ProcessWire CMS version 3.0.255 and prior contain a server-side request forgery vulnerability in the admin panel's 'Add Module From URL' feature that allows authenticated administrators to supply arbitrary URLs to the module download parameter, causing the server to issue outbound HTTP requests to attacker-controlled internal or external hosts. Attackers can exploit differentiable error messages returned by the server to perform reliable internal network port scanning, host enumeration across RFC-1918 ranges, and potential access to cloud instance metadata endpoints.
The 3D FlipBook - PDF Embedder, PDF Flipbook Viewer, Flipbook Image Gallery plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the send_post_pages_json() function in all versions up to, and including, 1.16.17. This makes it possible for unauthenticated attackers to retrieve flipbook page metadata for draft, private and password-protected flipbooks.
During an internal security assessment, a potential vulnerability was discovered in Lenovo Diagnostics and the HardwareScanAddin used in Lenovo Vantage that, during installation or when using hardware scan, could allow a local authenticated user to perform an arbitrary file write with elevated privileges.
An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `attacker@evil.com@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid email address. The issue **ONLY** affects deployments that rely on `email_domain` restrictions and accept email claim values from identity providers or claim mappings that do not strictly enforce normal email syntax. The practical risk ONLY exists in self-hosted or custom OIDC environments and federated setups where unexpected claim values can reach oauth2-proxy. Standard hosted providers that enforce valid email formatting ARE NOT effected. Users should upgrade to `v7.15.2` or later once available. The most effective workaround is to ensure the configured identity provider cannot emit malformed or attacker-controlled email claim values.
Weblate is a web based localization tool. In versions prior to 5.17, the translation memory API exposed unintended endpoints, which in turn didn't perform proper access control. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable this feature as the CDN add-on is not enabled by default.
Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to validate CSRF tokens on authentication endpoints, allowing remote attackers to update a targeted user's authentication method by tricking them into visiting a malicious page. The attack requires user interaction (UI:R) and results in high confidentiality and integrity impact, but no public exploit or CISA KEV confirmation has been identified at the time of analysis.
In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.6, 10.2.2510.10, 10.1.2507.20, 10.0.2503.13, and 9.3.2411.127, a user who holds a role that contains the high-privilege capability `edit_user`could create a specially crafted username that includes a null byte or a non-UTF-8 percent-encoded byte due to improper input validation.<br><br>This could lead to inconsistent conversion of usernames into a proper format for storage and account management inconsistencies, such as being unable to edit or delete affected users.
JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
Multiple vulnerabilities in Cisco Unity Connection could allow an authenticated, remote attacker to download arbitrary files from an affected system. To exploit these vulnerabilities, the attacker must have valid administrative credentials. These vulnerabilities are due to improper sanitization of user input to the web-based management interface. An attacker could exploit these vulnerabilities by sending a crafted HTTPS request. A successful exploit could allow the attacker to download arbitrary files from an affected system.
A flaw was found in FFmpeg. A remote attacker could exploit this vulnerability by providing a specially crafted MPEG-PS/VOB media file containing a malicious DVD subtitle stream. This vulnerability is caused by a signed integer overflow in the DVD subtitle parser's fragment reassembly bounds checks, leading to a heap out-of-bounds write. Successful exploitation can result in a denial of service (DoS) due to an application crash, and potentially lead to arbitrary code execution.
Out of bounds read in Skia in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted file. (Chromium security severity: Medium)
The Eleganzo theme for WordPress is vulnerable to arbitrary directory deletion due to insufficient path validation in the akd_required_plugin_callback function in all versions up to, and including, 1.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete arbitrary directories on the server, including the WordPress root directory.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zahlan Categories Images categories-images allows DOM-Based XSS.This issue affects Categories Images: from n/a through <= 3.3.1.
Mattermost versions 10.11.x through 10.11.12, 11.3.x through 11.3.2, 11.4.x through 11.4.2, and 11.5.0 fail to enforce atomic consumption of guest magic link tokens, allowing unauthenticated attackers to establish multiple concurrent authenticated sessions from a single valid magic link. This enables unauthorized access and potential information disclosure without requiring additional credentials or user interaction beyond intercepting or obtaining the link.
