CVE-2026-9509

CVE-2026-9509 affects Suprema BioStar 2 Server (versions 2.9.8, 2.9.10, 2.9.11). An unhandled exception triggered by unauthenticated HTTP POST requests to the /api/migration endpoint can cause a denial of service, halting critical processes and leaving the system offline until services or the ser...

PT-2026-44833

An unhandled exception in Suprema BioStar 2 Server, versions 2.9.8, 2.9.10, and 2.9.11, that allows an unauthenticated remote attacker to cause a denial of service DoS by sending HTTP POST requests to the ‘/api/migration’ endpoint. This request triggers a failure that halts critical processes,...

Astra Linux - уязвимость в libxml2

There is a flaw in the XML entity encoding functionality of libxml2 in versions prior to 2.9.11. An attacker who can provide a crafted file for processing by an application that utilizes the affected functionality of libxml2 may trigger an out-of-bounds read. The most likely impact of this flaw i...

CVE-2025-52353

An arbitrary code execution vulnerability in Badaso CMS 2.9.11. The Media Manager allows authenticated users to upload files containing embedded PHP code via the file-upload endpoint, bypassing content-type validation. When such a file is accessed via its URL, the server executes the PHP payload,...

Badaso 安全漏洞

Badaso is an open source Laravel Vue headless CMS from Uasoft Open Source. A security vulnerability exists in Badaso version 2.9.11, which stems from Media Manager allowing the upload of files containing PHP code, which could lead to arbitrary code execution...

DEBIAN-CVE-2025-54571

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.11 and below, an attacker can override the HTTP response’s Content-Type, which could lead to several issues depending on the HTTP scenario. For example, we have demonstrate...

OESA-2025-1752 mod_security security update

Security Fixes: A vulnerability was found in OWASP ModSecurity 2.9.8/2.9.10 and classified as critical.Using CWE to declare the problem leads to CWE-119. The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary...

OPENSUSE-SU-2025:15313-1 apache2-mod_security2-2.9.11-1.1 on GA media

These are all security issues fixed in the apache2-modsecurity2-2.9.11-1.1 package on the GA media of openSUSE Tumbleweed...

CVE-2025-27153

Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11...

SUSE CVE-2025-52891

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least...

DEBIAN-CVE-2025-52891

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least...

CVE-2025-52891 ModSecurity empty XML tag causes segmentation fault

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least...

ModSecurity -- empty XML tag causes segmentation fault

[email protected] reports: ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the reques...

CVE-2025-27153 Escalade GLPI Plugin Vulnerable to Improper Access Control

Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11...

CVE-2025-27153

CVE-2025-27153 concerns the Escalade GLPI plugin for GLPI. Prior to version 2.9.11, an improper access control vulnerability could allow exposure of data and disrupt workflows. The issue has been patched in version 2.9.11. The published metrics indicate a base CVSS v3.1 score of 6.5 (MEDIUM) with...

PT-2024-16353 · WordPress · Wp User Manager

Name of the Vulnerable Software and Affected Versions: The WP User Manager – User Profile Builder & Membership plugin for WordPress versions up to, and including, 2.9.11 Description: The issue is related to unauthorized access of data due to a missing capability check on the validate user meta ke...

PT-2024-16120 · Unknown +1 · Wp User Manager +2

Name of the Vulnerable Software and Affected Versions: The WP User Manager – User Profile Builder & Membership plugin for WordPress versions up to, and including, 2.9.11 Description: The issue is related to a missing capability check on the add sidebar and remove sidebar functions. This allows...

WordPress Stock Quotes List Plugin <= 2.9.11 is vulnerable to Cross Site Scripting (XSS)

Software Stock Quotes List Type Plugin Vulnerable versions = 2.9.11 Fixed in 2.9.12 OWASP Top 10 A7: Cross-Site Scripting XSS Classification Cross Site Scripting XSS CVE CVE-2023-41666 Patch priority Low CVSS severity Low 6.5 Developer Claim ownership PSID 8915def85604 Credits deokhunKim Required...

GHSA-P57W-9Q28-J6V7 phpMyFAQ CSRF

phpMyFAQ before 2.9.11 allows CSRF...

phpMyFAQ CSRF

phpMyFAQ before 2.9.11 allows CSRF...