PT-2026-30969

OrangeHRM is a comprehensive human resource management HRM system. From 5.0 to 5.8, OrangeHRM Open Source allowed authenticated users to bypass disabled-module access controls via URL-encoded request paths and access functionality of modules disabled by an administrator. This vulnerability is fix...

CVE-2026-27129

Craft is a content management system CMS. In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses gethostbyname, which only resolves IPv4 addresses. When a hostname has only AAAA IPv6 records, the function returns the...

CVE-2026-25496 Craft has a stored XSS in Number Prefix & Suffix Fields

Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a stored XSS vulnerability exists in the Number field type settings. The Prefix and Suffix fields are rendered using the |md|raw Twig filter without proper escaping,...

Craft CMS SQL注入漏洞

Craft CMS is an open-source content management system developed by Craft CMS. Versions 4.0.0-RC1 to 4.16.17, and 5.0.0-RC1 to 5.8.21 of Craft CMS have SQL injection vulnerabilities. These vulnerabilities stem from improper cleaning of the criteriaorderBy parameter input, which may lead to SQL...

CVE-2026-25487

Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator's browser. This occurs because the Tax Rates 'Name' field in the...

cg-django-uaa (=2.1.9), deeplabelnet (>=0.1.0 <=0.1.16) +22 more potentially affected by CVE-2025-14550 via django (>=5.2.0 <=5.2.10)

django PYPI version =5.2.0, =0.1.0, =0.1.0, =1.3.0, =1.92.0.5, =4.2.0, =0.0.7, =3.0.0, =0.1.0, =5.2.0, =5.2.1 - djbackup =2.1.0 and more Source cves: CVE-2025-14550 Source advisory: SNYK:PYTHON-DJANGO-15198929...

PT-2026-2488

Name of the Vulnerable Software and Affected Versions Fortinet FortiSandbox versions 4.0 through 5.0.4 Fortinet FortiSandbox version 4.4 Fortinet FortiSandbox version 4.2 Description An authenticated attacker may be able to proxy internal requests limited to plaintext endpoints only by sending...

CVE-2025-53679

An improper neutralization of special elements used in an OS command 'OS Command Injection' vulnerability CWE-78 vulnerability in Fortinet FortiSandbox 5.0.0 through 5.0.2, FortiSandbox 4.4.0 through 4.4.7, FortiSandbox 4.2 all versions, FortiSandbox 4.0 all versions, FortiSandbox Cloud 24.1,...

11x-wagtail-blog (>=0.0.0 <=0.2.0), aldryn-django (>=5.0.2.0 <=5.0.11.0) +254 more potentially affected by CVE-2025-13372 via django (>=5.0.0 <=5.1.14)

django PYPI version =5.0.0, =0.0.0, =5.0.2.0, =0.0.15, =1.14.3, =0.0.20, =0.0.13, =0.0.19, =0.0.34, =0.0.50, =0.0.5, =0.0.11, =1.0.3, =0.1.0, =0.2.5 and more Source cves: CVE-2025-13372 Source advisory: SNYK:PYTHON-DJANGO-14157810...

EUVD-2025-175345

A stack-based buffer overflow exists in the getmergemac function of the httpd binary on Linksys E1200 v2 routers Firmware E1200v2.0.11.001us.tar.gz. The function concatenates up to six user-supplied CGI parameters matching 05 into a fixed-size buffer a2 without proper bounds checking, appending...

EUVD-2023-41302

IBM Aspera Faspex 5.0.0 through 5.0.13.1 uses a cross-domain policy file that includes domains that should not be trusted...

Honeywell Experion PKS 安全漏洞

Honeywell Experion PKS is a process automation system from Honeywell USA. A security vulnerability exists in Honeywell Experion PKS versions 520.1 to 520.2 TCU9 and 530 to 530 TCU3, which stems from uninitialized variables and could result in a denial of service...

Insyde InsydeH2O 缓冲区错误漏洞

Insyde InsydeH2O is a C-language source from Insyde Corporation of Taiwan, which implements the new technology "EFI/UEFI" specification designed to replace the traditional BIOS Basic Input/Output System. A security vulnerability exists in Insyde InsydeH2O versions 5.0 through 5.5, which is caused...

CVE-2017-1281

IBM Rational Quality Manager and IBM Rational Collaborative Lifecycle Management 5.0 through 5.0.2 and 6.0 through 6.0.5 are vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially...