Unknown · CVSS Not scored
Insecure Permissions vulnerability in JumpServer GPLv3 v.3.8.0 allows a remote attacker to execute arbitrary code via bypassing the command filtering function. NOTE: this is disputed because command filtering is not intended to restrict what code can be run by authorized users who are allowed to execute files.
Published Nov 28, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An issue in TOTOlink A3700R v.9.1.2u.6134_B20201202 allows a local attacker to execute arbitrary code via the setTracerouteCfg function.
Published Nov 20, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
An heap overflow vulnerability was discovered in Bytecode alliance wasm-micro-runtime v.1.2.3 allows a remote attacker to cause a denial of service via the wasm_loader_prepare_bytecode function in core/iwasm/interpreter/wasm_loader.c.
Published Nov 22, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
PyPinkSign v0.5.1 uses a non-random or static IV for Cipher Block Chaining (CBC) mode in AES encryption. This vulnerability can lead to the disclosure of information and communications.
Published Nov 16, 2023 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in lmxcms v.1.41 allows a remote attacker to execute arbitrary code via a crafted script to the admin.php file.
Published Nov 2, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Sangoma Technologies FreePBX before cdr 15.0.18, 16.0.40, 15.0.16, and 16.0.17 was discovered to contain an access control issue via a modified parameter value, e.g., changing extension=self to extension=101.
Published Nov 2, 2023 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
Published Nov 7, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain a command injection vulnerability via the NetHostname parameter.
Published Nov 29, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Zumtobel Netlink CCD Onboard 3.74 - Firmware 3.80 was discovered to contain hardcoded credentials for the Administrator account.
Published Nov 29, 2023 · Updated Jul 9, 2026
Unknown · CVSS Not scored
Zumtobel Netlink CCD Onboard v3.74 - Firmware v3.80 was discovered to contain a buffer overflow via the component NetlinkWeb::Information::SetDeviceIdentification.
Published Nov 29, 2023 · Updated Jul 5, 2026
High · CVSS 7.5
joaquimserafim/json-web-token is a javascript library use to interact with JSON Web Tokens (JWT) which are a compact URL-safe means of representing claims to be transferred between two parties. Versions prior to 4.0.0 are vulnerable to a JWT algorithm confusion attack. On line 86 of the 'index.js' file, the algorithm to use for verifying the signature of the JWT token is taken from the JWT token, which at that point is still unverified and thus shouldn't be trusted. To exploit this vulnerability, an attacker needs to craft a malicious JWT token containing the HS256 algorithm, signed with the public RSA key of the victim application. This attack will only work against this library is the RS256 algorithm is in use, however it is a best practice to use that algorithm. Version 4.0.0 fixes the issue.
Published Nov 17, 2023 · Updated Jun 8, 2026
Low · CVSS 3.1
An issue has been discovered in GitLab EE with Advanced Search affecting all versions from 13.9 to 16.3.6, 16.4 prior to 16.4.2 and 16.5 prior to 16.5.1 that could allow a denial of service in the Advanced Search function by chaining too many syntax operators.
Published Nov 6, 2023 · Updated Jun 4, 2026
Medium · CVSS 5.5
Multiple vulnerabilities in Cisco Secure Client Software, formerly AnyConnect Secure Mobility Client, could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. These vulnerabilities are due to an out-of-bounds memory read from Cisco Secure Client Software. An attacker could exploit these vulnerabilities by logging in to an affected device at the same time that another user is accessing Cisco Secure Client on the same system, and then sending crafted packets to a port on that local host. A successful exploit could allow the attacker to crash the VPN Agent service, causing it to be unavailable to all users of the system. To exploit these vulnerabilities, the attacker must have valid credentials on a multi-user system.
Published Nov 22, 2023 · Updated Jun 2, 2026
Low · CVSS 3.7
An issue has been discovered in GitLab CE/EE affecting all versions starting from 16.0 before 16.3.6, all versions starting from 16.4 before 16.4.2, and all versions starting from 16.5.0 before 16.5.1 which have the `super_sidebar_logged_out` feature flag enabled. Affected versions with this default-disabled feature flag enabled may unintentionally disclose GitLab version metadata to unauthorized actors.
Published Nov 6, 2023 · Updated Jun 2, 2026
High · CVSS 8.1
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 prior to 16.2.8, 16.3 prior to 16.3.5, and 16.4 prior to 16.4.1. Code owner approval was not removed from merge requests when the target branch was updated.
Published Nov 9, 2023 · Updated Jun 2, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veon Computer Service Tracking Software allows SQL Injection.
This issue affects Service Tracking Software: before crm 2.0.
