Vite Dev Server - Path Traversal in Optimized Deps .map Handling

Vite development server versions prior to 8.0.5, 7.3.2, and 6.4.2 are vulnerable to path traversal through the optimized dependencies sourcemap handler. The dev server's handling of .map requests for optimized dependencies resolves file paths via normalizePathpath.resolveroot, url.slice1 and call...

WordPress Kali Forms <= 2.4.9 - Remote Code Execution

Kali Forms WordPress plugin = 2.4.9 contains a remote code execution caused by unsafe user input handling in 'formprocess' and 'preparepostdata' functions, letting unauthenticated attackers execute code on the server, exploit requires no authentication. id: CVE-2026-3584 info: name: WordPress Kal...

WSO2 - Server Side Request Forgery

WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature accessible only to administrative users, caused by improper URL validation and direct content reflection, letting attackers trick admins into executing arbitrary JavaScript and querying internal services...

WordPress CBX Bookmark & Favorite Plugin <= 2.0.4 - SQL Injection

CBX Bookmark & Favorite WordPress plugin = 2.0.4 contains a SQL injection caused by insufficient escaping of the 'orderby' parameter, letting authenticated attackers with Subscriber-level access extract sensitive database information id: CVE-2025-13652 info: name: WordPress CBX Bookmark & Favorit...

WordPress Media Library Assistant <= 3.34 - SQL Injection

David Lingren Media Library Assistant = 3.34 contains an sql injection caused by improper neutralization of special elements in SQL commands, letting attackers execute arbitrary SQL queries, exploit requires crafted input. id: CVE-2026-34885 info: name: WordPress Media Library Assistant = 3.34 -...

Progress ShareFile Storage Zones Controller - Authentication Bypass

Customer Managed ShareFile Storage Zones Controller SZC contains an authentication bypass Execution After Redirect that allows unauthenticated attackers to access restricted configuration pages. This leads to changing system configuration and potential remote code execution. id: CVE-2026-2699 inf...

Apache CXF < 4.0.4 - Aegis DataBinding SSRF / Local File Read

Apache CXF before 4.0.4, 3.6.3 and 3.5.8 has a Server-Side Request Forgery SSRF vulnerability when using the Aegis DataBinding. The XOP Include mechanism in multipart SOAP requests can be abused to read local files or make server-side HTTP requests to arbitrary URLs. An attacker can use this to...

Pi-hole Reflected XSS in 404-Error Page

Pi-hole Admin Interface = 6.2.1 contains a reflected XSS vulnerability on the 404 error page. The URL path is reflected unsanitized into the class attribute of the body tag, allowing attribute injection via a crafted URL to execute arbitrary JavaScript in victim browsers. id: CVE-2025-53533 info:...

Ghost CMS Content API - SQL Injection

Ghost CMS before 6.19.1 is vulnerable to a blind SQL injection in the /ghost/api/content/tags/ endpoint via the filter parameter. This template checks for the vulnerability by sending a boolean-based payload. id: CVE-2026-26980 info: name: Ghost CMS Content API - SQL Injection author:...

NocoDB - User Enumeration

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3. id: CVE-2026-28358 info: name: NocoDB -...

Dify User Enumeration via Observable Response Discrepancy

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. id: CVE-2026-28288 info: name: Dify User Enumeratio...

Vite Dev Server - Information Exposure

Vite is a frontend tooling framework for JavaScript. Before versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network using...

WordPress File Manager <= 7.2.1 - Directory Traversal

File Manager and File Manager Pro plugins for WordPress versions up to 7.2.1 and 8.3.4 contain a directory traversal caused by the 'target' parameter in mkfilefoldermanageractioncallbackshortcode, letting attackers read arbitrary files and upload files outside designated directories, exploit...

Payara Server - Cross-Site Scripting

Payara Server versions 4.1.2.191.54, 5.83.0, 6.34.0, and 7.2026.1 contain a stored XSS vulnerability caused by improper input sanitization in the REST Management Interface. This allows attackers to mislead administrators into changing the admin password via a URL payload; however, the exploit...

MetInfo CMS <= 8.1 - Remote Code Execution

MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests. id: CVE-2026-29014 info: name: MetInfo CMS = 8....

SolarView Compact < 6.00 - Directory Traversal

SolarView Compact before version 6.00 is vulnerable to directory traversal via the file parameter in downloader.php. An unauthenticated attacker can read arbitrary files from the system by using path traversal sequences with a null byte bypass to access sensitive files such as /etc/passwd. id:...

SureForms <= 1.13.1 - Sensitive Information Exposure

SureForms WordPress plugin = 1.13.1 contains a sensitive information exposure caused by setting 'authcallback' to 'returntrue' in 'srfmemailnotification' post meta registration, letting unauthenticated attackers access sensitive email notification data, exploit requires no authentication. id:...

Lodash Template - Server-Side Template Injection (RCE)

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function. id: CVE-2021-23337 info: name: Lodash Template - Server-Side Template Injection RCE author: DhiyaneshDk severity: high description: | Lodash versions prior to 4.17.21 are vulnerable to Command Injectio...

