DNS rebinding in WeKnora's web_fetch tool allows authenticated attackers to bypass URL validation and access internal resources and private IP addresses on the server through malicious domains that resolve differently during validation versus execution. Public exploit code exists for this vulnerability, and versions prior to 0.3.0 are affected with no patch currently available. An attacker could leverage this to access sensitive local services and exfiltrate data from the affected system.
Reflected cross-site scripting (XSS) in Wallos password reset functionality before version 4.6.2 allows unauthenticated attackers to inject malicious scripts by manipulating token and email parameters that are output without sanitization. Public exploit code exists for this vulnerability, affecting self-hosted instances of Wallos. A patch is available in version 4.6.2 and later.
Defuddle versions prior to 0.9.0 fail to properly escape image attributes in HTML processing, allowing attackers to inject malicious event handlers through specially crafted alt text containing quote characters. Public exploit code exists for this cross-site scripting vulnerability. The vulnerability affects all users of Defuddle before version 0.9.0, and a patch is available.
Remote denial of service in cpp-httplib prior to version 0.37.0 allows unauthenticated attackers to crash server processes by submitting HTTP POST requests with maliciously crafted RFC 5987 filename* parameters that trigger catastrophic backtracking in the regex parser. The vulnerability exploits the recursive stack-based implementation of libstdc++'s regex engine, causing uncontrolled stack growth and stack overflow. Public exploit code exists for this vulnerability.
WeKnora's document import feature is vulnerable to Server-Side Request Forgery through HTTP redirects, allowing unauthenticated remote attackers to bypass URL validation controls and access internal services despite backend protections against private IPs and metadata endpoints. The vulnerability affects WeKnora versions prior to 0.2.12 when deployed in Docker environments, where host.docker.internal addresses are not blocked. Public exploit code exists and no patch is currently available.
Unsanitized attachment filenames in eml_parser prior to version 2.0.1 enable path traversal attacks, allowing attackers to write files outside the intended output directory when the example extraction script processes malicious emails. Organizations using the vulnerable example code or similar attachment handling logic are at risk of unauthorized file writes that could overwrite critical files or introduce malicious content. Public exploit code exists for this vulnerability, and a patch is available in version 2.0.1 and later.
Checkmate versions prior to 3.4.0 allow unauthenticated attackers to retrieve unpublished status pages and internal monitoring data through the GET /api/v1/status-page/:url endpoint due to missing authentication checks. Public exploit code exists for this information disclosure vulnerability, enabling remote attackers to access sensitive server hardware, uptime, and incident details without credentials. No patch is currently available for affected deployments.
The /api/health/detailed endpoint in mcp-memory-service prior to version 10.21.0 discloses sensitive system information including OS details, Python version, CPU configuration, memory metrics, and database paths to unauthenticated network users when anonymous access is enabled. Public exploit code exists for this information disclosure vulnerability, which affects deployments using the default 0.0.0.0 network binding. A patch is available in version 10.21.0 to restrict endpoint access and redact sensitive data.
Unauthenticated Server-Side Request Forgery in Homarr versions before 1.54.0 enables remote attackers to initiate arbitrary outbound HTTP requests from the server, potentially accessing internal network resources and private IP ranges. Public exploit code exists for this vulnerability. The issue is resolved in version 1.54.0 and later.
Unauthenticated attackers can query the integration.all endpoint in Homarr prior to version 1.54.0 to enumerate all configured integrations and expose sensitive metadata including internal service URLs and integration details. Public exploit code exists for this information disclosure vulnerability. The vulnerability is patched in version 1.54.0 and later.
Weknora versions up to 0.3.0 is affected by authorization bypass through user-controlled key (CVSS 5.3).
Wallos prior to version 4.6.2 contains an authorization bypass allowing authenticated users to delete avatar files belonging to other users due to missing ownership verification on the avatar deletion endpoint. An attacker with valid credentials can enumerate or guess other users' avatar filenames to remove their files. Public exploit code exists for this vulnerability, and a patch is available in version 4.6.2 and later.
Wallos versions prior to 4.6.2 contain a server-side request forgery (SSRF) vulnerability in the webhook notification testing function that fails to restrict requests to private IP ranges, allowing authenticated attackers to read internal server responses. Public exploit code exists for this vulnerability. The vulnerability affects Wallos and has been patched in version 4.6.2.
Netmaker versions prior to 1.5.0 fail to properly validate role assignments in the user update API endpoint, allowing authenticated admin users to escalate their privileges to super-admin. An attacker with admin credentials can exploit this authorization bypass to gain unrestricted access to the platform. No patch is currently available for affected installations.
