π¨ CVE-2026-3487
A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Performing a manipulation of the argument course_code results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
π@cveNotify
A vulnerability was found in itsourcecode College Management System 1.0. This issue affects some unknown processing of the file /admin/class-result.php. Performing a manipulation of the argument course_code results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
π@cveNotify
GitHub
itsourcecode College Management System V1.0 SQL Injection Vulnerability Β· Issue #8 Β· ltranquility/cve_submit
itsourcecode College Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) College Management System Vendor Homepage https://itsourcecode.com/free-projects/php-project/coll...
π¨ CVE-2025-54236
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
π@cveNotify
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
π@cveNotify
Adobe
Adobe Security Bulletin
Security Updates Available for Adobe Commerce | APSB25-88
π¨ CVE-2026-27946
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
π@cveNotify
ZITADEL is an open source identity management platform. Prior to versions 4.11.1 and 3.4.7, a vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process. The patch in versions 4.11.1 and 3.4.7 resolves the issue by requiring the correct permission in case the verification flag is provided and only allows self-management of the email address and/or phone number itself. If an upgrade is not possible, an action (v2) could be used to prevent setting the verification flag on the own user.
π@cveNotify
GitHub
Users Can Self-Verify Email/Phone via UpdateHumanUser API
### Summary
A vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process.
### Impac...
A vulnerability in Zitadel's self-management capability allowed users to mark their email and phone as verified without going through an actual verification process.
### Impac...
π¨ CVE-2026-27901
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
π@cveNotify
Svelte performance oriented web framework. Prior to version 5.53.5, the contents of `bind:innerText` and `bind:textContent` on `contenteditable` elements were not properly escaped. This could enable HTML injection and Cross-Site Scripting (XSS) if rendering untrusted data as the binding's initial value on the server. Version 5.53.5 fixes the issue.
π@cveNotify
GitHub
Merge commit from fork Β· sveltejs/svelte@0df5abc
* fix: escape `innerText` and `textContent` bindings of `contenteditable`
* fix: better if else structure
* fix: better if else structure
π¨ CVE-2026-27902
Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
π@cveNotify
Svelte performance oriented web framework. Prior to version 5.53.5, errors from `transformError` were not correctly escaped prior to being embedded in the HTML output, causing potential HTML injection and XSS if attacker-controlled content is returned from `transformError`. Version 5.53.5 fixes the issue.
π@cveNotify
GitHub
Merge commit from fork Β· sveltejs/svelte@0298e97
* fix: sanitize `transformError` values prior to embedding in HTML comments
* did a little dumb
* did a little dumb
π¨ CVE-2026-28423
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLsβeither via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLsβeither via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
GitHub
Release v5.73.11 Β· statamic/cms
This release contains a potentially breaking change for the sake of security.
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
π¨ CVE-2026-28424
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtypeβs data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, user email addresses were included in responses from the user fieldtypeβs data endpoint for control panel users who did not have the "view users" permission. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
GitHub
Release v5.73.11 Β· statamic/cms
This release contains a potentially breaking change for the sake of security.
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
π¨ CVE-2026-28425
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled contentβfor example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
π@cveNotify
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, an authenticated control panel user with access to Antlers-enabled inputs may be able to achieve remote code execution in the application context. That can lead to full compromise of the application, including access to sensitive configuration, modification or exfiltration of data, and potential impact on availability. Exploitation is only possible where Antlers runs on user-controlled contentβfor example, content fields with Antlers explicitly enabled (requiring permission to configure fields and to edit entries), built-in config that supports Antlers such as Forms email notification settings (requiring configuration permission), or third-party addons that add Antlers-enabled fields to entries (for example, the SEO Pro addon). In each case the attacker must have the relevant control panel permissions. This has been fixed in 5.73.11 and 6.4.0. Users of addons that depend on Statamic should ensure that after updating they are running a patched Statamic version.
π@cveNotify
GitHub
Release v5.73.11 Β· statamic/cms
This release contains a potentially breaking change for the sake of security.
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
π¨ CVE-2026-28426
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, stored XSS vulnerability in svg and icon related components allow authenticated users with appropriate permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This has been fixed in 5.73.11 and 6.4.0.
π@cveNotify
GitHub
Release v5.73.11 Β· statamic/cms
This release contains a potentially breaking change for the sake of security.
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
What's fixed
Antlers hardening (Breaking: See PR for upgrade notes) #14092 by @jasonvarga
External Glide URL valid...
π¨ CVE-2025-59785
Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.
This vulnerability can only be exploited after authenticating with administrator privileges.
π@cveNotify
Improper validation of API end-point in 2N Access Commander version 3.4.2 and prior allows attacker to bypass password policy for backup file encryption.