WordPress WP Clone <= 2.4.2 - Database Backup Exposure

Clone WordPress plugin 2.4.3 contains a buffer overflow caused by storing in-progress backup information in publicly accessible buffer files at a static file path, letting attackers access sensitive backup data, exploit requires no special privileges id: CVE-2023-6750 info: name: WordPress WP Clo...

WeGIA <= 3.6.4 - Remote Code Execution

WeGIA = 3.6.5 contains a remote code execution caused by improper validation of backup file names in the database restoration functionality, letting attackers with administrative access execute arbitrary OS commands id: CVE-2026-28409 info: name: WeGIA = 3.6.4 - Remote Code Execution author:...

WordPress FastDup <= 2.1.9 Sensitive Information Exposure - Directory Listing

FastDup WordPress plugin 2.2 contains a directory listing vulnerability caused by lack of access restrictions in sensitive directories, letting attackers view export files, exploit requires no authentication. id: CVE-2023-6592 info: name: WordPress FastDup = 2.1.9 Sensitive Information Exposure -...

TinaCMS - Path Traversal

TinaCMS CLI 2.1.8 contains a file system read vulnerability caused by disabled Vite server.fs.strict setting, letting unauthenticated attackers read arbitrary files on the host system, exploit requires access to the dev server. id: CVE-2026-29066 info: name: TinaCMS - Path Traversal author:...

User Registration & Membership WordPress plugin - Open Redirect

User Registration & Membership WordPress plugin = 5.1.4 contains an open redirect caused by insufficient validation of 'redirecttoonlogout' parameter, letting attackers redirect users to malicious external URLs after logout, exploit requires crafted URL. id: CVE-2026-6203 info: name: User...

WordPress WPCOM Member <= 1.7.6 - SQL Injection

WPCOM Member plugin for WordPress up to 1.7.6 contains a time-based SQL Injection caused by insufficient escaping and lack of preparation on the 'userphone' parameter, letting unauthenticated attackers extract sensitive information, exploit requires sending crafted 'userphone' parameter. id:...

WordPress Hummingbird <= 3.18.0 - Sensitive Information Exposure via Log File

Hummingbird Performance WordPress plugin = 3.18.0 contains a sensitive information exposure caused by improper handling in the 'request' function, letting unauthenticated attackers extract sensitive data including Cloudflare API credentials, exploit requires no authentication. id: CVE-2025-14437...

Liferay Portal & DXP - Cross-Site Scripting

Liferay Portal 7.4.0 through 7.4.3.133 and Liferay DXP 2024.Q1.1 through 2025.Q1.4 contain a reflected XSS caused by improper sanitization in entrycoverimagecaption.jsp, letting remote non-authenticated attackers inject JavaScript. id: CVE-2025-4576 info: name: Liferay Portal & DXP - Cross-Site...

CP Image Store with Slideshow <= 1.0.67 - SQL Injection

The CP Image Store with Slideshow WordPress plugin before 1.0.68 does not sanitise and escape the orderingby query parameter before using it in a SQL statement in pages where the codepeople-image-store is embed, allowing unauthenticated users to perform an SQL injection attack. id: CVE-2022-1692...

CraftCMS SEOmatic - Server-Side Template Injection

In the SEOmatic plugin up to 3.4.11 for Craft CMS 3, it is possible for unauthenticated attackers to perform a Server-Side. Template Injection, allowing for remote code execution. id: CVE-2021-41749 info: name: CraftCMS SEOmatic - Server-Side Template Injection author: iamnoooob,ritikchaddha...

PuneethReddyHC action.php SQL Injection

An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping through the /action.php prId parameter. Using a post request does not sanitize the user input. id: CVE-2021-41648 info: name: PuneethReddyHC action.php SQL Injection author: daffainfo severity: high descriptio...

PuneethReddyHC Online Shopping System homeaction.php SQL Injection

An unauthenticated SQL injection vulnerability exists in PuneethReddyHC Online Shopping System through the /homeaction.php catid parameter. Using a post request does not sanitize the user input. id: CVE-2021-41649 info: name: PuneethReddyHC Online Shopping System homeaction.php SQL Injection...

ECOA Building Automation System - Arbitrary File Retrieval

The ECOA BAS controller suffers from an arbitrary file disclosure vulnerability. Using the 'fname' POST parameter in viewlog.jsp, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information. id: CVE-2021-41293 info: name: ECOA Building Automation...

BillQuick Web Suite SQL Injection

BQE BillQuick Web Suite 2018 through 2021 before 22.0.9.1 allows SQL injection for unauthenticated remote code execution. Successful exploitation can include the ability to execute arbitrary code as MSSQLSERVER$ via xpcmdshell. id: CVE-2021-42258 info: name: BillQuick Web Suite SQL Injection...

PlaceOS 1.2109.1 - Open Redirection

PlaceOS Authentication Service before 1.29.10.0 allows app/controllers/auth/sessionscontroller.rb open redirect. id: CVE-2021-41826 info: name: PlaceOS 1.2109.1 - Open Redirection author: geeknik severity: medium description: PlaceOS Authentication Service before 1.29.10.0 allows...

Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection

Visual Tools DVR VX16 4.2.28.0 could allow an unauthenticated, remote attacker to perform command injection attacks against an affected device. id: CVE-2021-42071 info: name: Visual Tools DVR VX16 4.2.28.0 - Unauthenticated OS Command Injection author: gy741 severity: critical description: Visual...

KONGA 0.14.9 - Privilege Escalation

KONGA 0.14.9 allows attackers to set higher privilege users to full administration access. The attack vector is a crafted condition, as demonstrated by the /api/user/ID at ADMIN parameter. id: CVE-2021-42192 info: name: KONGA 0.14.9 - Privilege Escalation author: rschio severity: high description...

myfactory FMS - Cross-Site Scripting

myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter. id: CVE-2021-42565 info: name: myfactory FMS - Cross-Site Scripting author: madrobot,daffainfo severity: medium description: | myfactory.FMS before 7.1-912 allows cross-site scripting via the UID parameter. impact: |...

NetBiblio WebOPAC - Cross-Site Scripting

NetBiblio WebOPAC before 4.0.0.320 is affected by a reflected cross-site scripting vulnerability in its Wikipedia module through /NetBiblio/search/shortview via the searchTerm parameter. id: CVE-2021-42551 info: name: NetBiblio WebOPAC - Cross-Site Scripting author: compr00t severity: medium...

Sourcecodester Online Event Booking and Reservation System 2.3.0 - Cross-Site Scripting

Sourcecodester Online Event Booking and Reservation System 2.3.0 contains a cross-site scripting vulnerability in PHP/MySQL via the msg parameter to /event-management/index.php. An attacker can leverage this vulnerability in order to change the visibility of the website. Once the target user clic...

Grafana 8.0.0 <= v.8.2.2 - Angularjs Rendering Cross-Site Scripting

Grafana is an open-source platform for monitoring and observability. In affected versions if an attacker is able to convince a victim to visit a URL referencing a vulnerable page, arbitrary JavaScript content may be executed within the context of the victim's browser. The user visiting the...

myfactory FMS - Cross-Site Scripting

myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter. id: CVE-2021-42566 info: name: myfactory FMS - Cross-Site Scripting author: madrobot,daffainfo severity: medium description: | myfactory.FMS before 7.1-912 allows cross-site scripting via the Error parameter. impact...

ECOA Building Automation System - Directory Traversal Content Disclosure

The ECOA BAS controller suffers from a directory traversal content disclosure vulnerability. Using the GET parameter cpath in File Manager fmangersub, attackers can disclose directory content on the affected device id: CVE-2021-41291 info: name: ECOA Building Automation System - Directory Travers...

Redash Setup Configuration - Default Secrets Disclosure

Redash Setup Configuration is vulnerable to default secrets disclosure Insecure Default Initialization of Resource. If an admin sets up Redash versions =10.0 and prior without explicitly specifying the REDASHCOOKIESECRET or REDASHSECRETKEY environment variables, a default value is used for both...

Apache Druid - Local File Inclusion

Apache Druid ingestion system is vulnerable to local file inclusion. The InputSource is used for reading data from a certain data source. However, the HTTP InputSource allows authenticated users to read data from other sources than intended, such as the local file system, with the privileges of t...

Virtua Software Cobranca <12R - Blind SQL Injection

Virtua Cobranca before 12R allows blind SQL injection on the login page. id: CVE-2021-37589 info: name: Virtua Software Cobranca 12R - Blind SQL Injection author: princechaddha severity: high description: | Virtua Cobranca before 12R allows blind SQL injection on the login page. impact: |...

XStream 1.4.18 - Remote Code Execution

XStream 1.4.18 is susceptible to remote code execution. An attacker can execute commands of the host by manipulating the processed input stream, thereby making it possible to obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the...

WordPress iQ Block Country <=1.2.11 - Cross-Site Scripting

WordPress iQ Block Country plugin 1.2.11 and prior contains a cross-site scripting vulnerability. An attacker can execute arbitrary script in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and...

Nova noVNC - Open Redirect

Nova noVNC contains an open redirect vulnerability. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2021-3654 info: name: Nova noVNC - Open Redirect author: geeknik severity: medium...

Tiny Java Web Server - Cross-Site Scripting

A reflected cross-site scripting vulnerability in the web server TTiny Java Web Server and Servlet Container TJWS =1.115 allows an adversary to inject malicious code on the server's "404 Page not Found" error page. id: CVE-2021-37573 info: name: Tiny Java Web Server - Cross-Site Scripting author:...

Kramer VIAware - Remote Code Execution

KRAMER VIAware through August 2021 allows remote attackers to execute arbitrary code because ajaxPages/writeBrowseFilePathAjax.php accepts arbitrary executable pathnames. id: CVE-2021-36356 info: name: Kramer VIAware - Remote Code Execution author: gy741 severity: critical description: KRAMER...

GitLab CE/EE - Remote Code Execution

GitLab CE/EE 14.0 prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 is susceptible to remote code execution. An authenticated user authorized to import projects can import a maliciously crafted project, thus possibly being able to execute malware, obtain sensitive information, modi...