2730 matches found
EUVD-2026-34067
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user...
Atlassian Bitbucket - Remote Command Injection
Atlassian Bitbucket Server and Data Center is susceptible to remote command injection. Multiple API endpoints can allow an attacker with read permissions to a public or private Bitbucket repository to execute arbitrary code by sending a malicious HTTP request, thus making it possible to obtain...
EEF-CVE-2026-56810 mint buffers an entire chunked response chunk in memory in Mint.HTTP1.decode_body/5
Summary Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint mint Mint.HTTP1 module allows a denial of service via an oversized chunked transfer-encoded response. This vulnerability is associated with program files lib/mint/http1.ex and program routines...
PT-2026-56038
Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description A low-privileged staff account can grant arbitrary module permissions to itself, leading to persistent privilege escalation. A user possessing the staff.create and edit staff permission can call...
CVE-2026-27657 Gitea email settings allow changing another user's primary email address
Gitea versions before 1.25.5 allow a user to change another user's primary email address...
PT-2026-54390
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description Insufficient validation of untrusted input in Cast allows a remote attacker who has compromised the renderer process to perform privilege escalation via a crafted HTML page...
EUVD-2026-39740
Contributor Cross Site Scripting XSS in SeedProd Pro 6.19.5 versions...
PT-2026-51041
Name of the Vulnerable Software and Affected Versions Branda plugin for WordPress versions prior to 3.4.30 Description The plugin is susceptible to privilege escalation through account takeover. This occurs because the software fails to properly validate a user's identity before updating a...
EUVD-2026-37662
Unauthenticated Broken Access Control in WordPress Dating Theme = 11.2.0 versions...
EUVD-2026-37657
Subscriber SQL Injection in WooCommerce Frontend Manager – Ultimate 6.7.7 versions...
EUVD-2026-37013
Authorization Bypass Through User-Controlled Key vulnerability in elixir-grpc grpc allows authenticated attackers to access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. In...
CVE-2026-34902
Unauthenticated Cross Site Scripting XSS in WooCommerce Product Table Lite = 4.6.3 versions...
EUVD-2026-36870
Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce = 3.2.1 versions...
PT-2026-49532
Name of the Vulnerable Software and Affected Versions elixir-grpc versions 0.8.0 through 0.9.x Description Authenticated attackers can access or modify resources belonging to other users by smuggling a conflicting value for any path-bound field via the query string or request body. This occurs in...
CVE-2026-47236
CVE-2026-47236 affects the Solidtime open‑source time-tracking app prior to version 0.12.2. The root cause is insufficient access control in the Jetstream-backed team page: invitations:view and members:view permissions gate the official APIs, but the Jetstream page authorizes access with only bel...
Spring Framework 6.2.x < 6.2.18.1 / 7.0.x < 7.0.7.1 SSRF
The version of Spring Framework installed on the remote host is 6.2.x prior to 6.2.18.1, or 7.0.x prior to 7.0.7.1. It is, therefore, affected by a vulnerability: - Due to incorrect host parsing, applications that rely on UriComponentsBuilder to parse and validate an externally provided URL strin...
EUVD-2026-36087
In Splunk SOAR Security Orchestration, Automation, and Response versions below 8.5.0, an unauthenticated attacker could inject American National Standards Institute ANSI escape codes into SOAR application log files through specially crafted HTTP request paths, which a terminal emulator might...
EUVD-2026-36081
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, and Splunk Cloud Platform versions below 10.3.2512.13, 10.2.2510.15, 10.1.2507.23, and 9.3.2411.132, a low-privileged user that does not hold the 'admin' or 'power' Splunk roles could craft a malicious classic dashboard that...
CVE-2026-11572
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec method by cloneWithGit and fetchRefs functions. An attacker can execute arbitrary operating syst...
CVE-2026-48101
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule .scap parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize up to 1 GiB without...