Published Nov 22, 2023 · Updated May 22, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Veribilim Software Computer Veribase allows SQL Injection.
This issue affects Veribase: through 20231123.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 23, 2023 · Updated May 22, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Medart Health Services Medart Notification Panel allows SQL Injection.
This issue affects Medart Notification Panel: through 20231123.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 23, 2023 · Updated May 22, 2026
Medium · CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in KC Group E-Commerce Software allows Reflected XSS.
This issue affects E-Commerce Software: through 20231123.
NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Published Nov 23, 2023 · Updated May 21, 2026
High · CVSS 7.5
Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Botanik Software Pharmacy Automation allows Retrieve Embedded Sensitive Data.
This issue affects Pharmacy Automation: before 2.1.133.0.
Published Nov 22, 2023 · Updated May 20, 2026
Medium · CVSS 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DECE Software Geodi allows Stored XSS.
This issue affects Geodi: before 8.0.0.27396.
Published Nov 22, 2023 · Updated May 20, 2026
High · CVSS 7.1
Improper Enforcement of Behavioral Workflow vulnerability in DECE Software Geodi allows Functionality Bypass.
This issue affects Geodi: before 8.0.0.27396.
Published Nov 22, 2023 · Updated May 20, 2026
High · CVSS 7.5
Path Traversal: '/../filedir' vulnerability in Neutron IP Camera allows Absolute Path Traversal.
This issue affects IP Camera: before b1130.1.0.1.
Published Nov 23, 2023 · Updated May 20, 2026
High · CVSS 7.5
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.
This issue affects e-municipality module: before v.105.
Published Nov 28, 2023 · Updated May 20, 2026
High · CVSS 7.5
Incorrect Use of Privileged APIs vulnerability in ESKOM Computer e-municipality module allows Collect Data as Provided by Users.
This issue affects e-municipality module: before v.105.
Published Nov 28, 2023 · Updated May 20, 2026
High · CVSS 8.8
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Univera Computer System Panorama allows Command Injection.
This issue affects Panorama: before 8.0.
Published Nov 28, 2023 · Updated May 20, 2026
Unknown · CVSS Not scored
In the Linux kernel, the following vulnerability has been resolved:
bpf: support non-r10 register spill/fill to/from stack in precision tracking
Use instruction (jump) history to record instructions that performed
register spill/fill to/from stack, regardless if this was done through
read-only r10 register, or any other register after copying r10 into it
*and* potentially adjusting offset.
To make this work reliably, we push extra per-instruction flags into
instruction history, encoding stack slot index (spi) and stack frame
number in extra 10 bit flags we take away from prev_idx in instruction
history. We don't touch idx field for maximum performance, as it's
checked most frequently during backtracking.
This change removes basically the last remaining practical limitation of
precision backtracking logic in BPF verifier. It fixes known
deficiencies, but also opens up new opportunities to reduce number of
verified states, explored in the subsequent patches.
There are only three differences in selftests' BPF object files
according to veristat, all in the positive direction (less states).
File Program Insns (A) Insns (B) Insns (DIFF) States (A) States (B) States (DIFF)
-------------------------------------- ------------- --------- --------- ------------- ---------- ---------- -------------
test_cls_redirect_dynptr.bpf.linked3.o cls_redirect 2987 2864 -123 (-4.12%) 240 231 -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o syncookie_tc 82848 82661 -187 (-0.23%) 5107 5073 -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o syncookie_xdp 85116 84964 -152 (-0.18%) 5162 5130 -32 (-0.62%)
Note, I avoided renaming jmp_history to more generic insn_hist to
minimize number of lines changed and potential merge conflicts between
bpf and bpf-next trees.
Notice also cur_hist_entry pointer reset to NULL at the beginning of
instruction verification loop. This pointer avoids the problem of
relying on last jump history entry's insn_idx to determine whether we
already have entry for current instruction or not. It can happen that we
added jump history entry because current instruction is_jmp_point(), but
also we need to add instruction flags for stack access. In this case, we
don't want to entries, so we need to reuse last added entry, if it is
present.
Relying on insn_idx comparison has the same ambiguity problem as the one
that was fixed recently in [0], so we avoid that.
[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
Published Nov 5, 2024 · Updated May 17, 2026
Medium · CVSS 4.3
The brcm80211 component in the Linux kernel through 6.5.10 has a brcmf_cfg80211_detach use-after-free in the device unplugging (disconnect the USB by hotplug) code. For physically proximate attackers with local access, this "could be exploited in a real world scenario." This is related to brcmf_cfg80211_escan_timeout_worker in drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c.