This vulnerability can only be exploited after authenticating with administrator privileges.
π@cveNotify
π¨ CVE-2025-59786
2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.
π@cveNotify
2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application.
π@cveNotify
π¨ CVE-2025-12543
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
π@cveNotify
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed or malicious Host headers are processed without rejection, enabling attackers to poison caches, perform internal network scans, or hijack user sessions.
π@cveNotify
π¨ CVE-2025-64999
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
π@cveNotify
Improper neutralization of input in Checkmk versions 2.4.0 before 2.4.0p22, and 2.3.0 before 2.3.0p43 allows an attacker that can manipulate a host's check output to inject malicious JavaScript into the Synthetic Monitoring HTML logs, which can then be accessed via a crafted phishing link.
π@cveNotify
Checkmk
Werk #19238: Fix cross-site scripting (XSS) vulnerability in HTML logs of Synthetic Monitoring test services
The Checkmk UI renders the HTML logs of Synthetic Monitoring test services.
This functionality was vulnerable to cross-site scripting attacks via dedicated phishing links
This functionality was vulnerable to cross-site scripting attacks via dedicated phishing links
π¨ CVE-2025-64427
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
π@cveNotify
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
π@cveNotify
GitHub
Server-Side Request Forgery (SSRF)
### Summary
Due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private n...
Due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private n...
π¨ CVE-2026-28286
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
π@cveNotify
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
π@cveNotify
GitHub
ZimaOS v1.5.2-beta3 - Unauthorized Creation of Files/Folders in Restricted System Directories via API
**Vulnerability Overview**
During testing, it was observed that the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths.
Howe...
During testing, it was observed that the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths.
Howe...
π¨ CVE-2026-2590
Improper
enforcement of the Disable password saving in vaults setting in the
connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries,
potentially exposing sensitive information to other users, by creating
or editing certain connection types while password saving is disabled.
π@cveNotify
Improper
enforcement of the Disable password saving in vaults setting in the
connection entry component in Devolutions Remote Desktop Manager 2025.3.30 and earlier allows an authenticated user to persist credentials in vault entries,
potentially exposing sensitive information to other users, by creating
or editing certain connection types while password saving is disabled.
π@cveNotify
Devolutions
advisories
Stay informed with Devolutions' latest security advisories on vulnerabilities, threats, and incident responses to enhance your cybersecurity posture.
π¨ CVE-2026-3204
Improper
input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
π@cveNotify
Improper
input validation in the error message page in Devolutions Server 2025.3.16 and earlier allows remote attackers to spoof the displayed error message via a specially crafted URL.
π@cveNotify
Devolutions
advisories
Stay informed with Devolutions' latest security advisories on vulnerabilities, threats, and incident responses to enhance your cybersecurity posture.
π¨ CVE-2026-28554
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
π@cveNotify
wpForo Forum 2.4.14 contains a missing authorization vulnerability that allows authenticated subscribers to approve or unapprove any forum post via the wpforo_approve_ajax AJAX handler. Attackers exploit the nonce-only check by submitting a valid nonce with an arbitrary post ID to bypass moderation controls entirely.
π@cveNotify
WordPress.org
wpForo Forum
Number one WordPress forum plugin. Full-fledged forum solution with modern and responsive forum design. Community builder WordPress forum plugin.
π¨ CVE-2026-28561
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
π@cveNotify
wpForo Forum 2.4.14 contains a stored cross-site scripting vulnerability that allows administrators to inject persistent JavaScript via forum description fields echoed without output escaping across multiple theme template files. On multisite installations or with a compromised admin account, attackers set a forum description containing HTML event handlers that execute when any user views the forum listing.
π@cveNotify
WordPress.org
wpForo Forum
Number one WordPress forum plugin. Full-fledged forum solution with modern and responsive forum design. Community builder WordPress forum plugin.
π¨ CVE-2026-28562
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
π@cveNotify
wpForo 2.4.14 contains an unauthenticated SQL injection vulnerability in Topics::get_topics() where the ORDER BY clause relies on ineffective esc_sql() sanitization on unquoted identifiers. Attackers exploit the wpfob parameter with CASE WHEN payloads to perform blind boolean extraction of credentials from the WordPress database.
π@cveNotify
WordPress.org
wpForo Forum
Number one WordPress forum plugin. Full-fledged forum solution with modern and responsive forum design. Community builder WordPress forum plugin.
π¨ CVE-2026-27441
SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution.
π@cveNotify
SEPPmail Secure Email Gateway before version 15.0.1 insufficiently neutralizes the PDF encryption password, allowing OS command execution.
π@cveNotify