16 matches found
CVE-2026-25726
CVE-2026-25726 (Cloudreve) : Prior to 4.13.0, Cloudreve uses the weak Go PRNG math/rand seeded with time.Now().UnixNano() to generate critical secrets (secret_key, hash_id_salt) stored in the DB. An attacker can fetch the administrator account creation time via public APIs, brute-force the PRNG s...
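The Cloudreve entry above describes a pattern worth seeing end to end: a secret derived from math/rand seeded with a nanosecond timestamp is a pure function of that timestamp, so an attacker who learns roughly when the secret was created can enumerate candidate seeds and test each one against anything the secret protects. The Go program below is an added illustration, not Cloudreve's code: the alphabet, the 32-character length, the HMAC-signed token used as the attacker's test oracle and the search window are all assumptions made for the demo. The fix (crypto/rand) is shown alongside.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	mrand "math/rand"
	"time"
)

// Hypothetical alphabet for the generated secret (assumption for the demo).
const alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// weakSecret reproduces the weak pattern the advisory describes: a math/rand
// generator seeded from a nanosecond timestamp. Same seed, same "secret".
func weakSecret(seedNanos int64, n int) string {
	r := mrand.New(mrand.NewSource(seedNanos))
	b := make([]byte, n)
	for i := range b {
		b[i] = alphabet[r.Intn(len(alphabet))]
	}
	return string(b)
}

// strongSecret is the fix: bytes from crypto/rand, so there is no seed to guess.
func strongSecret(n int) (string, error) {
	raw := make([]byte, n)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	return hex.EncodeToString(raw), nil
}

// sign models something observable that depends on the secret: an HMAC-SHA256
// over a known message. This oracle is an assumption standing in for whatever
// the real secret protects (tokens, hash IDs, ...).
func sign(secret, msg string) string {
	m := hmac.New(sha256.New, []byte(secret))
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// recoverSeed walks outward from approxNanos up to +/-window nanoseconds and
// returns the first seed whose derived secret reproduces observedSig.
func recoverSeed(approxNanos, window int64, n int, msg, observedSig string) (int64, bool) {
	for d := int64(0); d <= window; d++ {
		for _, s := range []int64{approxNanos + d, approxNanos - d} {
			if hmac.Equal([]byte(sign(weakSecret(s, n), msg)), []byte(observedSig)) {
				return s, true
			}
			if d == 0 {
				break // +0 and -0 are the same candidate
			}
		}
	}
	return 0, false
}

func main() {
	// Victim side: secret minted from the clock at install time.
	creation := time.Now()
	secret := weakSecret(creation.UnixNano(), 32)
	token := sign(secret, "user=admin")

	// Attacker side: knows the creation time only to 10 microseconds here.
	// A real API leaking whole seconds means ~1e9 candidates, still an
	// offline job, not a cryptographic barrier.
	approx := creation.Truncate(10 * time.Microsecond).UnixNano()
	seed, ok := recoverSeed(approx, 10_000, 32, "user=admin", token)
	fmt.Println("seed recovered:", ok, "matches secret:", weakSecret(seed, 32) == secret)

	s, err := strongSecret(32)
	fmt.Println("crypto/rand secret:", s, err)
}
```

The practical check when auditing Go code is simply grepping for math/rand (or its Seed/NewSource calls) on any path that produces keys, salts, tokens or IDs; anything there must come from crypto/rand.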
CVE-2025-67716
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...
PT-2025-50563
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request...
CVE-2025-54866
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in...
CVE-2025-54866 Wazuh installation fails to protect authd.pass on Windows
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.3.0 to before 4.13.0, a missing ACL on "C:\Program Files (x86)\ossec-agent\authd.pass" exposes the password to all "Authenticated Users" on the local machine. This issue has been patched in...
Wazuh security vulnerability
Wazuh is an open source application used to collect, aggregate, index and analyze security data to help organizations detect intrusions, threats and behavioral anomalies. A security vulnerability exists in Wazuh versions 4.3.0 through prior to 4.13.0, which stems from a missing ACL in...
CVE-2025-13206 GiveWP - Donation Plugin and Fundraising Platform <= 4.13.0 - Unauthenticated Stored Cross-Site Scripting via 'name'
The GiveWP – Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘name’ parameter in all versions up to, and including, 4.13.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...
EUVD-2021-13987
Malware in sbrugna...
WordPress YITH WooCommerce Product Add-Ons plugin <= 4.13.0 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting (XSS) vulnerability discovered by Le Ngoc Anh (Patchstack Alliance) in WordPress Plugin YITH WooCommerce Product Add-Ons versions <= 4.13.0...
WordPress YITH WooCommerce Product Add-Ons Plugin <= 4.13.0 is vulnerable to Cross Site Scripting (XSS)
Software: YITH WooCommerce Product Add-Ons; Type: Plugin; Vulnerable versions: <= 4.13.0; Fixed in: 4.13.1; OWASP Top 10: A3: Injection; Classification: Cross Site Scripting (XSS); CVE: CVE-2024-47367; Patch priority: Medium; CVSS severity: Medium (7.1); Developer: YITH; PSID: 4f86ebd3a7b4; Credits: Le Ngoc Anh; Required...
Spoofing
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
CVE-2021-32808 Cross-site scripting in ckeditor via abuse of undo functionality
ckeditor is an open source WYSIWYG HTML editor with rich content support. A vulnerability has been discovered in the clipboard Widget plugin if used alongside the undo feature. The vulnerability allows a user to abuse undo functionality using malformed widget HTML, which could result in executing...
WordPress File Upload plugin <= 4.12.2 - Directory Traversal vulnerability leading to Remote Code Execution (RCE)
Directory Traversal vulnerability leading to Remote Code Execution (RCE) discovered by p4w in WordPress File Upload plugin versions <= 4.12.2. Solution: Update the WordPress File Upload plugin to the latest available version (at least 4.13.0)...
DomainMOD <= 4.13.0 Multiple Vulnerabilities
DomainMOD is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2019 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:domainmod:domainmod"; if(descripti...
CVE-2018-5225
In browser editing in Atlassian Bitbucket Server from version 4.13.0 before 5.4.8 (the fixed version for 4.13.0 through 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the...