94 matches found
CVE-2026-45320
DataEase (open source data visualization/analysis tool) is affected by an SQL injection in dashboard variables. Prior to version 2.10.23, dashboard SQL variables (e.g., ${deptId}) are processed by SqlparserUtils.transFilter(), whose final branch returns raw user input for non-in and non-between o...
CVE-2026-50529 DataEase: Link Token Leakage Prior to Share Password/Ticket Validation
DataEase is an open source data visualization and analysis tool. Prior to 2.10.24, the /de2api/share/proxyInfo share interface generates and returns X-DE-LINK-TOKEN before validating the share password or ticket, allowing unauthenticated attackers who know a protected share UUID to obtain a valid...
PYSEC-2026-1029 TensorFlow vulnerable to floating point exception in `Conv2D`
Impact If Conv2D is given empty input and the filter and padding sizes are valid, the output is all-zeros. This causes division-by-zero floating point exceptions that can be used to trigger a denial of service attack. python import tensorflow as tf import numpy as np with tf.device"CPU": also can...
EUVD-2026-38218
Authorization handling for component configuration verification requests in Apache NiFi 1.15.0 through 2.9.0 allows clients with read access to submit proposed configuration properties. The proposed properties override current configuration, enabling users with read access to invoke predefined...
CVE-2026-44913
Improper escaping of database table names in the CaptureChangeMySQL Processor included with Apache NiFi 1.2.0 through 2.9.0 allows for injecting SQL commands using crafted naming. Manual quoted boundaries added in Apache NiFi 1.8.0 narrowed the scope of potential injection options, but did not...
CVE-2026-7486 SQLi in Netcad's E-İmar
Improper neutralization of special elements used in an SQL command 'SQL injection' vulnerability in Netcad Software Inc. E-İmar allows SQL Injection. This issue affects E-İmar: from 2.10.1.0 before 3.0.2...
Important: Red Hat Security Advisory: multicluster engine for Kubernetes v2.10.3 security update
The multicluster engine for Kubernetes 2.10 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. The multicluster engine for Kubernetes v2.10 images The multicluster engine for Kubernetes provides the foundational components that a...
CVE-2026-44367
Klaw is a self-service Apache Kafka Topic Management/Governance tool/portal. Prior to version 2.10.4, a vulnerability exists in the user registration and login mechanisms due to inconsistent handling of username case sensitivity, leading to a targeted Denial of Service DoS and complete account...
Joomla Component Ek Rishta SQL注入漏洞
The Joomla Component Ek Rishta is a Joomla-based dating and networking website component developed by the Ek Rishta team. Version 2.10 of the Ek Rishta component contains an SQL injection vulnerability. This vulnerability arises from the injection of malicious code through the username parameter,...
CLEANSTART-2026-AP92343 Security fixes for CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32285, CVE-2026-32287, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-34986, ghsa-65xw-vw82-r86x, ghsa-6g7g-w4f8-9c9x, ghsa-78h2-9frx-2jm8, ghsa-p77j-4mvh-x3m3 applied in versions: 2.10.3-r0
Multiple security vulnerabilities affect the tempo-fips package. These issues are resolved in later releases. See references for individual vulnerability details...
Joomla! extension EkRishta SQL注入漏洞
The Joomla! extension EkRishta is an open-source community extension designed to provide Joomla websites with functions for matchmaking and marriage-related services. Version 2.10 of the Joomla! extension EkRishta contains a SQL injection vulnerability. This vulnerability stems from persistent...
GHSA-V4GP-HF5J-4566 IKUS Rdiffweb allows an attacker with any valid or stolen access token to act as other users
IKUS Rdiffweb version 2.10.5 and below have an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify...
CVE-2026-38751
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality modules/aggiornamenti/uploadmodules.php...
CVE-2026-42052 beets is Vulnerable to XSS
Beets is the media library management system. Prior to version 2.10.0, the bundled web UI uses Underscore template interpolation mode for untrusted metadata fields. In this runtime, is raw insertion and HTML escaping is only performed by . Rendered output is then inserted with .html..., allowing...
CVE-2026-38751
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality modules/aggiornamenti/uploadmodules.php...
CVE-2025-67796
IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users...
CVE-2026-5110
The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping in the SingleProduct field when used inside a Repeater field. When SingleProduct fields are...
EUVD-2026-18204
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Mark O’Donnell MSTW League Manager allows DOM-Based XSS.This issue affects MSTW League Manager: from n/a through 2.10...
WordPress MSTW League Manager plugin <= 2.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting XSS vulnerability discovered by Conor Sullivan in WordPress Plugin MSTW League Manager versions = 2.10...
EUVD-2026-14666
WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.10.0, an authorization flaw in updateComment allows an authenticated low-privileged user including a custom role with zero capabilities to change moderation status of their own comment for example to APPROVE without the...