PT-2026-33516
Name of the Vulnerable Software and Affected Versions Auth0 Next.js SDK versions 4.12.0 through 4.17.1 Description Simultaneous requests that trigger a nonce retry may cause the proxy cache fetcher to perform improper lookups for token request results. This occurs when projects use the proxy...
lodash vulnerable to Code Injection via `_.template` imports key names
Impact The fix for CVE-2021-23337 added validation for the variable option in .template but did not apply the same validation to options.imports key names. Both paths flow into the same Function constructor sink. When an application passes untrusted input as options.imports key names, an attacker...
CVE-2026-4800
CVE-2026-4800 is a lodash code-injection issue: when untrusted input is supplied in options.imports to _.template, default-parameter expressions can run at template compilation time. The root cause is that validation existed for the variable option but not for imports key names; lodash’s merge vi...
PT-2026-29336
Name of the Vulnerable Software and Affected Versions lodash versions prior to 4.18.0 Description The software contains a flaw related to template compilation. Specifically, insufficient validation of key names within the options.imports object used by the .template function can allow an attacker...
Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm
Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...
EUVD-2025-15784
Malicious code in bioql PyPI...
CVE-2022-23410
AXIS IP Utility before 4.18.0 allows for remote code execution and local privilege escalation by the means of DLL hijacking. IPUtility.exe would attempt to load DLLs from its current working directory which could allow for remote code execution if a compromised DLL would be placed in the same...
CVE-2025-39349
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop ciyashop allows Object Injection. This issue affects CiyaShop: from n/a through <= 4.18.0...
CVE-2025-39349
Deserialization of Untrusted Data vulnerability in Potenzaglobalsolutions CiyaShop allows Object Injection. This issue affects CiyaShop: from n/a through 4.18.0...
WordPress eForm plugin <= 4.18.0 - Unauthenticated Stored Cross-Site Scripting vulnerability
Unauthenticated Stored Cross-Site Scripting vulnerability discovered by shaman0x01 in WordPress Plugin eForm - WordPress Form Builder versions <= 4.18.0...
Important: Red Hat Security Advisory: OpenShift Virtualization 4.18.0 Images
Red Hat OpenShift Virtualization release 4.18.0 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which...
Gradio < 4.18.0 Vulnerability - CVE-2024-2206
The version of Gradio installed on the remote host is prior to 4.18.0. It is, therefore, affected by an SSRF vulnerability that exists in gradio-app/gradio due to insufficient validation of user-supplied URLs in the /proxy route. Attackers can exploit this vulnerability by manipulating the...
Sensei LMS < 4.18.0 - Contributor+ Stored XSS
Description The plugin does not validate and escape some of its block attributes before outputting them back in a page/post where the block is rendered, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...
PT-2023-33024 · Softwarex · Softwarex
Name of the Vulnerable Software and Affected Versions: SoftwareX versions 4.18.0 Description: A bug in the network handling of inventories was introduced, allowing players to request the server to drop more items than they had available. This led to a server crash and is believed to have been...
Atlassian Jira Service Management 4.14.0 < 4.18.0 Template Injection Code Execution
According to its self-reported version number, the Atlassian Jira Service Management application running on the remote host is version 4.14.x prior to 4.18.0. It is, therefore, affected by a flaw which may allow remote attackers with Jira Administrator access to execute arbitrary Java code or...
kernel security update
4.18.0-372.9.1.0.2.el8.OL8 - debug: lockdown kgdb Orabug: 34270802 CVE-2022-21499 4.18.0-372.9.1.0.1.el8.OL8 - mei: me: disable driver on the ign firmware Alexander Usyskin Orabug: 34176425...
DEBIAN-CVE-2022-24729
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a brows...
CVE-2022-24728
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A vulnerability has been discovered in the core HTML processing module and may affect all plugins used by CKEditor 4 prior to version 4.18.0. The vulnerability allows someone to inject malformed HTML bypassing content...
CVE-2022-24729
CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. CKEditor4 prior to version 4.18.0 contains a vulnerability in the dialog plugin. The vulnerability allows abuse of a dialog input validator regular expression, which can cause a significant performance drop resulting in a brows...
Security Bulletin: IBM Storage Support for Microsoft Volume Shadow Copy Service (VSS) and Virtual Disk Service (VDS) is affected by a vulnerability in Apache Log4j (CVE-2021-4104)
Summary A vulnerability was identified within the Apache Log4j library that is used by IBM Storage Support for Microsoft Volume Shadow Copy Service VSS and Virtual Disk Service VDS for IBM Spectrum Virtualize family and IBM DS8000 family storage systems. This vulnerability has been addressed...