CVE-2025-14774

Incorrect Authorization vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...

CVE-2025-14771

Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...

PT-2026-45907

Files or directories accessible to external parties vulnerability in ABB T-MAC Plus. This issue affects T-MAC Plus: 4.0-24...

CVE-2026-1829 Content Visibility for Divi Builder <= 4.02 - Authenticated (Contributor+) Remote Code Execution

The Content Visibility for Divi Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.02 via the 'etpbtext' shortcode 'cvdbcontentvisibilitycheck' parameter. This makes it possible for authenticated attackers, with Contributor-level access and...

CVE-2026-7509 KIA Subtitle <= 4.0.1 - [Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')]

The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's the-subtitle shortcode before and after attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user supplied attributes. This...

CVE-2026-36388

A Cross-Site Scripting XSS vulnerability was found in PHPGurukal Hospital Management System v4.0 in the /hospital/hms/edit-profile.php page. This flaw allows an authenticated attacker patient to inject a malicious script payload into the User Name parameter, which is stored in the application and...

EUVD-2026-25908

When configured to use an SSL bundle, Spring Boot's Elasticsearch auto-configuration does not perform hostname verification when connecting to the Elasticsearch server. Affected: Spring Boot 4.0.0–4.0.5; upgrade to 4.0.6 or later per vendor advisory...

CVE-2026-39704

CVE-2026-39704 concerns a missing authorization (broken access control) vulnerability in the WordPress plugin Precious Metals Automated Product Pricing – Pro (nfusionsolutions). Affected versions are through 4.0.5, where improperly configured access control security levels can be exploited. The P...

runZero Platform 安全漏洞

runZero Platform is an asset discovery and attack surface management platform developed by the US company runZero. Versions of runZero Platform prior to 4.0.260203.0 contained security vulnerabilities. These vulnerabilities were due to improper authorization, which could allow the MCP proxy to...

EUVD-2026-19069

A vulnerability was determined in Campcodes Complete POS Management and Inventory System up to 4.0.6. This affects an unknown function of the file app/Http/Controllers/SettingsController.php of the component Environment Variable Handler. Executing a manipulation can lead to injection. It is...

Deserialization of Untrusted Data

Overview Affected versions of this package are vulnerable to Deserialization of Untrusted Data in the unserialize process of the AccessTokenAuthenticator class when restoring OAuth token state from cache or storage using PHP's unserialize with allowedclasses = true. An attacker can achieve...

CVE-2026-24114

An issue was discovered in Tenda W20E V4.0brV15.11.0.6. Failure to validate pPortMapIndex may lead to buffer overflows when using strcpy...

CVE-2026-27794 LangGraph: BaseCache Deserialization of Untrusted Data may lead to Remote Code Execution

LangGraph Checkpoint defines the base interface for LangGraph checkpointers. Prior to version 4.0.0, a Remote Code Execution vulnerability exists in LangGraph's caching layer when applications enable cache backends that inherit from BaseCache and opt nodes into caching via CachePolicy. Prior to...

PT-2026-8309

Name of the Vulnerable Software and Affected Versions Tosei Self-service Washing Machine version 4.02 Description A flaw exists in Tosei Self-service Washing Machine version 4.02. The issue impacts an unknown function within the /cgi-bin/tosei datasend.php file. Manipulation of the adr txt 1...

GHSA-73F3-RQQF-2J54 Apache Syncope: Console XXE on Keymaster parameters

Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. Th...

CVE-2026-24422 phpMyFAQ: Public API endpoints expose emails and invisible questions

phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list endpoint calls Question::getAll with showAll=true by default, returning...

CVE-2026-22611

The CVE-2026-22611 issue affects the AWS SDK for .NET (versions 4.0.0 through 4.0.3.2) where the region input field could be set to an invalid value, causing AWS API calls to be routed to non-existent or non‑AWS hosts. A defense‑in‑depth enhancement was added in v4, validating that the region for...

CVE-2025-14436 Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting

The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘userconnectionid’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

Selea CarPlateServer 访问控制错误漏洞

Selea CarPlateServer is a car plate recognition software from Selea, Italy. An access control error vulnerability exists in Selea CarPlateServer version 4.0.1.6, which originates from the ability to bypass authentication by manipulating the NOLISTEXEPATH configuration parameter, which could lead ...

CVE-2025-68951

CVE-2025-68951 affects phpMyFAQ. Versions 4.0.14 and 4.0.15 contain a stored XSS vulnerability where an attacker’s HTML entities in a display_name are decoded server-side and rendered unescaped in the admin user list (Twig |raw), enabling script execution in an administrator’s context. A patch ex...