The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidentaly logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data. If you used Azure Service Bus connection with those values set or if you have other connections with those values storing sensitve values, you should upgrade Airflow to 3.2.0.
Stored Cross-Site Scripting in WP Circliful plugin for WordPress up to version 1.2 allows authenticated attackers with Contributor-level access to inject arbitrary HTML and JavaScript via insufficiently sanitized shortcode attributes in [circliful] and [circliful_direct] shortcodes. The vulnerability exists in the circliful_shortcode() and circliful_direct_shortcode() functions, which concatenate user input directly into HTML attributes without escaping. When a user visits a page containing the injected shortcode, the malicious script executes in their browser. No public exploit code or active exploitation in the wild has been confirmed at time of analysis.
{ url: trim(url), // User-controlled, no validation method, headers, params, timeout, ...(method.toLowerCase() !== 'get' && data != null ? { data: transformer ? await transformer(data) : data } : {}), }); ``` The `url` at line 98 comes directly from user workflow configuration with only whitespace trimming. **`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:** ```typescript const axiosRequestConfig = { baseURL: ctx.origin, ...options, url: getParsedValue(url, variables), // User-controlled via template headers: { ... }, params: getParsedValue(arrayToObject(params), variables), data: getParsedValue(toJSON(data), variables), }; const res = await axios(axiosRequestConfig); // No IP validation ``` - No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase) - No private IP range filtering - No cloud metadata endpoint blocking - No URL scheme validation - No DNS rebinding protection 1. Authenticated user creates a workflow with HTTP Request node 2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/` 3. Triggers the workflow 4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs Alternatively via Custom Request action: 1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin` 2. Execute the action 3. Server makes request to internal service - **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints - **Internal network access**: Scan and interact with services on private IP ranges - **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.) - **Authentication required**: Yes (authenticated user), but any workspace member can create workflows
Stored cross-site scripting in Power Charts Lite WordPress plugin versions up to 0.1.0 allows authenticated contributors and above to inject arbitrary JavaScript into pages via the 'id' parameter of the [pc] shortcode. The vulnerability exists because the plugin extracts user-supplied shortcode attributes, directly concatenates them into HTML class attributes without sanitization, and then decodes HTML entities, creating a persistent XSS payload that executes for all users viewing the affected page. No active exploitation has been confirmed, but the attack requires only standard WordPress contributor permissions and no additional complexity.
Stored cross-site scripting in WM JqMath WordPress plugin up to version 1.3 allows authenticated contributors and above to inject arbitrary JavaScript via the 'style' shortcode attribute, which executes in the browsers of all users viewing affected pages. The vulnerability stems from direct concatenation of unsanitized user input into HTML without proper escaping (missing esc_attr() calls). CVSS 6.4 reflects moderate risk with scope change; no public exploit code or active KEV status identified at time of analysis.
Stored cross-site scripting in Coachific Shortcode plugin for WordPress versions up to 1.0 allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript into pages via the 'userhash' shortcode attribute. The plugin sanitizes input with sanitize_text_field() but fails to apply JavaScript-specific escaping before interpolating the value into a script tag, enabling persistent XSS attacks visible to all page visitors. EPSS score of 6.4 reflects moderate real-world risk constrained by the requirement for authenticated contributor access and user interaction.
Stored Cross-Site Scripting in VI: Include Post By WordPress plugin up to version 0.4.200706 allows authenticated contributors and above to inject arbitrary JavaScript via the 'class_container' shortcode attribute, which executes in the browsers of any user viewing affected pages. The vulnerability stems from insufficient input sanitization and output escaping on user-supplied shortcode parameters. No public exploit code or active exploitation has been reported; however, the low attack complexity and broad scope of impact (affecting all site visitors) make this a moderate-priority issue for WordPress installations using this plugin.