Stored XSS in the WordPress Consensus Embed plugin through version 1.6 allows authenticated contributors and above to inject malicious scripts into pages via insufficiently sanitized shortcode attributes. When users visit affected pages, the injected scripts execute in their browsers, potentially compromising session data or performing unauthorized actions. No patch is currently available for this vulnerability.
The DA Media GigList WordPress plugin up to version 1.9.0 contains stored cross-site scripting (XSS) in its shortcode functionality due to improper input validation, allowing authenticated contributors and above to inject malicious scripts that execute for all users viewing affected pages. This vulnerability requires valid WordPress account credentials but no user interaction to exploit, enabling persistent code injection across the site.
Stored XSS in the Hammas Calendar WordPress plugin through version 1.5.11 allows authenticated contributors and above to inject malicious scripts via the 'apix' parameter in the 'hp-calendar-manage-redirect' shortcode due to inadequate input sanitization. When users access pages containing the injected payload, the scripts execute in their browsers, potentially leading to session hijacking, credential theft, or malware distribution. No patch is currently available.
Stored XSS in the Show YouTube video WordPress plugin through improper sanitization of the 'syv' shortcode attributes allows authenticated users with contributor-level permissions to inject malicious scripts into pages. When other users view affected pages, the injected scripts execute in their browsers, potentially compromising sessions or stealing sensitive data. No patch is currently available for versions up to 1.1.
Infomaniak Connect for OpenID (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
Media Library Alt Text Editor (WordPress plugin) is affected by cross-site scripting (xss) (CVSS 6.4).
The MyQtip WordPress plugin through version 2.0.5 contains a stored cross-site scripting vulnerability in its shortcode handler that fails to properly sanitize user-supplied attributes. Authenticated users with contributor-level permissions or higher can inject malicious scripts that execute in the browsers of visitors viewing affected pages. No patch is currently available for this vulnerability.
Stored cross-site scripting in the WordPress Wueen plugin through version 0.2.0 allows authenticated users with contributor-level permissions to inject malicious scripts via the wueen-blocket shortcode due to inadequate input validation. Injected scripts execute in the browsers of any user viewing affected pages, potentially enabling session hijacking, credential theft, or defacement. No patch is currently available.
Reflected XSS in CM Custom Reports plugin for WordPress (versions up to 1.2.7) allows unauthenticated attackers to inject malicious scripts through inadequately sanitized 'date_from' and 'date_to' parameters. An attacker can exploit this by tricking users into clicking malicious links, causing arbitrary scripts to execute in their browsers with access to sensitive data or session information. No patch is currently available.
DOM-based XSS in the RSS Aggregator plugin for WordPress (versions up to 5.0.11) allows unauthenticated attackers to execute arbitrary JavaScript in an administrator's browser session by exploiting missing origin validation in postMessage handlers. An attacker can craft a malicious website that tricks an admin into visiting it, sending crafted payloads that bypass the plugin's unsafe URL handling in admin-shell.js. This affects all WordPress installations running the vulnerable plugin versions without authentication requirements.
The DisallowedRawHtml extension in PHP Commonmark (league/commonmark) versions prior to 2.8.1 can be bypassed by injecting whitespace characters between HTML tag names and closing brackets, allowing malicious scripts to pass sanitization filters and execute in user browsers. Applications relying solely on this extension to sanitize untrusted markdown input are vulnerable to cross-site scripting attacks, though those using additional HTML sanitizers are unaffected. No patch is currently available for affected versions.
Tool name collision in WeKnora's MCP client integration allows remote attackers with network access to register malicious tools that overwrite legitimate ones, enabling prompt injection attacks and potential data exfiltration. An attacker exploiting this vulnerability can redirect LLM execution to steal system prompts and context data, or execute arbitrary tools with the privileges of authenticated users. This affects WeKnora versions prior to 0.3.0.
Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.
Stored cross-site scripting in Zikestor SKS8310-8X firmware versions 1.04.B07 and earlier allows authenticated users to inject malicious scripts via the System Name field, which execute when other administrators view the configuration. The lack of proper output encoding enables attackers with login credentials to compromise the security of administrative sessions viewing the affected switch settings.
Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.
WeKnora versions prior to 0.2.12 suffer from inadequate tenant isolation in database queries, permitting any authenticated user to access sensitive data from other tenants including API keys, model configurations, and private messages. The vulnerability affects multi-tenant deployments where account-level access controls fail to prevent cross-tenant data exfiltration. No patch is currently available for affected versions.
Unauthenticated attackers can modify arbitrary custom event fields in the MDJM Event Management plugin for WordPress through versions 1.7.8.1 due to insufficient capability checks in the custom fields controller. This allows remote deletion of custom event data without requiring valid credentials or user interaction. No patch is currently available for this medium-severity vulnerability.
