| CVE | Vendors | Products | Updated | CVSS v3.1 |
| The Frontend File Manager Plugin WordPress plugin through 23.6 does not properly verify ownership of every targeted post before permanent deletion, allowing authenticated users with author-level access and above to permanently delete arbitrary posts and pages. When the Frontend File Manager Plugin WordPress plugin through 23.6's "Allow guest uploads" setting is enabled by an administrator, the same deletion primitive becomes reachable by unauthenticated users. |
| Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence. |
| Mattermost Plugins versions <=11.6 10.18.11 11.3.6 11.6.5.0 fail to sanitize error responses from the OpenAI API before logging, which allows a user with access to server logs or support packets to obtain a valid or partially reconstructable OpenAI API key via inspection of mattermost.log entries generated during authentication failures. Mattermost Advisory ID: MMSA-2026-00609 |
| Unauthenticated Broken Access Control in User Registration <= 5.2.2 versions. |
| Subscriber Sensitive Data Exposure in Site Reviews <= 8.0.11 versions. |
| Unauthenticated Cross Site Scripting (XSS) in weMail <= 2.1.2 versions. |
| Contributor Cross Site Scripting (XSS) in StatCounter <= 2.1.1 versions. |
| Contributor SQL Injection in wpForo Forum <= 3.0.9 versions. |
| Contributor SQL Injection in Gallery <= 4.7.8 versions. |
| Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, the previewFileFromExecution endpoint (GET /api/v1/{tenant}/executions/{executionId}/file/preview) contains an access control bypass that allows any authenticated user to read output files from any other execution within the same tenant, bypassing execution-level and namespace-level isolation. This vulnerability is fixed in 1.0.45 and 1.3.21. |
| Contributor Broken Access Control in Nelio Content <= 4.3.4 versions. |
| Contributor Cross Site Scripting (XSS) in Magazine Blocks <= 1.8.3 versions. |
| Administrator Arbitrary File Upload in TemplateSpare <= 4.2.0 versions. |
| Contributor SQL Injection in Contest Gallery <= 30.0.0 versions. |
| Budibase is an open-source low-code platform. Prior to 3.39.9, authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through node-fetch. Since the validated IPs are never pinned to the connection, an attacker-controlled hostname can return a public IP during validation and a private/internal IP during the real connection. This results in a non-blind SSRF primitive against internal services reachable from the Budibase host, including loopback, RFC1918 ranges, and cloud metadata endpoints. This vulnerability is fixed in 3.39.9. |
| An integer overflow in the PSD parser component of FastStone Image Viewer v8.3 allows attackers to execute arbitrary code or cause a Denial of Service (DoS) by supplying a crafted PSD file. |
| Teable's v2 REST API controller lacks @Permissions metadata on ORPC endpoints, allowing any authenticated user to bypass authorization checks. Attackers can read table schemas, create tables, and modify or delete records across bases and tables via endpoints like GET /api/v2/tables/get and POST /api/v2/tables/updateRecords. |
| Subscriber Insecure Direct Object References (IDOR) in SupportCandy <= 3.4.6 versions. |
| Unauthenticated SQL Injection in GeoDirectory <= 2.8.162 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Responsive Lightbox <= 2.7.6 versions. |