Archives
All the articles I've archived.
-
[CVE-2025-11368] LearnPress REST Endpoint Leaks Quiz Answers and Other Confidential Course Content
A missing capability check in a LearnPress REST route lets anyone harvest curriculum HTML, quiz questions and their correct answers without logging in.
-
[CVE-2025-63889] ThinkPHP 5.0.24 Lets Attackers Read Any File on the Server
A directory traversal flaw in ThinkPHP’s template engine allows unauthenticated users to pull arbitrary files, including configuration secrets, straight from disk.
-
[CVE-2025-63888] ThinkPHP 5.0.24 Template File Inclusion Drops a Remote Shell
A path-traversal flaw in ThinkPHP’s File template driver lets unauthenticated attackers include arbitrary files and execute embedded PHP. Proof-of-concept code is public and exploitation requires only the ability to upload a file.
-
[CVE-2025-64502] Parse Server Leaks MongoDB Query Plans to Anyone Without a Master Key
All Parse Server releases before 8.5.0-alpha.5 accept the `explain` flag on any query, even when no master key is provided. That single flag exposes index definitions, execution time estimates and other metadata that make privilege-escalation and performance-degradation attacks much easier.
-
[CVE-2025-12197] The Events Calendar WordPress Plugin Blind SQL Injection Exposes Site Databases
Unauthenticated SQL injection in a widely installed WordPress events plugin lets attackers exfiltrate data through crafted search requests. Updating to version 6.15.10 closes the hole.
-
[CVE-2025-12642] lighttpd Trailer Handling Bug Enables HTTP Header Smuggling
lighttpd 1.4.80 merges disallowed HTTP trailer fields into the request header block. Attackers can abuse the flaw for header smuggling that bypasses access controls or poisons backend requests.
-
[CVE-2025-62792] Wazuh Buffer Over-Read Lets Compromised Agents Sneak a Peek at Manager Memory
A flaw in Wazuh’s expression-matching routine lets a rogue or already-compromised agent read past the end of a heap buffer on the manager. While the bug stops short of code execution, it can leak log data or configuration secrets that help attackers move laterally.
-
[CVE-2025-11372] Unauthenticated REST call in LearnPress lets anyone reshape your WordPress database
All LearnPress versions up to 4.2.9.3 register an admin-only REST endpoint with a permissive permission callback. Any Internet user can drop or create indexes on arbitrary database tables, including wp_options, and grind a site to a halt.
-
[CVE-2025-9083] Unauthenticated PHP Object Injection in Ninja Forms Hands WordPress Attackers the Keys
A flaw in the Repeatable Fieldset component lets anyone send a crafted form submission that Ninja Forms unserializes. If a gadget chain exists on the site, the attacker can pivot to remote code execution without logging in.
-
[CVE-2025-51586] PrestaShop Admin Login Controller Leaks Administrator Emails
A logic error in the password-reset flow of PrestaShop Back Office lets anyone enumerate administrator accounts and harvest their email addresses. A simple loop over numeric IDs is all that is required.
-
[CVE-2025-58056] Netty’s lenient chunk extension parsing opens the door to HTTP request smuggling
Netty 4.1.124.Final and 4.2.0.Alpha3 through 4.2.4.Final accept an LF on its own as the terminator for chunk extensions. A single byte is enough to desynchronise upstream and backend parsers, letting attackers smuggle hidden requests through proxy chains.
-
[CVE-2025-50707] ThinkPHP 3 File Inclusion Lets Attackers Execute Arbitrary Code
A template-handling flaw in ThinkPHP 3.2.5 lets remote users include and run server-side files without authentication, leading to full remote code execution.
-
[CVE-2025-54571] ModSecurity Content-Type Confusion Exposes Script Source and Enables Stored XSS
For more than a decade ModSecurity has sat between Apache and the open internet. A subtle error in its error-handling path lets attackers override the Content-Type header after a parsing failure, resulting in plain-text leakage of protected scripts and reliable cross-site scripting in every version up to 2.9.11.
