Plane is open-source project management software. Versions prior to 0.23 have insecure permissions in UserSerializer that allows users to change fields that are meant to be read-only, such as email. T...

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the...

In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /ap...

A security vulnerability was discovered in Moodle that allows anyone to duplicate existing tours without needing to log in due to a lack of protection against cross-site request forgery (CSRF) attacks...

The Newsletter WordPress plugin before 8.7.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even...

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks ...

The SureForms WordPress plugin before 1.4.4 does not sanitise and escape some of its Form settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks ...

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks eve...

The WP Maps WordPress plugin before 4.7.2 does not sanitise and escape some of its Map settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks eve...

AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. The AutoGPT Platform's WebSocket API transmitted node e...

Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). The supported version that is affected is 11. Easily exploitable vulnerability allows low pr...

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 10.10.0 and prior to version 11.5.0, a suspended user can use the token generated in session auth m...

The WhatsApp cloud service before late 2024 did not block certain crafted PDF content that can defeat a sandbox protection mechanism and consequently allow remote access to messaging applications by t...

Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication a...

Under certain conditions, an SSRF vulnerability in SAP CRM and SAP S/4HANA (Interaction Center) allows an attacker with low privileges to access restricted information. This flaw enables the attacker ...

Improper Neutralization of Special Elements Used in a Template Engine vulnerability in Apache OFBiz. This issue affects Apache OFBiz: from 18.12.17 before 18.12.18. It's a regression between 18.12.17 ...

A buffer overflow vulnerability was discovered in TP-Link TL-WR841ND V11 via the 'gw' parameter at /userRpm/WanDynamicIpV6CfgRpm.htm. This vulnerability allows attackers to cause a Denial of Service (...

OpenProject is open-source, web-based project management software. In versions prior to 15.2.1, the application fails to properly sanitize user input before displaying it in the Group Management secti...

Adobe Commerce versions 2.4.8-beta1, 2.4.7-p3, 2.4.6-p8, 2.4.5-p10, 2.4.4-p11 and earlier are affected by an Improper Access Control vulnerability that could result in a Security feature bypass allowi...

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Mediawiki - GlobalBlocking Extension allows Retrieve Embedded Sensitive Data. This issue briefly impact...

EDK2 contains a vulnerability in BIOS where a user may cause an Integer Overflow or Wraparound by network means. A successful exploitation of this vulnerability may lead to denial of service.

Mattermost versions 10.x <= 10.2 fail to accurately reflect missing settings, which allows confusion for admins regarding a Calls security-sensitive configuration via incorrect UI reporting.

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...

The GDPR Cookie Compliance WordPress plugin before 4.15.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting...