119 matches found

CNNVD
added 2026/05/28 12:00 a.m. | 4 views

TREK security vulnerability

TREK is a self-hosted, real-time collaborative travel planning tool developed by the individual developer Maurice. It supports map management, budget tracking, and itinerary management. Versions of TREK prior to 3.0.18 contained security vulnerabilities. These vulnerabilities stemmed from the login...

CVSS 5.3 | AI score 5.8 | EPSS 0.00036
Exploits 0 | References 2
CNNVD
added 2026/05/21 12:00 a.m. | 8 views

tickets cross-site scripting vulnerability

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a cross-site scripting vulnerability. This vulnerability stemmed from the use of the id and ticketid GET parameters in the patientw.php file, allowing...

CVSS 5.4 | AI score 5.7 | EPSS 0.00029
Exploits 0 | References 1
EUVD
added 2026/05/15 2:13 a.m. | 6 views

EUVD-2026-30499

A vulnerability in mlflow/mlflow versions 3.9.0 and earlier allows unauthenticated access to certain FastAPI routes when the server is started with authentication enabled (--app-name basic-auth) and served via the uvicorn ASGI server. The FastAPI permission middleware only enforces authentication on /gateway/...

CVSS 8.6 | AI score 6 | EPSS 0.01321
Exploits 1 | References 2
NVD
added 2026/05/14 8:17 p.m. | 8 views

CVE-2026-8587

Use after free in Extensions in Google Chrome on Mac prior to 148.0.7778.168 allowed an attacker who convinced a user to install a malicious extension to execute arbitrary code via a crafted Chrome Extension. Chromium security severity: Medium...

CVSS 8.8 | EPSS 0.00021
Exploits 0 | References 2
CNNVD
added 2026/05/12 12:00 a.m. | 4 views

SSRF Check security vulnerability

SSRF Check is a string checker developed by Felippe Regazio that detects whether a string contains a potential SSRF attack. Versions of SSRF Check prior to 1.3.0 have security vulnerabilities; these vulnerabilities stem from the inability to prevent server-side request forgery attacks that map IPv4 addresses...

CVSS 8.2 | AI score 5.8 | EPSS 0.00051
Exploits 0 | References 2
NVD
added 2026/04/15 8:16 p.m. | 1 view

CVE-2026-6309

Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

CVSS 8.3 | EPSS 0.00045
Exploits 0 | References 2
RedhatCVE
added 2026/04/10 7:23 p.m. | 0 views

CVE-2025-63238

A Reflected Cross-Site Scripting (XSS) vulnerability affects LimeSurvey versions prior to 6.15.11+250909, due to the lack of validation of the gid parameter in the getInstance function in application/models/QuestionCreate.php. This allows an attacker to craft a malicious URL and compromise the logged-in user...

CVSS 6.1 | AI score 5.8 | EPSS 0.00044
Exploits 1 | References 1
NVD
added 2026/04/08 10:16 p.m. | 3 views

CVE-2026-5860

Use after free in WebRTC in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: High...

CVSS 8.8 | EPSS 0.00134
Exploits 0 | References 2
CNNVD
added 2026/04/07 12:00 a.m. | 4 views

ChurchCRM code issue vulnerability

ChurchCRM is an open-source CRM system developed for churches. Versions of ChurchCRM prior to 6.5.3 had code vulnerabilities. These vulnerabilities stemmed from path traversal in the backup restoration function, which could allow authenticated administrators to upload arbitrary...

CVSS 9.1 | AI score 6.3 | EPSS 0.00677
Exploits 1 | References 1
CNNVD
added 2026/04/01 12:00 a.m. | 1 view

Payload cross-site scripting vulnerability

Payload is a headless CMS and application framework built with TypeScript, Node.js, React, and MongoDB. Versions of Payload prior to 3.78.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from improper sanitization of user input in the administration panel, which could le...

CVSS 8.7 | AI score 5.7 | EPSS 0.00016
Exploits 0 | References 1
Vulnrichment
added 2026/03/31 8:51 a.m. | 1 view

CVE-2026-3106 Multiple vulnerabilities in Teampass

Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality, in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly sanitize or encode the information...

CVSS 9.3 | AI score 6 | EPSS 0.00042
Exploits 0 | References 1
Vulnrichment
added 2026/03/25 4:15 p.m. | 2 views

CVE-2026-32567 WordPress YML for Yandex Market plugin < 5.3.0 - Arbitrary File Deletion vulnerability

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in icopydoc YML for Yandex Market (yml-for-yandex-market) allows Path Traversal. This issue affects YML for Yandex Market: from n/a through 5.3.0...

AI score 5.8 | EPSS 0.00061
Exploits 0 | References 1
Patchstack
added 2026/03/23 1:22 p.m. | 4 views

WordPress Sanzo theme < 2.4.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Theme Sanzo versions 2.4.3...

CVSS 6.5 | AI score 5.8 | EPSS 0.00045
Exploits 0 | Affected Software 1
CNNVD
added 2026/03/23 12:00 a.m. | 3 views

Blinko security vulnerability

Blinko is an open-source, AI-based, card-style note-taking application designed for users who want to quickly capture and organize fleeting ideas. Versions of Blinko prior to 1.8.4 contained security vulnerabilities. These vulnerabilities stemmed from unauthorized access to the /api/v1/comment/creat...

CVSS 6.9 | AI score 5.8 | EPSS 0.00015
Exploits 0 | References 4
CNNVD
added 2026/03/12 12:00 a.m. | 2 views

TinaCMS path traversal vulnerability

TinaCMS is an open-source headless CMS developed by Tina for Markdown, MDX, and JSON formats. Versions of TinaCMS prior to 2.1.2 contained a path traversal vulnerability. This vulnerability stemmed from the use of path.join to combine paths without verifying that the resolved path remained within...

CVSS 6.3 | AI score 5.8 | EPSS 0.00093
Exploits 1 | References 1
Vulnrichment
added 2026/03/09 10:13 p.m. | 0 views

CVE-2026-28281 InstantCMS has Multiple CSRF Vulnerabilities

InstantCMS is a free and open source content management system. Prior to 2.18.1, InstantCMS does not validate CSRF tokens, which allows attackers to grant moderator privileges to users, execute scheduled tasks, move posts to trash, and accept friend requests on behalf of the user. This vulnerability...

CVSS 7.1 | AI score 5.8 | EPSS 0.00027
Exploits 1 | References 1
CVE
added 2026/02/17 7:19 p.m. | 53 views

CVE-2026-22769

CVE-2026-22769 affects Dell RecoverPoint for Virtual Machines (RP4VMs) versions prior to 6.0.3.1 HF1, where a hard-coded credential vulnerability can allow an unauthenticated attacker to gain full control of the underlying OS with root-level persistence. A PoC circulating on PacketStorm demonstra...

CVSS 10 | AI score 5.8 | EPSS 0.22894
In wild | Exploits 1 | References 3 | Affected Software 1
Cvelist
added 2026/01/28 5:26 p.m. | 27 views

CVE-2025-57792 SQL Injection Vulnerability in Explorance Blue

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication,...

EPSS 0.00143
Exploits 0 | References 4
CVE
added 2026/01/27 8:53 a.m. | 13 views

CVE-2026-24816

The CVE-2026-24816 issue affects the datavane tis project (tis-console) and is described as a Loop with Unreachable Exit Condition (an "infinite loop") in ChangeDomainAction.Java. The affected version range is tis before v4.3.0. The Red Hat, NVD, CIRCL, OSV, and other feeds consistently reference the...

CVSS 10 | AI score 5.9 | EPSS 0.00082
Exploits 0 | References 1
CNNVD
added 2026/01/26 12:00 a.m. | 2 views

GPAC buffer error vulnerability

GPAC is an open-source multimedia framework developed by GPAC. Versions of GPAC prior to 2.4.0 contained a buffer error vulnerability, which stemmed from an out-of-bounds write in the SRT subtitle import component...

CVSS 7.8 | AI score 6.2 | EPSS 0.00015
Exploits 1 | References 7