5071 matches found
CVE-2026-55208
Pimcore Studio Backend Bundle is the backend bundle for Pimcore Studio. Prior to 2025.4.6 and 2026.1.6, an authenticated user can extract the admin password hash and other database content through time-based blind SQL injection in the DateFilter column key parameter. The POST...
CVE-2026-5005
CVE-2026-5005 : A stored cross-site scripting (XSS) vulnerability in Twiser Informatics Technology Consulting, Trade and Education Inc. OKRs & Goals due to improper input neutralization during web page generation. Affected versions are OKRs & Goals from 28220 before 28398. The CVSS 3.1 vector ind...
EUVD-2026-42518
A network attacker positioned between UAA and its LDAP directory can impersonate the directory using any certificate from any trusted CA, then harvest the LDAP bind password and every end-user password sent during simple-bind authentication, and return forged group memberships that grant themselv...
WordPress aBlocks plugin < 2.9.1 - Privilege Escalation vulnerability
Privilege Escalation vulnerability discovered by Evan NR in WordPress Plugin aBlocks versions 2.9.1...
CVE-2026-14868
The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gai...
EUVD-2026-42031
Credentials of built-in users are insecurely stored in the User directory of PcVue projects, all versions prior to 17.0.0. A local attacker could retrieve users’ credentials. Active Directory accounts are not affected by this vulnerability...
PT-2026-56174
Name of the Vulnerable Software and Affected Versions PcVue versions prior to 17.0.0 Description The encryption algorithm used to protect the configuration of user accounts within the built-in user directory of projects is insufficient. This weakness allows a local attacker to modify the existing...
EUVD-2025-210433
ownCloud is a file storage, synchronization, and sharing application. In ownCloud 10 prior to version 10.15.3, an attacker with administrative privileges can exploit a path traversal vulnerability in the system to execute arbitrary code. Upgrade ownCloud 10 to version 10.15.3 or later to receive ...
CVE-2026-27780 Gitea pre-receive hook can miss branch-protection checks after scanner errors
Gitea versions before 1.26.0 do not fail closed on bufio.Scanner errors while processing pre-receive hook input, allowing oversized input to bypass branch-protection checks...
CVE-2026-20909
Gitea (go-gitea/gitea) versions before 1.25.5 are affected by an access control issue in the tracked-time list endpoint, allowing potential disclosure of time-tracking data due to insufficient permission checks. The vulnerability is mitigated by upgrading to version 1.25.5 or higher (as per the l...
CVE-2026-20909 Gitea tracked-time list endpoint has insufficient permission checks
Gitea versions before 1.25.5 have insufficient permission checks when listing tracked time entries...
PT-2026-55593
Name of the Vulnerable Software and Affected Versions Gitea versions prior to 1.25.5 Description Insufficient visibility checks exist within organization permission APIs, which may affect hidden members and private organizations. Recommendations Update to version 1.25.5 or later...
CVE-2026-55952 TLS 1.3 server denial of service via malformed ClientHello pre-shared key extension
The Erlang/OTP ssl application does not validate that the PSK identity list and binder list carried in a TLS 1.3 ClientHello pre-shared key extension have equal length before passing them to the session ticket handler. In tlshandshake13:handlepresharedkey/3, an OfferedPreSharedKeys record with a...
EUVD-2026-41369
Improper neutralization of input during web page generation 'cross-site scripting' vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117...
CVE-2026-58038 Stored XSS through javascript URLs in SVGs generated by EasyTimeline
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation timeline. This vulnerability is associated with program files includes/Timeline.Php, scripts/EasyTimeline.Pl. This issue affects timeline: from before 1.46.0, 1.45.4,...
EUVD-2026-41012
Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from...
PT-2026-54228
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 150.0.7871.47 Description An inappropriate implementation in PerformanceAPIs allows a remote attacker to leak cross-origin data through the use of a crafted HTML page. Recommendations Update Google Chrome to...
PYSEC-2026-277 Apache Airflow Google Provider Improper Input Validation vulnerability
Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0...
PYSEC-2026-270 OS Command Injection in Apache Airflow
Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability in Apache Airflow Pig Provider, Apache Airflow allows an attacker to control commands executed in the task execution context, without write access to DAG files. This issue affects Pig Provider...
CVE-2025-0824
Lack of validation for firmware update in Hitachi Hitachi Virtual Storage Platform One Block 23, 24, 26, 28. This issue affects Hitachi Virtual Storage Platform One Block 23, 24, 26, 28: before DKCMAIN A3-04-21-40/00, ESM A3-04-21/00...