-
[CVE-2025-50706] From Local File Inclusion to Remote Code Execution in ThinkPHP 5.1
A flaw in ThinkPHP 5.1 lets unauthenticated attackers include arbitrary files, pivoting to full code execution on the web server. Because ThinkPHP backs many Chinese-language CMS and e-commerce platforms, the blast radius is wide.
-
[CVE-2025-54576] OAuth2-Proxy skip_auth_routes Lets Attackers Walk Straight Past the Login Screen
A design flaw in OAuth2-Proxy versions up to 7.10.0 means the skip_auth_routes option is applied to the full URL, not just the path. By adding crafted query parameters an attacker can bypass authentication completely.
-
[CVE-2024-43018] SQL Injection in Piwigo’s User Management Lets Attackers Read or Tamper with Gallery Data
The admin-side user list in Piwigo up to 13.8.0 passes two search parameters directly to MySQL. A single quote is enough to dump the photo gallery’s user table or modify it, and a public proof of concept is already on GitHub.
-
[CVE-2025-54352] WordPress XML-RPC Pingback Leaks Titles of Private and Draft Posts
A flaw in the longstanding pingback feature exposes the titles of unpublished WordPress content to the internet. An attacker needs nothing more than access to xmlrpc.php to enumerate every confidential headline.
-
[CVE-2025-49005] Cache-poisoning in Next.js App Router swaps HTML for raw React code
A header mismatch in Next.js 15.3.0-15.3.2 and Vercel CLI 41.4.1-42.2.0 lets browsers or intermediate CDNs cache React Server Component streams where HTML was expected, breaking pages and opening the door to response-smuggling tricks.
-
[CVE-2025-34039] Yonyou UFIDA NC BeanShell Servlet Hands Over Remote Code Execution
A forgotten BeanShell test servlet inside Yonyou UFIDA NC up to 6.5 lets unauthenticated users inject Java code and run operating-system commands. Although the framework is popular mainly in mainland China, many ERP deployments expose the vulnerable endpoint to the internet.
-
[CVE-2025-49125] Apache Tomcat Pre/Post-Resource Authentication Bypass Exposes Protected Content
Mounting PreResources or PostResources outside the root path lets attackers reach files through an alternate URL that ignores security constraints, undermining Java web application access control.
-
[CVE-2025-48827] vBulletin’s Reflection Mix-up Lets Anyone Reach Protected API Methods
When vBulletin runs on PHP 8.1 or later, a change in the Reflection API breaks the application’s access controls. Unauthenticated attackers can call protected controller methods, a primitive that has already been chained to remote code execution in the wild.
-
[CVE-2025-47276] Actualizer Uses Weak SHA-512 Password Hashing in Generated Debian Images
Actualizer versions below 1.2.0 hard-code the OpenSSL -passwd option for root and alpha accounts, producing fast SHA-512 hashes that modern GPUs can brute-force in hours. Upgrading to 1.2.0 and resetting both passwords replaces the insecure hashes with Yescrypt.
-
[CVE-2025-4396] Unauthenticated SQL Injection in Relevanssi Gives Attackers a Direct Line to Your WordPress Database
A logic flaw in the popular Relevanssi search plugin lets anyone craft time-based SQL queries through public search parameters. The bug leaks or modifies WordPress data without needing an account.
-
[CVE-2025-46814] FastAPI Guard’s X-Forwarded-For Handling Lets Attackers Impersonate Trusted IPs
Versions of the fastapi-guard authentication library prior to 2.0.0 trust the X-Forwarded-For header without proper validation. A single crafted request is enough to bypass IP allow-lists and poison audit logs.
-
[CVE-2025-32433] Erlang/OTP SSH Authentication Bypass Gives Attackers a Direct Shell
A logic error in Erlang/OTP's SSH server lets anyone run remote commands before authentication finishes. Because many networking appliances embed Erlang, the blast radius spans far beyond developer machines.
-
[CVE-2025-11517] Free Tickets for Sale – How a Logic Error Skips Payment in WordPress Event Tickets
A missing price check in Event Tickets up to 5.26.5 lets anyone create orders for paid tickets through the plugin’s “free commerce” REST endpoint. Site owners lose revenue and occupancy control, while attackers walk in for nothing.