27 matches found
OPENSUSE-SU-2026:21111-1 Security update for himmelblau
This update for himmelblau fixes the following issue - CVE-2026-45108: authentication bypass vulnerability in the Device Authorization Grant DAG flow bsc1266662. Changes for himmelblau: - Update to version 2.3.11+git1.116c6763: Update cargo vet audits for backport depsrust: bump the...
SUSE-SU-2026:22186-1 Security update for himmelblau
This update for himmelblau fixes the following issue - CVE-2026-45108: authentication bypass vulnerability in the Device Authorization Grant DAG flow bsc1266662. Changes for himmelblau: - Update to version 2.3.11+git1.116c6763: Update cargo vet audits for backport depsrust: bump the...
PT-2026-49258
Diesel allows loading a SQLite database from a byte buffer, represented as &u8, at runtime via the SqliteConnection::deserialize readonly database function. In previous versions of Diesel, this buffer was passed directly to libsqlite3. Since libsqlite3 requires the buffer to remain alive for as...
CVE-2026-35057
XenForo is affected in versions prior to 2.3.10 and prior to 2.2.19. The vulnerability is a stored XSS in structured text mentions, primarily impacting legacy profile post content. An attacker can inject malicious scripts via crafted mentions that are stored and executed when other users view the...
CVE-2026-21451
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting XSS vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize...
CVE-2026-21447
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...
CVE-2026-21450
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue...
CVE-2026-21447
Bagisto is an open source laravel eCommerce platform. Prior to version 2.3.10, an Insecure Direct Object Reference vulnerability in the customer order reorder function allows any authenticated customer to add items from another customer's order to their own shopping cart by manipulating the order...
CVE-2026-21450
Bagisto SSTI (server-side template injection) in the type parameter allows remote code execution. Affected versions are prior to 2.3.10; version 2.3.10 contains the fix. Exploitation details cited include an example payload accessing the admin view (type={{7*7}}), which can lead to RCE and other ...
CVE-2026-21450 Bagisto has SSTI in parameter that can lead to RCE
Bagisto is an open source laravel eCommerce platform. Versions prior to 2.3.10 are vulnerable to server-side template injection via type parameter, which can lead to remote code execution or another exploitation. Version 2.3.10 fixes the issue...
CVE-2026-21451 Bagisto has HTML Filter Bypass that Enables Stored XSS
Bagisto is an open source laravel eCommerce platform. A stored Cross-Site Scripting XSS vulnerability exists in Bagisto prior to version 2.3.10 within the CMS page editor. Although the platform normally attempts to sanitize tags, the filtering can be bypassed by manipulating the raw HTTP POST...
CVE-2026-21446
Summary (CVE-2026-21446) Bagisto (Laravel-based eCommerce) prior to 2.3.10 exposes installer API endpoints under /install/api/* that remain accessible after installation. The root cause is unauthenticated access to API routes (no auth/CSRF in /install/api/*), enabling an attacker to create admin ...
PT-2026-1125
Name of the Vulnerable Software and Affected Versions Bagisto versions prior to 2.3.10 Description Bagisto, an open source Laravel eCommerce platform, has an issue where API routes remain active even after the initial installation is complete. The API endpoints /install/api/ are directly accessib...
CVE-2025-9075 ZoloBlocks – Gutenberg Block Editor Plugin with Advanced Blocks, Dynamic Content, Templates & Patterns <= 2.3.10 - Authenticated (Contributor+) Stored Cross-Site Scripting
The ZoloBlocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple Gutenberg blocks in versions up to, and including, 2.3.10. This is due to insufficient input sanitization and output escaping on user-supplied attributes within multiple block components including Google...
CVE-2025-32143 WordPress Accordion plugin <= 2.3.10 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in PickPlugins Accordion allows Object Injection. This issue affects Accordion: from n/a through 2.3.10...
WordPress plugin BU Slideshow 跨站脚本漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A cross-site scripting...
WordPress BU Slideshow plugin <= 2.3.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by SOPROBRO Patchstack Alliance in WordPress Plugin BU Slideshow versions = 2.3.10...
Malicious code in @gthwebdev/ui-tooltip (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 62aaab200b33789e76005a82f8665eaec345f6c173d63c8fdae72dff0cc2855d Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
WordPress plugin IMGspider security vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a set of blogging platforms developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL.WordPress plugin is an application plugin. A security...
PT-2024-37540 · WordPress · Imgspider
Name of the Vulnerable Software and Affected Versions: IMGspider plugin for WordPress versions up to, and including, 2.3.10 Description: The IMGspider plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the upload function. This makes it possible fo...