Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.0.14, cross-site GET request can trigger stored cron commands on a victim's agents. This issue has been patched in version 2.0.14.

@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts

@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened

@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket

@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name

@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by obtaining the client's process identifier and...

Slate Digital Connect 1.37.0 for macOS installs a privileged helper tool, com.slatedigital.connect.privileged.helper.tool, which exposes the XPC service com.slatedigital.connect.privileged.helper.tool2. The helper validates connecting XPC clients by checking only the subject.OU value of the client&#...

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it pos...

The Anti-Spam by CleanTalk. Spam protection WordPress plugin before 6.79 does not properly sanitize content within a custom shortcode used in its email-encoding feature, allowing unauthenticated attackers to inject arbitrary web scripts into approved comments that will execute when any user (includi...

The Xstore WordPress theme before 9.7.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection

A local privilege escalation vulnerability was found in the ansible.posix authorized_key module. The module's keyfile() function uses os.chown() instead of os.lchown() and opens files without O_NOFOLLOW when managing SSH authorized keys. An unprivileged local user can pre-stage symbolic links i...

A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243...

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5....

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the follow...

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5....

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20...

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the f...