2098 matches found
ChurchCRM - API Authentication Bypass via URL Injection
ChurchCRM 7.1.0 contains an authentication bypass caused by improper API middleware URL handling in ChurchCRM/Slim/Middleware/AuthMiddleware.php, letting unauthenticated attackers access protected API endpoints, exploit requires crafted request URL with 'api/public id: CVE-2026-39339 info: name:...
WordPress User Messages <= 1.2.4 - Reflected XSS
WordPress User Messages plugin <= 1.2.4 contains a reflected cross-site scripting caused by lack of sanitization and escaping of a parameter before outputting it in the page, letting attackers execute malicious scripts in the context of high privilege users, exploit requires victim to load a...
CVE-2020-37255
creationtimestamp | type | source
---|---|---
2026-06-20 15:54:23+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3moq7q64bi42u...
CVE-2025-62198
creationtimestamp | type | source
---|---|---
2026-06-20 15:26:11+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3moq65qz3vt2a
2026-06-22 11:52:39+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mout5qyudc22...
CVE-2019-25756
creationtimestamp | type | source
---|---|---
2026-06-19 19:30:06+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3moo3cxp2gs27...
CVE-2026-56142
creationtimestamp | type | source
---|---|---
2026-06-19 16:35:27+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3monrkomijt2z
2026-06-20 14:01:25+00:00 | seen | https://bsky.app/profile/hugovalters.bsky.social/post/3mopzg6xmjp2d...
CVE-2026-12620
The GridTime 3000 GNSS Time Server leaks the access token in the URL parameters of some endpoints. This issue affects GridTime 3000: from 1.0r0.03 through 1.1r0.0...
CVE-2026-44663
creationtimestamp | type | source
---|---|---
2026-06-18 21:58:43+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3molt5sr3cn22...
CVE-2026-40181
A flaw was found in React Router. This vulnerability allows a remote attacker to redirect users to an external, potentially malicious, website. This occurs when specially crafted URLs, containing paths starting with //, are passed to the redirect function, causing them to be misinterpreted as...
CVE-2026-20178
The CVE-2026-20178 issue affects the browser-based Cisco Webex App. Root cause: improper input validation of URL parameters in an HTTP request, enabling an unauthenticated, remote attacker to persuade a user to click a crafted URL and be redirected to a malicious webpage. Impact is limited to use...
net/url: Incorrect parsing of IPv6 host literals in net/url
The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...
BIT-MARIADB-MIN-2026-44170 MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with installed CONNECT engine and enabled REST support interpolated table HTTP...
GHSA-4GRM-H2QV-H6W6
creationtimestamp | type | source
---|---|---
2026-06-16 00:56:16+00:00 | seen | https://gist.github.com/alon710/bc7929d92c51f42ce9344791ed6ca313...
Use of Incorrectly-Resolved Name or Reference
Overview: starlette is "The little ASGI library that shines." Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in the reconstruction of request.url when the HTTP request path does not begin with /. An attacker can mislead the application into trusti...
GHSA-7C78-JF6Q-G5CM
creationtimestamp | type | source
---|---|---
2026-06-15 17:11:14+00:00 | seen | https://gist.github.com/alon710/0bdb094f8b35593b7efeef728ecec669...
CVE-2026-12208
creationtimestamp | type | source
---|---|---
2026-06-15 03:57:31+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mocfdpu4yu2s...
Malicious code in @giftyhq/widget-components (npm)
Source: amazon-inspector 8ad3f12a6a12fbfa60e4a72747df6974f89906200568926b99a8c93c489b5e62. package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host fingerprinting data —...
CVE-2026-47224
creationtimestamp | type | source
---|---|---
2026-06-12 18:49:15+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mo4frj5cbt22...
CVE-2026-44170 MariaDB: Argument injection in CONNECT REST Xcurl on Windows via unsanitized URL
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB on Windows with installed CONNECT engine and enabled REST support interpolated table HTTP...
CVE-2026-9641
creationtimestamp | type | source
---|---|---
2026-06-12 15:53:29+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mo43x72deo2v
2026-06-12 18:39:15+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mo4f7m6z7522
2026-06-14 10:48:56+00:00 | seen | ...