Security Bulletin: A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. (CVE-2026-4096)

Summary A vulnerability has been identified in IBM DevOps Plan that allows a Host Header Injection attack due to improper handling of the Host header in HTTP requests. Version 3.0.7 addresses the vulnerability. Vulnerability Details CVEID:CVE-2026-4096 DESCRIPTION: IBM DevOps Plan is vulnerable t...

WordPress myCred plugin <= 3.0.3 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Jakub Herman in WordPress Plugin myCred versions = 3.0.3...

CVE-2026-3608

Sending a maliciously crafted message to the kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, or kea-dhcp6 daemons over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow error. This issue affects Kea versions 2.6.0 through 2.6.4 and 3.0.0 through 3.0.2...

CVE-2026-3608

CVE-2026-3608 affects Kea daemons (kea-ctrl-agent, kea-dhcp-ddns, kea-dhcp4, kea-dhcp6). A maliciously crafted message over any configured API socket or HA listener can cause the receiving daemon to exit with a stack overflow. Affected versions: 2.6.0–2.6.4 and 3.0.0–3.0.2. Exploitation details a...

CVE-2026-4004

The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callbacksearch function and insufficient input validation that allows shortcode syntax...

PT-2026-6183

Name of the Vulnerable Software and Affected Versions Apache Syncope versions 3.0 through 3.0.15 Apache Syncope versions 4.0 through 4.0.3 Description A reflected cross-site scripting XSS issue exists in the Enduser Login page of Apache Syncope. An attacker could potentially steal user credential...

CVE-2025-62078

Missing Authorization vulnerability in Fahad Mahmood Easy Upload Files During Checkout easy-upload-files-during-checkout allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Upload Files During Checkout: from n/a through = 3.0.0...

Astra Linux - уязвимость в haproxy

HAProxy 2.9.x before 2.9.10, 3.0.x before 3.0.4, and 3.1.x through 3.1-dev6 allows a remote denial of service for HTTP/2 zero-copy forwarding h2send loop under a certain set of conditions, as exploited in the wild in 2024...

ImageSharp 安全漏洞

ImageSharp is a new, full-featured, fully managed, cross-platform 2D graphics API open-sourced by Six Labors. A security vulnerability exists in ImageSharp versions prior to 2.1.11 and 3.0.0 through 3.1.10, which stems from the possibility of entering an infinite loop when processing specially...

CVE-2023-23638

A deserialization vulnerability existed when dubbo generic invoke, which could lead to malicious code execution. This issue affects Apache Dubbo 2.7.x version 2.7.21 and prior versions; Apache Dubbo 3.0.x version 3.0.13 and prior versions; Apache Dubbo 3.1.x version 3.1.5 and prior versions...

Nextcloud Security Breach

Nextcloud is an open source suite of self-hosted file synchronization and sharing communication application platform from Nextcloud, Germany. A security vulnerability exists in Nextcloud that stems from improper handling of request URLs, which allows users to load unallowed application pages...

OpenSSL Security Vulnerabilities

OpenSSL is an open source capable general-purpose cryptographic library from the OpenSSL team that implements the Secure Sockets Layer SSLv2/v3 and Secure Transport Layer TLSv1 protocols. It supports a wide range of cryptographic algorithms, including symmetric ciphers, hashing algorithms, secure...

CVE-2023-34635

Wifi Soft Unibox Administration 3.0 and 3.1 is vulnerable to SQL Injection. The vulnerability occurs because of not validating or sanitizing the user input in the username field of the login page...

SUSE CVE-2014-5326

Cross-site scripting XSS vulnerability in Direct Web Remoting DWR through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors...

B&R Industrial Automation GmbH Runtime 跨站脚本漏洞

B&R Industrial Automation GmbH Runtime is a major component of AS from B&R Industrial Automation GmbH, Austria. A cross-site scripting vulnerability exists in B&R Industrial Automation GmbH Runtime version 3.00 and C4.93, which stems from the presence of a Reflective Cross-Site Scripting XSS...

UBUNTU-CVE-2020-11800

Zabbix Server 2.2.x and 3.0.x before 3.0.31, and 3.2 allows remote attackers to execute arbitrary code...

PT-2019-12124 · Red Lion Controls · Crimson

Name of the Vulnerable Software and Affected Versions: Red Lion Controls Crimson versions 3.0 and prior Red Lion Controls Crimson version 3.1 prior to release 3112.00 Description: The issue allows an attacker to access configuration files due to the use of a hard-coded password for encrypting...

CVE-2018-1745

IBM Security Key Lifecycle Manager 2.7 and 3.0 could allow an unauthenticated user to restart the SKLM server due to missing authentication. IBM X-Force ID: 148424...

CVE-2016-6418

Cross-site scripting XSS vulnerability in Cisco Videoscape Distribution Suite Service Manager VDS-SM 3.0 through 3.4.0 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCva14552...

Firefox crashes with evidence of memory corruption

Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 3.0.x before 3.0.15 and 3.5.x before 3.5.4 allow remote attackers to cause a denial of service memory corruption and application crash or possibly execute arbitrary code via unknown vectors...