34 matches found
OWASP FinBot CTF 0.2
FinBot is an Agentic AI security CTF platform from OWASP. Interact with AI agents, exploit real vulnerabilities, and learn to secure agentic systems. All from your browser...
Astra Linux - уязвимость в exiv2
Exiv2 is a command-line utility and C++ library for reading, writing, deleting, and modifying the metadata of image files. An infinite loop was discovered in Exiv2 versions v0.27.4 and earlier. This infinite loop occurs when Exiv2 is used to modify the metadata of a specially crafted image file. ...
zantetsu-ffi is unmaintained
The zantetsu-ffi crate is no longer maintained. The Node.js, Python, and C FFI bindings it provided were removed as part of the zantetsu 0.2 release, which refocused the project on its core Rust library. A tombstone version 0.2.0 has been published and 0.1.4 has been yanked. There is no replaceme...
CVE-2026-33301 OpenEMR has arbitrary image file read via PDF generator
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the Notes - my encounters role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read...
CVE-2025-69874
nanotar through 0.2.0 has a path traversal vulnerability in parseTar and parseTarGzip that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequence...
SUSE CVE-2026-23742
Skipper is an HTTP router and reverse proxy for service composition. The default skipper configuration before 0.23.0 was -lua-sources=inline,file. The problem starts if untrusted users can create lua filters, because of -lua-sources=inline , for example through a Kubernetes Ingress resource. The...
CVE-2026-24134 StudioCMS has an Authorization Bypass Through User-Controlled Key
StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization BOLA vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by...
Missing Authorization
Overview studiocms is an A Community-Driven Astro native CMS. Built from the ground up by the Astro community. Affected versions of this package are vulnerable to Missing Authorization via the edit endpoint in the content management feature. An attacker can gain unauthorized access to draft conte...
CVE-2018-18863
NGA ResourceLink 20.0.2.1 allows local file inclusion...
PT-2025-49347
The Yet Another WebClap for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'text' parameter of the webclap button shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping. This makes it possible for...
WordPress WP Global Screen Options plugin <= 0.2 - Cross-Site Request Forgery to Screen Options Update vulnerability
Cross-Site Request Forgery to Screen Options Update vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin WP Global Screen Options versions = 0.2...
WordPress plugin WP Global Screen Options 跨站请求伪造漏洞
WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed in the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers.WordPress plugin is an application plugin. A cross-site request...
CVE-2025-52665
CVE-2025-52665 affects UniFi Access Application 3.3.22–3.4.31, where a misconfigured management API is exposed without proper authentication, allowing attackers on the management network to access management functions. Affected component: the UniFi Access management API; root cause: misconfigurat...
CVE-2025-62714
Karmada Dashboard is a general-purpose, web-based control panel for Karmada which is a multi-cluster management project. Prior to version 0.2.0, there is an authentication bypass vulnerability in the Karmada Dashboard API. The backend API endpoints e.g., /api/v1/secret, /api/v1/service did not...
CVE-2025-48093
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Calvaweb Password only login password-only-login allows Reflected XSS.This issue affects Password only login: from n/a through = 0.2...
CVE-2025-48093 WordPress Password only login plugin <= 0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Calvaweb Password only login password-only-login allows Reflected XSS.This issue affects Password only login: from n/a through = 0.2...
WordPress Password only login plugin <= 0.2 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross Site Scripting XSS vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Password only login versions = 0.2...
CVE-2025-8688
The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-8688 Inline Stock Quotes <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via stock Shortcode
The Inline Stock Quotes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's stock shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2025-6061 kk Youtube Video <= 0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
The kk Youtube Video plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'kkytv' shortcode in all versions up to, and including, 0.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...