CVE-2026-1378 WP Posts Re-order <= 1.0 - Cross-Site Request Forgery to Settings Update
The WP Posts Re-order plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the cptpluginoptions function. This makes it possible for unauthenticated attackers to update the plugin settings including...
WordPress plugin Contact List Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
MiracleLinux 8 : glibc-2.28-251.el8_10.31 (AXSA:2026-341:02)
The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-341:02 advisory. glibc: Information disclosure via zero-valued network query CVE-2026-0915 glibc: wordexp with WRDE_REUSE and WRDE_APPEND may return uninitialize...
PT-2026-26942
Name of the Vulnerable Software and Affected Versions Suricata affected versions not specified Description Security issues have been resolved in the libsuricata8 0 4-8.0.4-1.1 package on openSUSE Tumbleweed. Recommendations At the moment, there is no information about a newer version that contain...
WordPress plugin Smarter Analytics Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-33180
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...
CVE-2026-33180 HAPI FHIR HTTP authentication leak in redirects
HAPI FHIR is a complete implementation of the HL7 FHIR standard for healthcare interoperability in Java. Prior to version 6.9.0, when setting headers in HTTP requests, the internal HTTP client sends headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP...
CVE-2026-33171 Statamic has a path traversal in file dictionary fieldtype
Statamic is a Laravel and Git powered content management system CMS. Prior to versions 5.73.14 and 6.7.0, authenticated Control Panel users could read arbitrary .json, .yaml, and .csv files from the server by manipulating the file dictionary's filename configuration parameter in the fieldtype's...
UBUNTU-CVE-2025-63261
AWStats 8.0 is vulnerable to Command Injection via the open function...
EUVD-2025-208897
A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later...
WordPress RegistrationMagic plugin <= 6.0.7.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Supakiad S. m3ez in WordPress Plugin RegistrationMagic versions <= 6.0.7.6...
CVE-2025-62844
A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later...
EUVD-2024-55479
SysAK v2.0 and before is vulnerable to command execution via aaa;cat /etc/passwd...
CVE-2026-33312
Vikunja is an open-source self-hosted task management platform. Starting in version 0.20.2 and prior to version 2.2.0, the DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delet...
RUSTSEC-2026-0061 `tokio-fs` is unmaintained
The tokio-fs crate is unmaintained. It was part of the Tokio 0.1 ecosystem and has been superseded by the main tokio crate...
BIT-PARSE-2026-32886 Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a...
CVE-2026-33129 h3 has an observable timing discrepancy in basic auth utils
H3 is a minimal HTTP framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison !==. This allows an attacker to deduce the valid password character-by-character by measuring the server...
EUVD-2026-13610
In the Linux kernel, the following vulnerability has been resolved: netfilter: xt_IDLETIMER: reject rev0 reuse of ALARM timer labels IDLETIMER revision 0 rules reuse existing timers by label and always call mod_timer on timer->timer. If the label was created first by revision 1 with XT_IDLETIMER_ALARM...
CVE-2026-33066
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the backend renderREADME function uses lute.New without calling SetSanitize(true), allowing raw HTML embedded in Markdown to pass through unmodified. The frontend then assigns the rendered HTML to innerHTML without any...