Reflected XSS in Copyparty before version 1.20.9 allows unauthenticated attackers to inject malicious scripts through the setck URL parameter, potentially enabling session hijacking or credential theft from affected users. The vulnerability requires user interaction to click a crafted link but can be exploited remotely without authentication. A patch is available in version 1.20.9 and later.
Improper output encoding in Svelte versions prior to 5.53.5 allows attackers to inject malicious HTML and execute arbitrary JavaScript in user browsers through unescaped error messages returned by the transformError function. An attacker who can control error content can exploit this XSS vulnerability to compromise application security and user data. A patch is available in version 5.53.5 and later.
The discourse-policy plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to verify user permissions when processing policy actions, allowing authenticated users to accept or reject policies on posts they cannot access in private categories or private messages. Attackers can exploit this authorization bypass to manipulate policies on restricted content and enumerate post IDs with policies through error message differences. The vulnerability requires authentication but affects the confidentiality and integrity of policy-protected discussions.
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link. [CVSS 5.4 MEDIUM]
The Data Explorer plugin in Discourse prior to versions 2025.12.2, 2026.1.1, and 2026.2.0 fails to properly enforce access controls, allowing any authenticated user to execute arbitrary SQL queries against unprotected queries, including system-level queries. This affects all installations with the Data Explorer plugin enabled and permits authenticated attackers to access or modify sensitive data without proper authorization. No patch is currently available, though administrators can mitigate the issue by explicitly setting group permissions on queries or disabling the plugin.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the register.php backend script of PuneethReddyHC Event Management System 1.0. [CVSS 5.4 MEDIUM]
Cross-site scripting (XSS) in PcVue's OAuth error page (versions 12.0.0-16.3.3) allows remote attackers to inject malicious scripts by tricking users into authenticating with a crafted client ID, potentially compromising the WebVue, WebScheduler, TouchVue, and SnapVue components. An attacker can exploit this to steal session tokens or perform actions on behalf of affected users. No patch is currently available.
PcVue versions 15.0.0 through 16.3.3 are vulnerable to HTTP Host header injection in the WebClient and WebScheduler authentication endpoints, allowing unauthenticated remote attackers to manipulate server behavior and potentially conduct phishing or cache poisoning attacks. The vulnerability affects the /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback, and /Authentication/Logout endpoints, with the ability to inject malicious payloads that could lead to information disclosure or data modification. Currently no patch is available for this medium-severity issue.
PcVue versions 12.0.0 through 16.3.3 use the deprecated OAuth Resource Owner Password Credentials flow in their web services, enabling remote attackers to steal user credentials without authentication or user interaction. The vulnerability affects WebVue, WebScheduler, TouchVue, and Snapvue components and carries a high severity rating with no patch currently available.
Fleet's Android MDM Pub/Sub endpoint fails to authenticate requests prior to version 4.80.1, allowing unauthenticated attackers to remotely trigger device unenrollment and remove Android devices from management. The vulnerability has limited impact, affecting only device management continuity without providing access to Fleet itself or device data. Organizations running vulnerable versions should upgrade immediately or disable Android MDM until patching is possible.
PcVue versions 12.0.0 through 16.3.3 lack origin validation on WebSocket connections in the GraphicalData service, enabling cross-site WebSocket hijacking attacks against authenticated users. An attacker can trick a logged-in user into visiting a malicious site to compromise the confidentiality and integrity of their PcVue session. No patch is currently available for this medium-severity vulnerability.
The WooCommerce Photo Reviews plugin for WordPress versions up to 1.4.4 fails to properly sanitize user input in HTML contexts, enabling attackers to inject malicious scripts that execute in victims' browsers. This stored cross-site scripting vulnerability allows unauthenticated attackers to deface content or steal sensitive information from site visitors. No patch is currently available for this vulnerability.
The Discourse poll plugin voters endpoint fails to validate post visibility permissions, enabling unauthenticated attackers to enumerate poll voter details across any post in affected instances. This information disclosure affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, with no workaround available until patching. No patch is currently available for earlier versions.
Unauthenticated attackers can delete arbitrary user accounts on WordPress sites running the User Registration & Membership plugin through version 5.1.2 due to insufficient validation of the member_id parameter in the register_member function. This IDOR vulnerability specifically targets newly registered accounts marked with the urm_user_just_created meta flag. No patch is currently available.
NetExec's spider_plus module prior to version 1.5.1 fails to sanitize path traversal characters in SMB share filenames, allowing remote attackers to write or overwrite arbitrary files on Linux systems when the DOWNLOAD feature is enabled. The vulnerability requires user interaction to trigger the malicious SMB share crawl and currently has no available patch. Organizations using NetExec should disable the DOWNLOAD=true option as a temporary mitigation.
PcVue versions 12.0.0 through 16.3.3 lack Secure and SameSite cookie attributes in the GraphicalData web services and WebClient application, enabling attackers to intercept session cookies over unencrypted connections and perform cross-site request forgery attacks. This vulnerability affects organizations using the affected PcVue versions and could allow unauthorized actions on behalf of authenticated users. No patch is currently available for this medium-severity issue.
The Terraform Provider for Linode prior to version 3.9.0 exposes sensitive credentials including passwords and API tokens in debug logs when debug logging is explicitly enabled. Authenticated attackers with access to these logs through CI/CD pipelines, log aggregation systems, or shared debug output can extract exposed secrets. This vulnerability requires an authenticated user and debug logging activation, making it exploitable primarily in environments where logging is intentionally enabled for troubleshooting.
