| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence. |
| Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609 |
| Unauthenticated Broken Access Control in User Registration <= 5.2.2 versions. |
| Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions. |
| Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions. |
| Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions. |
| Contributor SQL Injection in wpForo Forum <= 3.0.9 versions. |
| Contributor SQL Injection in Gallery <= 4.7.8 versions. |
| Contributor Broken Access Control in Nelio Content <= 4.3.4 versions. |
| Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions. |
| Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions. |
| Contributor SQL Injection in Contest Gallery <= 30.0.0 versions. |
| An integer overflow in the PSD parser compnent of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) via supplying a crafted PSD file. |
| Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions. |
| Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions. |
| Subscriber Arbitrary File Upload in Quform <= 2.23.0 versions. |
| Unauthenticated Arbitrary File Deletion in ShortPixel Adaptive Images <= 3.11.4 versions. |
| Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, a local process in the same interactive Windows session can send a malformed WM_COPYDATA message to Notepad++ using the COPYDATA_FULL_CMDLINE path. The handler appears to process COPYDATASTRUCT.lpData as an unbounded NUL-terminated wchar_t* instead of enforcing COPYDATASTRUCT.cbData. This vulnerability is fixed in 8.9.6.1. |
| Notepad++ is a free and open-source source code editor. Prior to 8.9.6.1, the <GUIConfig name="commandLineInterpreter"> tag in config.xml is read by NppXml::value() (Parameters.cpp:6430) and stored in _nppGUI._commandLineInterpreter without any validation, whitelist, or digital signature check. When the user triggers IDM_FILE_OPEN_CMD (File → Open Containing Folder → cmd), NppCommands.cpp:228 creates a Command object with this value and calls run(), which invokes ShellExecute (RunDlg.cpp:221) with the attacker-controlled string as the executable path. This vulnerability is fixed in 8.9.6.1. |