Signature verification bypass in Bouncy Castle BC-JAVA (bcpkix module versions 1.49-1.83) allows remote unauthenticated attackers to forge cryptographic signatures by submitting empty signature sequences that are incorrectly accepted as valid by the draft CompositeVerifier implementation. This critical flaw (CVSS 4.0: 10.0) enables complete subversion of digital signature trust chains, potentially allowing authentication bypass, code signing forgery, and man-in-the-middle attacks against Java ap
A vulnerability in the Desktop Agent functionality of Cisco Webex Contact Center could have allowed an unauthenticated, remote attacker to conduct cross-site scripting attacks. Cisco has addressed this vulnerability in the Cisco Webex Contact Center service, and no customer action is needed. This vulnerability existed because HTML and script content was not properly handled. Prior to this vulnerability being addressed, an attacker could have exploited this vulnerability by persuading a user to follow a malicious link. A successful exploit could have allowed the attacker to steal sensitive information from the browser, including authentication and session information.
A vulnerability in the web-based management interface of Cisco Unity Connection could allow an unauthenticated, remote attacker to conduct a reflected XSS attack against a user of the interface. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by persuading a user to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information.
Cross-site scripting (XSS) in ApostropheCMS 4.28.0 and sanitize-html 2.17.1 allows remote attackers to bypass HTML tag filtering and inject arbitrary tags through entity-encoded payloads in textarea and option elements. A regression in the sanitize-html parser incorrectly assumes htmlparser2 does not decode entities within non-text elements, causing encoded HTML to be decoded and written directly to output without sanitization. Exploitation requires non-default configurations where textarea or option tags are in the allowedTags list, commonly found in form builders, and user interaction to submit form content. No active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit once configuration conditions are met.
Cross-Site Request Forgery (CSRF) in OPEN-BRAIN plugin for WordPress versions up to 0.5.0 allows unauthenticated attackers to inject malicious web scripts by tricking site administrators into clicking a malicious link, due to missing nonce verification in the func_page_main() settings form handler. With a CVSS score of 6.1 and network-level attack surface requiring only user interaction, this vulnerability affects any WordPress installation using the affected plugin. No public exploit code or active exploitation has been confirmed at time of analysis.
A flaw was found in GIMP. This vulnerability, a buffer overflow in the `file-seattle-filmworks` plugin, can be exploited when a user opens a specially crafted Seattle Filmworks file. A remote attacker could leverage this to cause a denial of service (DoS), leading to the plugin crashing and potentially impacting the stability of the GIMP application.
Cross-Site Request Forgery (CSRF) in Product Pricing Table by WooBeWoo plugin for WordPress allows unauthenticated attackers to inject arbitrary web scripts or delete pricing tables by tricking site administrators into clicking a malicious link, exploiting missing nonce validation in the updateLabel() and remove() functions across all versions up to and including 1.1.0. No public exploit code identified at time of analysis, but the vulnerability requires only user interaction (UI:R) and has a network attack vector, making it moderately exploitable in real-world scenarios.
A vulnerability in the CLI of Cisco Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) could allow an authenticated, local attacker with administrative privileges to perform a command injection attack on the underlying operating system and elevate privileges to root. This vulnerability is due to insufficient validation of user supplied input. An attacker could exploit this vulnerability by providing crafted input to a specific CLI command. A successful exploit could allow the attacker to elevate their privileges to root on the underlying operating system.
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in HashThemes Mini Ajax Cart for WooCommerce allows Stored XSS.This issue affects Mini Ajax Cart for WooCommerce: from n/a through 1.3.4.
LDAP injection in Bouncy Castle BC-JAVA bcprov module (versions 1.49 through 1.83) allows remote unauthenticated attackers to manipulate LDAP queries via specially crafted input to LDAPStoreHelper.java, enabling complete compromise of confidentiality, integrity, and availability across security boundaries. This critical vulnerability (CVSS 10.0) affects a widely deployed cryptographic library used throughout the Java ecosystem. No active exploitation confirmed (not in CISA KEV), but the attack r
A flaw was found in GIMP. A remote attacker could exploit an integer overflow vulnerability in the FITS image loader by providing a specially crafted FITS file. This integer overflow leads to a zero-byte memory allocation, which is then subjected to a heap buffer overflow when processing pixel data. Successful exploitation could result in a denial of service (DoS) or potentially arbitrary code execution.
A flaw was found in GIMP. Processing a specially crafted PVR image file with large dimensions can lead to a denial of service (DoS). This occurs due to a stack-based buffer overflow and an out-of-bounds read in the PVR image loader, causing the application to crash. Systems that process untrusted PVR image files are affected.
A flaw was found in the System Security Services Daemon (SSSD). The pam_passkey_child_read_data() function within the PAM passkey responder fails to properly handle raw bytes received from a pipe. Because the data is treated as a NUL-terminated C string without explicit termination, it results in an out-of-bounds read when processed by functions like snprintf(). A local attacker could potentially trigger this vulnerability by initiating a crafted passkey authentication request, causing the SSSD PAM responder to crash, resulting in a local Denial of Service (DoS).
A vulnerability in the CLI of Cisco ThousandEyes Enterprise Agent could allow an authenticated, local attacker with low privileges to overwrite arbitrary files on the local system of an affected device. This vulnerability is due to improper access controls on files that are on the local file system of an affected device. An attacker could exploit this vulnerability by placing a symbolic link in a specific location on the local file system. A successful exploit could allow the attacker to bypass file system permissions and overwrite arbitrary files on the affected device.
Arbitrary WordPress action execution in Avada (Fusion) Builder plugin versions up to 3.15.1 allows authenticated attackers with Subscriber-level access to invoke unvalidated WordPress action hooks via the Dynamic Data feature, potentially enabling privilege escalation, file inclusion, denial of service, or remote code execution depending on available hooks in the WordPress installation. The vulnerability stems from the `output_action_hook()` function accepting user-controlled input without authorization checks. No public exploit code or active exploitation has been confirmed at time of analysis.
A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, potentially disclosing sensitive information or performing actions they are not permitted to do. Additionally, legitimate users may be denied access to resources.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in the @apostrophecms/color-field module, where color values prefixed with -- bypass TinyColor validation intended for CSS custom properties, and the launder.string() call performs only type coercion without stripping HTML metacharacters. These unsanitized values are then concatenated directly into <style> tags both in per-widget style elements rendered for all visitors and in the global stylesheet rendered for editors, with the output marked as safe HTML. An editor can inject a value which closes the style tag and executes arbitrary JavaScript in the browser of every visitor to any page containing the affected widget. This enables mass session hijacking, cookie theft, and privilege escalation to administrative control if an admin views draft content. This issue has been fixed in version 4.29.0.
{ '&': '&', '<': '<', '>': '>', // MISSING: '"': '"' // MISSING: "'": ''' }; ``` **Affected code files**: - `assets/js/plugins/KimaiEscape.js:24-38` - incomplete escape function - `assets/js/forms/KimaiTeamForm.js:77,86` - replacement + innerHTML - `templates/macros/widgets.html.twig:126` - `title="{{ tooltip }}"` in avatar macro - `templates/form/blocks.html.twig:104` - `{{ widgets.avatar('__INITIALS__', '__COLOR__', '__DISPLAY__') }}` [poc.zip](https://github.com/user-attachments/files/26537515/poc.zip) Please extract the uploaded compressed file before proceeding 1. ./setup.sh 2. ./poc_xss.sh <img width="751" height="155" alt="스크린샷 2026-04-07 오후 9 06 27" src="https://github.com/user-attachments/assets/c09a23fb-f60b-49dd-9018-8c723e35b4c4" /> - Stored XSS: payload persists in the database (user alias field) - Privilege escalation: ROLE_USER injects XSS that executes in ROLE_ADMIN/ROLE_SUPER_ADMIN browser session
Istio is an open platform to connect, manage, and secure microservices. In versions 1.25.0 through 1.27.8, 1.28.0 through 1.28.5, 1.29.0, and 1.29.1, the serviceAccounts and notServiceAccounts fields in AuthorizationPolicy incorrectly interpret dots (.) as a regular expression matcher. Because . is a valid character in a service account name, an AuthorizationPolicy ALLOW rule targeting a service account such as cert-manager.io also matches cert-manager-io, cert-managerXio, etc. A DENY rule targeting the same name fails to block those variants. Fixes are available in versions 1.29.2, 1.28.6, and 1.27.9.
Missing Authorization vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Tutor LMS: from n/a through <= 3.9.7.
A potential DLL hijacking vulnerability was reported in Lenovo Service Bridge that, under certain conditions, could allow a local authenticated user to execute code with elevated privileges.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the getRestQuery method of the @apostrophecms/piece-type module, where the method checks whether a MongoDB projection has already been set before applying the admin-configured publicApiProjection. An unauthenticated attacker can supply a project query parameter in the REST API request, which is processed by applyBuildersSafely before the permission check, pre-populating the projection state and causing the publicApiProjection to be skipped entirely. This allows disclosure of any field on publicly queryable documents that the administrator explicitly restricted from the public API, such as internal notes, draft content, or metadata. Exploitation is trivial, requiring only appending query parameters to a public URL with no authentication. This issue has been fixed in version 4.29.0.
A vulnerability in the authentication service feature of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass authentication policy requirements. This vulnerability is due to improper validation of user-supplied authentication input in HTTP requests. An attacker could exploit this vulnerability by sending HTTP requests that contain specific authentication requests to an affected device. A successful exploit could allow the attacker to bypass policy enforcement on the device. There is no direct impact to the Cisco Secure Web Appliance. However, as a result of exploiting this vulnerability, an attacker could send HTTP requests that should be restricted through the device.
A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections. Two inefficient multipart parsing paths could be abused with attacker-controlled input. Before the first multipart boundary, the parser handled leading CR and LF bytes inefficiently while searching for the start of the first part. After the closing boundary, the parser continued processing trailing epilogue data instead of discarding it immediately. As a result, parsing time could grow with the size of crafted data placed before the first boundary or after the closing boundary. An attacker can send oversized malformed multipart bodies that consume excessive CPU time during request parsing, reducing request-handling capacity and delaying legitimate requests. This issue degrades availability but does not typically result in a complete denial of service for the entire application. Upgrade to version `0.0.26` or later, which skips ahead to the next boundary candidate when processing leading CR/LF data and immediately discards epilogue data after the closing boundary.
Remote attackers can manipulate payment amounts in Stripe and PayPal transactions through the MetForm Pro WordPress plugin by submitting arbitrary values in the 'mf-calculation' field, bypassing price validation. Versions up to 3.9.7 are affected; the plugin fails to recompute or validate user-submitted calculation fields against configured form prices, allowing unauthenticated attackers to reduce or alter payment amounts on vulnerable forms. No active exploitation has been publicly confirmed, though the attack requires minimal complexity and produces direct financial impact.
Unauthenticated attackers can bypass field-level authorization in Advanced Custom Fields (ACF) plugin versions up to 6.7.0 via AJAX endpoints that process user-supplied filter parameters without proper privilege checks, enabling disclosure of draft, private, and restricted post/page content that should be hidden by field configuration. The vulnerability affects any WordPress site with ACF installed and frontend forms exposed, requiring only network access and no user interaction. CVSS 5.3 reflects confidentiality impact with low attack complexity; no KEV status or public POC confirmed at analysis time.
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain an authorization bypass vulnerability in the choices and counts query parameters of the REST API, where these query builders execute MongoDB distinct() operations that bypass the publicApiProjection restrictions intended to limit which fields are exposed publicly. The choices and counts parameters are processed via applyBuildersSafely before the projection is applied, and MongoDB's distinct operation does not respect projections, returning all distinct values directly. The results are returned in the API response without any filtering against publicApiProjection or removeForbiddenFields. An unauthenticated attacker can extract all distinct field values for any schema field type that has a registered query builder, including string, integer, float, select, boolean, date, slug, and relationship fields. Fields protected with viewPermission are similarly exposed, and the counts variant additionally reveals how many documents have each distinct value. Both the piece-type and page REST APIs are affected. This issue has been fixed in version 4.29.0.