Kibana's AI Inference Anonymization Engine contains a ReDoS (Regular Expression Denial of Service) vulnerability that allows authenticated high-privilege users to crash the service through maliciously crafted input. An attacker with administrative credentials can trigger exponential regex backtracking to render the system unavailable, though no patch is currently available.
Bitnami Sealed Secrets improperly validates user-supplied annotations during secret rotation, allowing authenticated attackers to escalate secret scope from namespace-wide or strict constraints to cluster-wide. An attacker can inject a malicious annotation into the rotation request to obtain a rotated secret accessible across any namespace, potentially enabling lateral movement and unauthorized access to sensitive credentials throughout the cluster.
Discourse's posts_nearby function fails to properly filter whispered posts based on user permissions, allowing authenticated users with high privileges to view confidential whispers intended only for specific recipients. The vulnerability stems from inadequate post-type filtering that bypasses guardian-based access controls. No patch is currently available for affected versions prior to 2025.12.2, 2026.1.1, and 2026.2.0.
Audiobookshelf Mobile App versions up to 0.12.0 is affected by cross-site scripting (xss) (CVSS 4.8).
The TP2WP Importer plugin for WordPress contains a stored cross-site scripting vulnerability in the attachment importer settings that allows authenticated administrators to inject malicious scripts through the 'Watched domains' textarea due to inadequate input sanitization and output escaping. When other users access the affected settings page, the injected scripts execute in their browsers, potentially allowing administrators to perform unauthorized actions or steal sensitive data. The vulnerability affects all versions up to and including 1.1 with no patch currently available.
Stored XSS in WP Social Meta plugin through 1.0.1 allows authenticated administrators to inject malicious scripts into WordPress admin settings that execute for all users viewing affected pages, impacting multi-site installations and configurations with disabled unfiltered_html. The vulnerability requires high administrative privileges and complex exploitation conditions, making practical attacks unlikely despite network accessibility.
Stored XSS in the WordPress Custom Logo plugin through version 2.2 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users. This affects multi-site WordPress installations and single-site setups where unfiltered_html is disabled, requiring high-privilege attacker access but enabling persistent script injection across affected pages.
Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0 contain an authorization bypass that allows authenticated users to escalate ordinary topics to site-wide notices or banners by manipulating request parameters, circumventing administrative controls. This vulnerability affects any Discourse instance where regular users should not have the ability to create global announcements. No patch is currently available, and administrators should review recent banner and notice changes for unauthorized modifications until updating.
FTP command injection in GVfs backend allows remote attackers to execute arbitrary FTP commands by embedding CRLF sequences in crafted file paths, potentially leading to unauthorized access or code execution. The vulnerability requires user interaction and affects systems utilizing the FTP GVfs backend for file operations. A patch is available to remediate this input validation weakness.
Insecure Direct Object References in Discourse ReviewableNotesController allow category moderation group members to create or delete notes on any reviewable in the system regardless of moderation scope when category group moderation is enabled. This authorization bypass affects Discourse versions prior to 2025.12.2, 2026.1.1, and 2026.2.0, enabling users to manipulate moderation records outside their assigned categories. No patch is currently available.
GVfs FTP backend clients blindly trust server-provided IP addresses and ports during passive mode connections, enabling malicious FTP servers to conduct network reconnaissance and probe for open ports from the client's network perspective. The vulnerability requires user interaction but poses a confidentiality risk to network topology information. A patch is available to address this trust validation issue.
Weblate versions prior to 5.16.1 fail to properly restrict API access to addon data, allowing authenticated users to enumerate and access all addons across every project and component in the system. An attacker with valid credentials can query the REST API endpoints to retrieve sensitive addon information that should be scoped to their assigned permissions. This information disclosure vulnerability is fixed in version 5.16.1.
Packistry versions prior to 0.13.0 fail to validate token expiration in the RepositoryAwareController::authorize() function, allowing attackers with expired deploy tokens to maintain unauthorized access to repository endpoints and package metadata. An authenticated attacker can leverage an expired token with valid abilities to interact with Composer APIs and potentially download or access sensitive package information. This vulnerability affects self-hosted Packistry deployments and has been patched in version 0.13.0.
Zitadel versions 2.31.0 through 3.4.6 and 4.10.x accept truncated opaque OIDC access tokens as valid when shortened to 80 characters, allowing attackers to bypass token validation and gain unauthorized access to protected resources. This affects deployments using the v2 token format where the symmetric encryption scheme fails to properly validate token length, enabling token forgery or reuse attacks.
Stored XSS in Audiobookshelf Mobile App prior to version 0.12.0-beta allows authenticated users with library modification privileges to inject malicious JavaScript through metadata, enabling arbitrary code execution within victim users' browsers and WebViews. Successful exploitation could lead to session hijacking, data theft, and unauthorized access to native device APIs. A patch is available in version 0.12.0-beta and later.
Heap buffer over-read in ImageMagick and Magick.NET's DJVU image handler allows local attackers to read out-of-bounds memory through integer truncation in stride calculations. An attacker can trigger this vulnerability by supplying a malicious DJVU file, potentially leading to information disclosure or application crashes. Updates are available for ImageMagick versions 7.1.2-15, 6.9.13-40 and later.
Magick.NET and ImageMagick versions before 7.1.2-15 and 6.9.13-40 are vulnerable to heap buffer over-read when processing low-resolution images with the wavelet-denoise filter, allowing local attackers to read sensitive memory. This out-of-bounds read could expose confidential information from adjacent heap memory with no possibility of code execution or denial of service. A patch is available for affected users.