🚨 CVE-2026-1692
A missing origin validation in WebSockets vulnerability affects the GraphicalData web services used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in versions 12.0.0 through 16.3.3 inclusive. It might allow a remote attacker to lure a successfully authenticated user to a malicious website.
This vulnerability only affects the following two endpoints: GraphicalData/js/signalR/connect and GraphicalData/js/signalR/reconnect.
👉@cveNotify
Source: Security Bulletins | PcVue
🚨 CVE-2026-1693
The OAuth grant type Resource Owner Password Credentials (ROPC) flow is still used by the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in versions 12.0.0 through 16.3.3 inclusive, despite being deprecated. It might allow a remote attacker to steal user credentials.
👉@cveNotify
🚨 CVE-2026-1694
HTTP headers are added by the default configuration of IIS and ASP.NET, and are not removed at the deployment phase of the webservices used by the WebVue, WebScheduler, TouchVue and SnapVue features of PcVue in versions 12.0.0 through 16.3.3 inclusive. This unnecessarily exposes sensitive information about the server configuration.
👉@cveNotify
🚨 CVE-2026-1696
Some HTTP security headers are not properly set by the web server when sending responses to the client application.
👉@cveNotify
🚨 CVE-2026-29771
Netmaker makes networks with WireGuard. Prior to version 1.2.0, the /api/server/shutdown endpoint allows termination of the Netmaker server process via syscall.SIGINT. This allows any user to repeatedly shut down the server, causing cyclic denial of service with approximately 3-second restart intervals. This issue has been patched in version 1.2.0.
👉@cveNotify
Source: GitHub security advisory, "Denial of Service via Server Shutdown Endpoint"
🚨 CVE-2026-29195
Netmaker makes networks with WireGuard. Prior to version 1.5.0, the user update handler (PUT /api/users/{username}) lacks validation to prevent an admin-role user from assigning the super-admin role during account updates. While the code correctly blocks an admin from assigning the admin role to another user, it does not include an equivalent check for the super-admin role. This issue has been patched in version 1.5.0.
👉@cveNotify
Source: GitHub, Release v1.5.0 · gravitl/netmaker. Netmaker v1.5.0 Release Notes, What's New: Just-In-Time Access (beta): time-limited, on-demand network access: users request access, admins approve or deny, and grants expire automatically. ...
🚨 CVE-2026-30956
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low-privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim's password and fully take over the account. This results in cross-tenant data exposure and full account takeover. This vulnerability is fixed in 10.0.21.
👉@cveNotify
Source: GitHub, Release 10.0.21 · OneUptime/oneuptime. Commit messages: fix(logs): restructure LogsViewerToolbar layout for improved readability (fed52fe)
🚨 CVE-2026-30957
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
👉@cveNotify
🚨 CVE-2026-30958
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, an unauthenticated path traversal in the /workflow/docs/:componentName endpoint allows reading arbitrary files from the server filesystem. The componentName route parameter is concatenated directly into a file path passed to res.sendFile() in orker/FeatureSet/Workflow/Index.ts with no sanitization or authentication middleware. This vulnerability is fixed in 10.0.21.
👉@cveNotify
🚨 CVE-2026-30959
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
👉@cveNotify
🚨 CVE-2026-3483
An exposed dangerous method in Ivanti DSM before version 2026.1.1 allows a local authenticated attacker to escalate their privileges.
👉@cveNotify
🚨 CVE-2026-1965
libcurl can in some circumstances reuse the wrong connection when asked to do a Negotiate-authenticated HTTP or HTTPS request.
libcurl features a pool of recent connections so that subsequent requests can reuse an existing connection to avoid overhead.
When reusing a connection, a range of criteria must first be met. Due to a logical error in the code, a request issued by an application could wrongfully reuse an existing connection to the same server that was authenticated using different credentials. One underlying reason is that Negotiate sometimes authenticates *connections* and not *requests*, contrary to how HTTP is designed to work.
Consider an application that performs Negotiate authentication to a server (that responds wanting Negotiate) with `user1:password1` and then does another operation to the same server, also using Negotiate but with `user2:password2`, while the previous connection is still alive. The second request wrongly reused the same connection and, since it then saw that the Negotiate negotiation was already made, it just sent the request over that connection thinking it used the user2 credentials when it was in fact still using the connection authenticated for user1.
The set of authentication methods to use is set with `CURLOPT_HTTPAUTH`.
Applications can disable libcurl's reuse of connections and thus mitigate this problem by using one of the following libcurl options to alter how connections are or are not reused: `CURLOPT_FRESH_CONNECT`, `CURLOPT_MAXCONNECTS` and `CURLMOPT_MAX_HOST_CONNECTIONS` (if using the curl_multi API).
👉@cveNotify
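The reuse criteria the advisory describes, as an added example that is not libcurl's code: a toy connection pool in C with the flawed host/port-only match beside a corrected match that also requires the scheme and credentials to agree when the scheme authenticates the connection. All struct and function names are hypothetical and the pool contents are constructed.

```c
/* Added example, not libcurl's code: a minimal model of connection-pool reuse
 * criteria, showing why a scheme that authenticates the *connection* (Negotiate)
 * must keep the credentials in the match key. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum auth_scheme { AUTH_NONE, AUTH_BASIC, AUTH_NEGOTIATE };

struct conn {
    const char *host;
    int port;
    enum auth_scheme scheme;   /* scheme that authenticated this connection */
    const char *user;          /* credentials bound to the connection */
    bool in_use;
};

struct request { const char *host; int port; enum auth_scheme scheme; const char *user; };

/* True for schemes whose auth state lives on the TCP connection, not in each request. */
static bool auth_is_connection_bound(enum auth_scheme s) {
    return s == AUTH_NEGOTIATE;
}

/* The logical error described in the advisory, modelled: matching only on
 * host/port lets a request for user2 ride a connection authenticated as user1. */
bool reuse_ok_flawed(const struct conn *c, const struct request *r) {
    return !c->in_use && c->port == r->port && strcmp(c->host, r->host) == 0;
}

/* Corrected criteria: when either side uses a connection-bound scheme, the
 * scheme and the credentials must both match, otherwise open a new connection. */
bool reuse_ok_fixed(const struct conn *c, const struct request *r) {
    if (c->in_use || c->port != r->port || strcmp(c->host, r->host) != 0)
        return false;
    if (auth_is_connection_bound(c->scheme) || auth_is_connection_bound(r->scheme))
        return c->scheme == r->scheme && c->user && r->user &&
               strcmp(c->user, r->user) == 0;
    return true;
}

/* Pick a pooled connection for r under the given policy, or -1 for a fresh one. */
int pick_connection(const struct conn *pool, int n, const struct request *r,
                    bool (*policy)(const struct conn *, const struct request *)) {
    for (int i = 0; i < n; i++)
        if (policy(&pool[i], r))
            return i;
    return -1;
}

/* Advisory scenario: an idle connection authenticated as user1 via Negotiate,
 * then a new Negotiate request for `user` to the same server (constructed data). */
int scenario_negotiate(const char *user,
                       bool (*policy)(const struct conn *, const struct request *)) {
    const struct conn pool[1] = {{"intranet.example", 443, AUTH_NEGOTIATE, "user1", false}};
    const struct request r = {"intranet.example", 443, AUTH_NEGOTIATE, user};
    return pick_connection(pool, 1, &r, policy);
}

int main(void) {
    printf("user2, flawed policy -> reuses pool index %d\n", scenario_negotiate("user2", reuse_ok_flawed));
    printf("user2, fixed policy  -> %d (opens a new connection)\n", scenario_negotiate("user2", reuse_ok_fixed));
    return 0;
}
```

In libcurl itself the equivalent defensive choice for an application on an unfixed version is the `CURLOPT_FRESH_CONNECT` route the advisory lists, which skips the pool entirely for that transfer.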
🚨 CVE-2026-3783
When an OAuth2 bearer token is used for an HTTP(S) transfer, and that transfer performs a redirect to a second URL, curl could leak that token to the second hostname under some circumstances.
If the hostname that the first request is redirected to has information in the used .netrc file, with either of the `machine` or `default` keywords, curl would pass on the bearer token set for the first host also to the second one.
👉@cveNotify
🚨 CVE-2026-3784
curl would wrongly reuse an existing HTTP proxy connection doing CONNECT to a server, even if the new request uses different credentials for the HTTP proxy. The proper behavior is to create or use a separate connection.
👉@cveNotify
🚨 CVE-2026-3805
When doing a second SMB request to the same host again, curl would wrongly use a data pointer pointing into already freed memory.
👉@cveNotify
🚨 CVE-2020-36731
The Flexible Checkout Fields for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Plugin Settings update, in addition to Stored Cross-Site Scripting in versions up to, and including, 2.3.1. This is due to missing authorization checks on the updateSettingsAction() function which is called via an admin_init hook, along with missing sanitization and escaping on the settings that are stored.
👉@cveNotify
Source: NinTechNet's updates and security announcements, "Zero-day vulnerability fixed in WordPress Flexible Checkout Fields for WooCommerce plugin": the plugin, which has 20,000+ active installations, fixed a critical zero-day vulnerability affecting version 2.3.1 and below.
🚨 CVE-2023-32624
Cross-site scripting vulnerability in TS Webfonts for SAKURA 3.1.0 and earlier allows a remote unauthenticated attacker to inject an arbitrary script.
👉@cveNotify
Source: WordPress.org (Japanese), plugin page "TS Webfonts for さくらのレンタルサーバ": a plugin that lets you use 33 web fonts provided by Morisawa Inc. free of charge on SAKURA rental servers.
🚨 CVE-2024-37800
CodeProjects Restaurant Reservation System v1.0 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the Date parameter at index.php.
👉@cveNotify
Source: Source Code & Projects, "Restaurant Reservation System In PHP With Source Code"
🚨 CVE-2024-11089
The Anonymous Restricted Content plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.6.5 via the WordPress core search feature. This makes it possible for unauthenticated attackers to extract sensitive data from posts that have been restricted to logged-in users.
👉@cveNotify
🚨 CVE-2026-1697
The Secure and SameSite cookie attributes are missing in the GraphicalData web services and WebClient web app of PcVue in versions 12.0.0 through 16.3.3 inclusive.
👉@cveNotify
🚨 CVE-2026-1698
An HTTP Host header attack vulnerability affects the WebClient and WebScheduler web apps of PcVue in versions 15.0.0 through 16.3.3 inclusive, allowing a remote attacker to inject harmful payloads that manipulate server-side behavior.
This vulnerability only affects the endpoints /Authentication/ExternalLogin, /Authentication/AuthorizationCodeCallback and /Authentication/Logout of the WebClient and WebScheduler web apps.
👉@cveNotify