip CK: from n/a through 2.2.15...

4.8 CVSS, 5.8 AI score
Exploits 0, References 1
Positive Technologies
added 2024/06/08 12:0 a.m., 3 views

PT-2024-26710 · Unknown · Tooltip Ck

Name of the Vulnerable Software and Affected Versions: Tooltip CK versions through 2.2.15. Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting (XSS). This allows for Stored XSS attacks. Recommendations: For versions...

5.9 CVSS, 5.6 AI score, 0.00106 EPSS
Exploits 0, References 8
NVD
added 2023/12/22 7:15 p.m., 10 views

CVE-2023-50714

yii2-authclient is an extension that adds OpenID, OAuth, OAuth2 and OpenId Connect consumers for the Yii framework 2.0. In yii2-authclient prior to version 2.2.15, the Oauth2 PKCE implementation is vulnerable in 2 ways. First, the authCodeVerifier should be removed after usage similar to authStat...

8.8 CVSS, 0.0015 EPSS
Exploits 1, References 5