364000 matches found
CVE-2026-57587
A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data...
CVE-2026-57535
Content injected to PDF rendering contexts could, in many places, include HTML content including tags. If the src attribute of these images pointed to an URL, the PDF rendering engine would download the image from that place and display it, thereby leaking information about the rendering server a...
CVE-2026-57435
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri’s CRuby native extension could leave a Ruby wrapper pointing to freed memory when replacing the value of an XML attribute. If Ruby code had already accessed an attribute child node,...
CVE-2026-57533
Malicious HTML content could be injected into the page pretix shows when redirection to an untrusted page occurs. Since this page has a Content-Security-Policy, this can mainly be used for phishing purposes...
CVE-2026-57534
Malicious HTML content could be injected into the content of a page in the pretix-pages plugin...
CVE-2026-57436
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::Documentroot= validated only that the new root was a Nokogiri::XML::Node, allowing a DTD node to be set as the document root. The result is a heap use-after-free during garbage...
CVE-2026-57437
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::XPathContext did not keep its source document alive for garbage collection. If an XPathContext outlived its document and the document was collected, evaluating an XPath expression...
CVE-2026-57532
Malicious HTML content contained in the layout specification of a PDF ticket or badge layout was executed when the PDF editor is opened in the browser. This could allow one backend user to inject JavaScript into the browser context of another backend user. Due to requirements of the PDF rendering...
CVE-2026-57234
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, the NONET parse option, which Nokogiri turns on by default for Nokogiri::XML::Schema see CVE-2020-26247, was not correctly enforced on the JRuby implementation. As a result, a schema parsed with...
CVE-2026-57434
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri contains a bug when calling certain methods on allocated-but-uninitialized native wrapper classes that inherit from Nokogiri::XML::Node. This caused a NULL pointer dereference that could...
CVE-2026-57236
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, calling Documentencoding= with an invalid encoding e.g., a non-string, or a string containing a null byte raises an exception, but only after freeing the document's current encoding string without...
CVE-2026-57235
Nokogiri is an open source XML and HTML library for the Ruby programming language. Prior to 1.19.4, Nokogiri::XML::NodeSet and its alias slice checked the requested index against the node set's bounds using a 32-bit-truncated copy of the index. A large negative index could pass the check and then...
CVE-2026-49319
Remote Keyless Entry System RKES, using the 433 MHz key fob bearing FCC ID CWTR53R0 manufactured by ALPS ALPINE CO., LTD., is vulnerable to a roll-back attack against its rolling-code authentication. An attacker within RF range who records two consecutive lock or unlock transmissions from a...
CVE-2026-46735
Dell Display and Peripheral Manager DDPM Mac, versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command...
CVE-2026-13222
Our payment integration with Oppwa-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one...
CVE-2026-13225
Malicious HTML content could be injected into the email address of an order, which pretix showed without sanitization on the confirmation page for individual tickets in that order...
CVE-2026-13314
Malicious HTML content could be injected into the content rendered by the pretix-digital plugin...
CVE-2026-13223
Our payment integration with Computop-based payment methods did not properly validate payment status responses. An attacker could use a successful payment status response from one payment and supply it to the system for a different payment, gaining access to multiple valid tickets with only one...
CVE-2026-57619
Contributor Sensitive Data Exposure in Elementor Website Builder = 4.1.3 versions...
CVE-2026-57429
Contributor Broken Access Control in Slim SEO = 4.6.2 versions...
CVE-2026-56053
Subscriber PHP Object Injection in EventPrime = 4.3.4.1 versions...
CVE-2026-56071
Unauthenticated Cross Site Scripting XSS in Forminator = 1.53.1 versions...
CVE-2026-56122
Winstone Servlet Engine through 0.9.10 contains a path traversal vulnerability that allows unauthenticated attackers to read arbitrary files by sending HTTP GET requests with dot-dot-slash sequences that are not sanitized when serving static files from the configured webroot. Attackers can traver...
CVE-2026-56054
Subscriber Arbitrary File Deletion in JS Help Desk = 3.1.1 versions...
CVE-2026-56051
Unauthenticated Cross Site Scripting XSS in TablePress = 3.3.1 versions...
CVE-2026-56014
Unauthenticated Cross Site Scripting XSS in Master Slider = 3.11.2 versions...
CVE-2026-56049
Contributor Remote Code Execution RCE in Post Snippets = 4.0.19 versions...
CVE-2026-56006
Unauthenticated Cross Site Scripting XSS in H5P = 1.17.6 versions...
CVE-2026-56023
Customer Broken Access Control in UPI QR Code Payment Gateway for WooCommerce = 1.6.2 versions...
CVE-2026-56050
Improper Access Control vulnerability in Themeisle PPOM for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PPOM for WooCommerce: from n/a through 33.0.18...
CVE-2026-56042
Customer Cross Site Scripting XSS in Advanced Order Export For WooCommerce = 4.0.9 versions...
CVE-2026-56013
Unauthenticated Insecure Direct Object References IDOR in License Manager for WooCommerce = 3.0.15 versions...
CVE-2026-56005
Subscriber Cross Site Scripting XSS in WP Activity Log = 5.6.3.1 versions...
CVE-2026-54848
Insertion of Sensitive Information Into Sent Data vulnerability in Saad Iqbal APIExperts Square for WooCommerce allows Retrieve Embedded Sensitive Data. This issue affects APIExperts Square for WooCommerce: from n/a through 4.7.3...
CVE-2026-54849
Unauthenticated SQL Injection in Premmerce Wishlist for WooCommerce = 1.1.11 versions...
CVE-2026-54843
Unauthenticated SQL Injection in MDTF = 1.3.7 versions...
CVE-2026-54845
Unauthenticated Local File Inclusion in MDTF = 1.3.8 versions...
CVE-2026-54842
Missing Authorization vulnerability in Royal Plugins Royal MCP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Royal MCP: from n/a through 1.4.25...
CVE-2026-54841
Unauthenticated Sensitive Data Exposure in Vitepos = 3.4.2 versions...
CVE-2026-54844
Unauthenticated Broken Access Control in CheckView Automated Testing = 2.1.0 versions...
CVE-2026-54836
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in YMC Filter allows SQL Injection. This issue affects YMC Filter: from n/a through 3.11.5...
CVE-2026-54829
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Jacob N. Breetvelt WP Photo Album Plus allows Blind SQL Injection. This issue affects WP Photo Album Plus: from n/a through 9.1.13.005...
CVE-2026-54838
Subscriber SQL Injection in WC Vendors Marketplace = 2.6.8 versions...
CVE-2026-54830
Unauthenticated Broken Access Control in Five Star Restaurant Reservations = 2.7.19 versions...
CVE-2026-54822
Subscriber SQL Injection in SALESmanago & Leadoo = 3.11.2 versions...
CVE-2026-54828
Unauthenticated Broken Access Control in Motors = 1.4.109 versions...
CVE-2026-54821
Subscriber Sensitive Data Exposure in Visual Link Preview = 2.3.1 versions...
CVE-2026-54823
Contributor Remote Code Execution RCE in Widget Options = 4.2.3 versions...
CVE-2026-52690
Spoofing replies to Recursor might mark an IP of an authoritative server as not supporting EDNS, causing valdiation of DNSSEC records served by that server to fail...
CVE-2026-49506
Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution...