SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. [CVSS 7.5 HIGH]
Deviceviewer versions up to 3.12.0.1 contains a vulnerability that allows attackers to change passwords without proper validation of the old password field (CVSS 6.5).
OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. [CVSS 6.4 MEDIUM]
Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. [CVSS 6.2 MEDIUM]
phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. [CVSS 6.1 MEDIUM]
phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. [CVSS 6.1 MEDIUM]
Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. [CVSS 6.1 MEDIUM]
Leafkit versions up to 1.4.1 contains a vulnerability that allows attackers to XSS if there is a leaf variable in the attribute that is user controlled (CVSS 6.1).
OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. [CVSS 6.1 MEDIUM]
Reflected cross-site scripting in LibreNMS versions 25.12.0 and earlier allows unauthenticated remote attackers to inject malicious scripts via the email field, potentially compromising user sessions and enabling credential theft or malware distribution. Public exploit code exists for this vulnerability, and affected organizations should upgrade to version 26.2.0 or later immediately.
OpenClaw versions prior to 2026.2.15 contain a stored XSS vulnerability in the Control UI where unsanitized assistant identity values (name/avatar) are injected into inline script tags, allowing authenticated attackers with high privileges to break out of the script context and execute arbitrary JavaScript. Public exploit code exists for this vulnerability. The issue has been remediated in version 2026.2.15 through removal of inline scripts and implementation of a restrictive Content Security Policy.
SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 allows unauthenticated remote attackers to manipulate the Username parameter during registration, potentially enabling data exfiltration, modification, or denial of service. Public exploit code exists for this vulnerability, and no patch is currently available.
A weakness has been identified in Fujian Smart Integrated Management Platform System versions up to 7.5. contains a security vulnerability (CVSS 7.3).
SQL injection in Fujitsu Smart Integrated Management Platform System version 7.5 and earlier allows unauthenticated remote attackers to execute arbitrary SQL queries via the DeviceIDS parameter in the XAccessPermissionPlus.ashx endpoint. Public exploit code exists for this vulnerability, enabling potential database compromise and unauthorized data access. No patch is currently available.
OpenSourcePOS 3.4.1 allows authenticated attackers to execute arbitrary SQL commands through unsanitized concatenation of the currency_symbol configuration parameter into dynamic database queries. An attacker with administrative privileges can exploit this second-order SQL injection to access or manipulate sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available.
Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized port group names, which execute when other users view the affected port group. Public exploit code exists for this vulnerability. The issue is resolved in version 26.2.0.
Stored XSS in LibreNMS versions 26.1.1 and below allows authenticated administrators to inject malicious scripts through unsanitized device group names, which execute when other users view the group management interface. Public exploit code exists for this vulnerability, affecting LibreNMS deployments across multiple supported platforms. The vulnerability has been patched in version 26.2.0.
Stored XSS in Flare file sharing platform versions 1.7.0 and below allows authenticated attackers to execute arbitrary JavaScript by uploading malicious SVG or HTML files that execute when viewed in raw mode, potentially enabling session hijacking or data theft. The vulnerability stems from insufficient file content validation and sanitization during upload. Public exploit code exists; upgrade to version 1.7.1 or later to remediate.
OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. [CVSS 4.3 MEDIUM]
Stored XSS in LibreNMS Alert Rules allows authenticated administrators to inject malicious scripts that execute when other users view the Alert Rules page, affecting versions 25.12.0 and below. Public exploit code exists for this vulnerability, though exploitation requires high-level administrative privileges and user interaction. The vulnerability has been patched in version 26.2.0.
Remote code execution in Deciso OPNsense's backup functionality allows authenticated network-adjacent attackers to execute arbitrary commands with root privileges through insufficient input validation in the diag_backup.php file. An attacker with valid credentials can inject malicious commands into backup filename parameters to achieve code execution on the affected system. No patch is currently available for this vulnerability.
Svelte versions prior to 5.51.5 improperly enumerate prototype chain properties during server-side rendering attribute spreading, allowing polluted Object.prototype properties to inject unexpected attributes into SSR output or cause rendering errors. This vulnerability affects applications using SSR where the prototype chain has been previously manipulated, though client-side rendering is unaffected. The issue requires prototype pollution as a precondition but can lead to information disclosure or denial of service in vulnerable SSR environments.
Booked scheduling software versions 3.0.0 and earlier contain an authentication bypass flaw that allows authenticated users to abuse alternate authentication paths or channels to gain unauthorized access. An attacker with valid credentials could exploit this vulnerability to escalate privileges or access restricted functionality without proper authorization. No patch is currently available for affected installations.
OpenClaw versions 2026.1.12 through 2026.2.13 contain a path traversal vulnerability in the browser download helper that allows authenticated users with CLI access or valid gateway RPC tokens to write files outside the intended temporary downloads directory. An attacker with these credentials can exploit unsanitized output paths to place arbitrary files on the system. Version 2026.2.13 and later contain the fix.
OpenClaw versions prior to 2026.2.15 allow authenticated administrators to write files outside the skill installation directory due to insufficient validation of the targetDir parameter during skill installation. An admin user could exploit this path traversal vulnerability to place malicious files in arbitrary locations on the system. A patch is available in version 2026.2.15 and later.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= 1.0.71. [CVSS 6.5 MEDIUM]
LiteSpeed Technologies LiteSpeed Cache litespeed-cache is affected by cross-site scripting (xss) (CVSS 6.5).
ahachat AhaChat Messenger Marketing ahachat-messenger-marketing contains a security vulnerability (CVSS 6.5).
Missing authorization controls in the tychesoftwares Print Invoice & Delivery Notes plugin for WooCommerce (versions up to 5.8.0) allow unauthenticated attackers to manipulate access control settings and modify invoice or delivery note data. The vulnerability affects WordPress sites running this plugin and could result in unauthorized data modification. A patch is not currently available.
Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through <= 3.4.2. [CVSS 6.5 MEDIUM]
vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Leadpages Leadpages leadpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadpages: from n/a through <= 1.1.3. [CVSS 6.5 MEDIUM]
Passionate Brains Advanced WC Analytics advance-wc-analytics is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1. [CVSS 6.5 MEDIUM]
Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Addonify Addonify - WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify - WooCommerce Wishlist: from n/a through <= 2.0.15. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.5. [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.2.1. [CVSS 6.5 MEDIUM]
sunshinephotocart Sunshine Photo Cart sunshine-photo-cart is affected by missing authorization (CVSS 6.5).
knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce is affected by missing authorization (CVSS 6.5).
Missing Authorization vulnerability in Arya Dhiratara Optimize More! – Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optimize More! [CVSS 6.5 MEDIUM]
Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through <= 2.4.6. [CVSS 6.5 MEDIUM]
Authenticated attackers can traverse directory restrictions in Mitchell Bennis Simple File List versions up to 6.1.15 to read files outside intended directories, requiring valid credentials but no user interaction. This path traversal vulnerability impacts confidentiality but not system integrity or availability, with no patch currently available.
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16. [CVSS 6.5 MEDIUM]
OpenClaw versions prior to 2026.2.14 allow authenticated users to read arbitrary files from the Gateway host through path traversal in the browser tool's upload functionality. An attacker with valid Gateway credentials and browser tool permissions can supply absolute or traversal paths to bypass file access restrictions and access sensitive files. This vulnerability requires authentication and browser tool enablement but presents a high confidentiality risk to affected deployments.
Inadequate access control in weDevs Subscribe2 plugin version 10.44 and earlier permits unauthenticated attackers to bypass authorization checks and gain unauthorized access to restricted functionality. An attacker can exploit misconfigured security levels to perform actions they should not be permitted to execute, potentially exposing sensitive subscriber data or modifying plugin settings. No patch is currently available.
Tanium Interact logs sensitive information that authenticated users can access, potentially exposing confidential data through log file inspection. The vulnerability requires valid credentials and does not allow modification or service disruption, limiting its impact to information disclosure.
Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. [CVSS 6.5 MEDIUM]