421 matches found
WordPress KIDZ theme <= 5.24 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme KIDZ versions = 5.24...
CVE-2026-33171 Statamic has a path traversal in file dictionary fieldtype
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...
CVE-2026-33155 DeepDiff has Memory Exhaustion DoS through SAFE_TO_IMPORT
DeepDiff is a project focused on Deep Difference and search of any Python data. From version 5.0.0 to before version 8.6.2, the pickle unpickler RestrictedUnpickler validates which classes can be loaded but does not limit their constructor arguments. A few of the types in SAFETOIMPORT have...
CVE-2026-32875 UltraJSON has an integer overflow handling large indent leads to buffer overflow or infinite loop
UltraJSON is a fast JSON encoder and decoder written in pure C with bindings for Python 3.7+. Versions 5.10 through 5.11.0 are vulnerable to buffer overflow or infinite loop through large indent handling. ujson.dumps crashes the Python interpreter segmentation fault when the product of the indent...
Craft CMS 安全漏洞
Craft CMS is an open-source content management system developed by Craft Studio. Vulnerabilities existed in versions of Craft CMS from 4.0.0-RC1 to 4.17.6, as well as in versions 5.0.0-RC1 to 5.9.12. These vulnerabilities stemmed from a potential exploit where low-privilege users or unverified...
CVE-2026-29784
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...
CVE-2026-28103
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in LambertGroup LBG Zoominoutslider lbgzoominoutslider allows Reflected XSS.This issue affects LBG Zoominoutslider: from n/a through = 5.4.5...
be.yildiz-games:module-messaging-activemq (>=1.0.0 <=1.0.1), cn.codeforfun:jfinal-activemq (=0.3) +215 more potentially affected by CVE-2025-66168 +1 more via org.apache.activemq:activemq-all (>=5.0.0 <=5.19.1)
org.apache.activemq:activemq-all MAVEN version =5.0.0, =1.0.0, =6.0.03, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.3-rc1, =2.0.0, =3.0.0, =8.0.0, =2.0.0, =1.0.0, =1.0.1, =1.0.2 and more Source cves: CVE-2025-66168, CVE-2026-40046 Source advisory: SNYK:JAVA-ORGAPACHEACTIVEMQ-15426350...
Astra Linux – Vulnerability in Linux 6.1
In the Linux kernel, the following vulnerabilities have been resolved: Squashfs: negative file sizes are now rejected in squashfsread inode. Syskaller reports a “WARNING in ovlcopyupfile” in overlayfs. This warning occurs because the underlying Squashfs file system returns a file with a negative...
Digital Arts FinalCode Client 安全漏洞
Digital Arts FinalCode Client is an enterprise-level information rights management client software developed by Digital Arts Inc. The Digital Arts FinalCode Client Ver.5 series and Ver.6 series contain security vulnerabilities. These vulnerabilities stem from incorrect default permissions, which...
CVE-2026-27129
Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...
CVE-2026-25368
Missing Authorization vulnerability in codepeople Calculated Fields Form calculated-fields-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Calculated Fields Form: from n/a through = 5.4.4.1...
CVE-2026-25388
Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through = 5.0...
WordPress Ads Pro plugin <= 5.0 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Ads Pro versions = 5.0...
CVE-2026-26370
WordPress Plugin "Survey Maker" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser...
Statamic affected by privilege escalation via stored cross-site scripting
Impact Stored XSS vulnerability in html fieldtypes allow authenticated users with field management permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. Patches This has been fixed in 6.3.2 and 5.73.9...
WordPress plugin WpEvently 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
WordPress WpEvently plugin <= 5.1.1 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Phat RiO in WordPress Plugin WpEvently versions = 5.1.1...
CVE-2026-2543
A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. T...
Craft CMS 代码问题漏洞
Craft CMS is an open-source content management system developed by Craft CMS. There are code vulnerabilities in versions 4.0.0-RC1 to 4.16.17, and from 5.0.0-RC1 to 5.8.21 of Craft CMS. These vulnerabilities stem from the IP address validation function’s inability to recognize alternate...