Unauthenticated attackers can retrieve rendered HTML content from private, draft, and password-protected reusable blocks in the Greenshift plugin for WordPress (versions up to 12.8.3) due to missing authorization checks in an AJAX handler combined with exposed nonce values. The vulnerability allows an attacker to specify arbitrary post IDs and bypass post status validation to access sensitive block content. No patch is currently available for this medium-severity information disclosure vulnerability.
SQL injection in WordPress Community Events plugin up to version 1.5.8 allows authenticated administrators to extract sensitive database information through malicious CSV file uploads exploiting inadequately sanitized venue name fields. The vulnerability requires high-level privileges and manual interaction but poses a significant confidentiality risk to WordPress installations using this plugin. No patch is currently available.
Stored XSS in MailArchiver plugin for WordPress versions up to 4.4.0 allows authenticated administrators to inject malicious scripts through insufficiently sanitized admin settings, affecting multi-site installations and those with disabled unfiltered_html. Attackers with admin privileges can execute arbitrary JavaScript that persists and triggers when other users access affected pages. No patch is currently available.
Stored XSS in WordPress Stock Ticker plugin through version 3.26.1 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users viewing affected pages. The vulnerability requires administrator privileges and only impacts multi-site WordPress installations or those with unfiltered_html disabled. No patch is currently available.
Stored XSS in LotekMedia Popup Form plugin for WordPress through version 1.0.6 allows administrators to inject malicious scripts into popup settings due to improper input sanitization. When site visitors view pages containing the affected popup, the injected scripts execute in their browsers, potentially compromising user sessions or stealing sensitive data. A patch is not currently available.
Stored XSS in the Carta Online WordPress plugin through version 2.13.0 allows authenticated administrators to inject malicious scripts into admin settings that execute for other users accessing affected pages. The vulnerability requires administrator privileges and only impacts WordPress multisite installations or those with unfiltered_html disabled. No patch is currently available.
{network} or GET /api/nodes/{network} endpoints that lack proper output filtering. This vulnerability affects Netmaker and its integrated WireGuard deployments, with no patch currently available for affected versions.
Unauthorized message deletion in ProfileGrid WordPress plugin versions up to 5.9.8.1 allows authenticated subscribers and above to delete arbitrary messages from any user due to missing capability checks in the pg_delete_msg() function. An attacker can exploit this by sending a crafted request with a valid message ID to remove messages without proper authorization. No patch is currently available for this vulnerability.
The Guardian News Feed WordPress plugin through version 1.2 lacks CSRF protections on its settings update function, allowing unauthenticated attackers to modify plugin configuration including API credentials through social engineering. Site administrators can be tricked into clicking a malicious link that silently changes settings with their authenticated session. No patch is currently available.
Font Pairing Preview For Landing Pages (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
WordPress True Ranker plugin versions up to 2.2.9 lack proper CSRF protections on the account disconnection function, enabling unauthenticated attackers to disconnect an administrator's True Ranker account by tricking them into clicking a malicious link. An attacker exploiting this vulnerability could disrupt SEO monitoring capabilities for affected sites without requiring authentication or special privileges.
Purchase Button For Affiliate Link (WordPress plugin) is affected by cross-site request forgery (csrf) (CVSS 4.3).
The ProfileGrid WordPress plugin through version 5.9.8.2 lacks nonce validation on membership request management functions, allowing unauthenticated attackers to forge requests that approve or deny group membership through social engineering of site administrators. An attacker can exploit this CSRF vulnerability to manipulate group membership status by tricking an admin into clicking a malicious link. No patch is currently available for this medium-severity vulnerability.
The HUMN-1 AI Website Scanner & Human Certification plugin for WordPress through version 0.0.3 fails to validate user permissions on the winston_disconnect AJAX function, allowing authenticated Subscriber-level users to disconnect the plugin's API credentials. This capability check bypass enables authenticated attackers to disrupt the plugin's functionality by resetting its API connection settings without proper authorization.
The WP Frontend Profile WordPress plugin through version 1.3.8 lacks CSRF protections on the update_action function, enabling unauthenticated attackers to manipulate user registration approvals or rejections by deceiving administrators into clicking malicious links. This allows attackers to perform unauthorized account management actions without authentication, potentially disrupting legitimate user onboarding processes. No patch is currently available for this vulnerability.
Karapace versions before 6.0.0 contain a path traversal vulnerability in the backup restoration functionality that allows attackers to read arbitrary files from the system by crafting malicious backup files. Organizations using Karapace's backup/restore feature with untrusted backup sources are at risk, with the actual impact limited by the file permissions of the Karapace process. No patch is currently available, requiring users to restrict backup sources or disable the backup functionality until version 6.0.0 is released.