418117 matches found
EUVD-2026-37790
Tinyproxy through 1.11.3, fixed in commit 364cdb6, fails to reject requests containing multiple Content-Length headers with differing values, forwarding all duplicate headers to the backend while using the first value to determine how many request body bytes to consume. Remote attackers can...
EUVD-2026-37789
Tinyproxy through 1.11.3, fixed in commit ff45d3b, fails to reconcile conflicting Content-Length and Transfer-Encoding: chunked headers, forwarding both verbatim to the backend while using Content-Length to determine how many request body bytes to consume. Remote attackers can desynchronize the...
EUVD-2026-37788
Starlette is a lightweight ASGI framework/toolkit. In versions 1.0.1 and below, when dispatching a request, HTTPEndpoint selects the handler by lowercasing the HTTP method and looking it up as an attribute with getattr, without restricting the lookup to a known set of HTTP verbs. When an...
EUVD-2026-37786
Tinyproxy through 1.11.3, fixed in commit 09312a1, fails to properly validate the Host header during stathost detection, allowing unauthenticated attackers to access the stats page by injecting a matching Host header or bypass detection via port manipulation. Remote attackers can trigger...
EUVD-2026-37785
Evil-WinRM through 3.9, fixed in commit 6ecd570, contains a path traversal vulnerability in the downloaddir function that allows a rogue or compromised remote Windows server to write files outside the intended download directory by returning filenames with traversal sequences from Get-ChildItem...
EUVD-2026-37784
libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...
EUVD-2026-37783
Sonatype Nexus Repository Manager before 3.93.0 contains an authorization vulnerability in the proxy repository configuration that allows a delegated repository administrator to disclose stored upstream proxy credentials...
EUVD-2026-37782
libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSHMSGEXTINFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can s...
EUVD-2026-37781
Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an...
EUVD-2026-37646
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners for Japan and outside Japan; Wireless LAN Adapters for Room Air Conditioners for Japan and outside Japan; Wireless LAN Adapters for Packaged Air Conditioners for Japan and outside Japan; Refrigerators for...
EUVD-2026-37715
Contributor Arbitrary File Deletion in Fusion Builder = 3.15.4 versions...
EUVD-2025-210263
Unauthenticated Local File Inclusion in Granola = 1.13 versions...
EUVD-2025-210260
Unauthenticated Cross Site Scripting XSS in SweetDate Core 1.1.5 versions...
EUVD-2025-210259
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme = 3.1.3 versions...
EUVD-2025-210254
Unauthenticated Local File Inclusion in LuxMed | Medicine & Healthcare Doctor WordPress Theme = 1.2.2 versions...
EUVD-2025-210252
Unauthenticated Local File Inclusion in Imba = 1.5.0 versions...
EUVD-2025-210261
Unauthenticated Local File Inclusion in Preservation = 1.10 versions...
EUVD-2025-210255
Unauthenticated Local File Inclusion in Dazzle = 1.0.0 versions...
EUVD-2025-210262
Unauthenticated Local File Inclusion in Gamic = 1.15 versions...
EUVD-2025-210256
Unauthenticated Local File Inclusion in Snow Club = 1.1 versions...
EUVD-2025-210251
Unauthenticated Cross Site Scripting XSS in Avante 3.0.5 versions...
EUVD-2025-210257
Unauthenticated Local File Inclusion in Fortius = 2.3.0 versions...
EUVD-2025-210258
Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...
EUVD-2025-210250
Unauthenticated SQL Injection in Advanced Ads – Tracking 3.0.7 versions...
EUVD-2026-37559
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user...
EUVD-2026-37563
The Permalink Manager Lite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via post titles in the admin URI Editor interface in all versions up to, and including, 2.5.3.3 due to insufficient output escaping. This makes it possible for authenticated attackers, with...
EUVD-2025-210253
Unauthenticated PHP Object Injection in Reisen = 1.4.1 versions...
EUVD-2025-210249
Unauthenticated Insecure Direct Object References IDOR in School Management = 93.1.0 versions...
EUVD-2026-37562
The Points Management System For Gamification, Ranks, Badges, and Loyalty Rewards Program – myCred plugin for WordPress is vulnerable to Stored Cross-Site Scripting via 'wrap' Shortcode Attribute in all versions up to, and including, 3.1 due to insufficient input sanitization and output escaping...
EUVD-2026-37558
The LearnPress WordPress plugin before 4.3.7 does not gate the edit context on one of its REST endpoint behind the editusers capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted...
EUVD-2026-37647
Unauthenticated Arbitrary File Download in WP Media folder Addon = 4.0.1 versions...
EUVD-2026-37633
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
EUVD-2026-37638
Unauthenticated Broken Authentication in SMS Alert Order Notifications = 3.9.3 versions...
EUVD-2026-37640
Subscriber Broken Authentication in Melhor Envio = 2.16.3 versions...
EUVD-2026-37636
Unauthenticated Cross Site Scripting XSS in JetFormBuilder = 3.6.0.1 versions...
EUVD-2026-37635
Unauthenticated Cross Site Scripting XSS in Popup box = 6.2.9 versions...
EUVD-2026-37628
Unauthenticated PHP Object Injection in JetEngine = 3.8.10 versions...
EUVD-2026-37643
Unauthenticated Privilege Escalation in Registration Form for WooCommerce = 1.0.9 versions...
EUVD-2026-37629
Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...
EUVD-2026-37644
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
EUVD-2026-37642
Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...
EUVD-2026-37634
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
EUVD-2026-37637
Subscriber Privilege Escalation in JetFormBuilder = 3.6.1 versions...
EUVD-2026-37557
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...
EUVD-2026-37631
Unauthenticated SQL Injection in JobSearch = 3.2.9 versions...
EUVD-2026-37627
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms = 1.4.5 versions...
EUVD-2026-37625
Unauthenticated Sensitive Data Exposure in JetBlog = 2.4.8 versions...
EUVD-2026-37641
Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...
EUVD-2026-37553
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...
EUVD-2026-37556
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...