Published Nov 3, 2023 · Updated May 12, 2026
Medium · CVSS 4.3
An out-of-bounds read vulnerability was found in the NVMe-oF/TCP subsystem in the Linux kernel. This issue may allow a remote attacker to send a crafted TCP packet, triggering a heap-based buffer overflow that results in kmalloc data being printed and potentially leaked to the kernel ring buffer (dmesg).
Published Nov 16, 2023 · Updated May 12, 2026
Medium · CVSS 5.3
Issue summary: Generating excessively long X9.42 DH keys or checking
excessively long X9.42 DH keys or parameters may be very slow.
Impact summary: Applications that use the functions DH_generate_key() to
generate an X9.42 DH key may experience long delays. Likewise, applications
that use DH_check_pub_key(), DH_check_pub_key_ex() or EVP_PKEY_public_check()
to check an X9.42 DH key or X9.42 DH parameters may experience long delays.
Where the key or parameters that are being checked have been obtained from
an untrusted source this may lead to a Denial of Service.
While DH_check() performs all the necessary checks (as of CVE-2023-3817),
DH_check_pub_key() doesn't make any of these checks, and is therefore
vulnerable for excessively large P and Q parameters.
Likewise, while DH_generate_key() performs a check for an excessively large
P, it doesn't check for an excessively large Q.
An application that calls DH_generate_key() or DH_check_pub_key() and
supplies a key or parameters obtained from an untrusted source could be
vulnerable to a Denial of Service attack.
DH_generate_key() and DH_check_pub_key() are also called by a number of
other OpenSSL functions. An application calling any of those other
functions may similarly be affected. The other functions affected by this
are DH_check_pub_key_ex(), EVP_PKEY_public_check(), and EVP_PKEY_generate().
Also vulnerable are the OpenSSL pkey command line application when using the
"-pubcheck" option, as well as the OpenSSL genpkey command line application.
The OpenSSL SSL/TLS implementation is not affected by this issue.
The OpenSSL 3.0 and 3.1 FIPS providers are not affected by this issue.
Published Nov 6, 2023 · Updated May 12, 2026
High · CVSS 8.8
Cross-Site Request Forgery (CSRF) vulnerability in ThemeKraft TK Google Fonts GDPR Compliant plugin <= 2.2.11 versions.
Published Nov 6, 2023 · Updated Apr 29, 2026
Medium · CVSS 5.9
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Premio Chaty chaty allows DOM-Based XSS.This issue affects Chaty: from n/a through <= 3.1.2.
Published Nov 22, 2023 · Updated Apr 29, 2026
Medium · CVSS 6.5
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Apollo13Themes Apollo13 Framework Extensions plugin <= 1.9.0 versions.
Published Nov 8, 2023 · Updated Apr 29, 2026
High · CVSS 7.1
Unauth. Stored Cross-Site Scripting (XSS) vulnerability in gVectors Team Comments — wpDiscuz plugin <= 7.6.11 versions.
Published Nov 6, 2023 · Updated Apr 29, 2026
Unknown · CVSS Not scored
Auth. (author+) Stored Cross-Site Scripting (XSS) vulnerability in simonpedge Slide Anything – Responsive Content / HTML Slider and Carousel plugin <= 2.4.9 versions.
Published Nov 7, 2023 · Updated Apr 29, 2026
High · CVSS 8.8
Cross-Site Request Forgery (CSRF) leading to a Stored Cross-Site Scripting (XSS) vulnerability in Nazmul Hossain Nihal Login Screen Manager plugin <= 3.5.2 versions.
Published Nov 6, 2023 · Updated Apr 29, 2026
High · CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RedNao Donations Made Easy – Smart Donations allows SQL Injection.This issue affects Donations Made Easy – Smart Donations: from n/a through 4.0.12.
Published Nov 6, 2023 · Updated Apr 29, 2026
Medium · CVSS 4.3
Cross-Site Request Forgery (CSRF) vulnerability in ReCorp Export WP Page to Static HTML/CSS plugin <= 2.1.9 versions.
Published Nov 10, 2023 · Updated Apr 29, 2026
High · CVSS 7.1
Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in FLOWFACT WP Connector plugin <= 2.1.7 versions.
Published Nov 8, 2023 · Updated Apr 29, 2026
Medium · CVSS 6.5
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in D. Relton Medialist plugin <= 1.3.9 versions.
Published Nov 8, 2023 · Updated Apr 29, 2026
Medium · CVSS 6.5
Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in Bright Plugins Pre-Orders for WooCommerce plugin <= 1.2.13 versions.
Published Nov 6, 2023 · Updated Apr 29, 2026
High · CVSS 8.8
Improper Neutralization of Formula Elements in a CSV File vulnerability in WPOmnia KB Support.This issue affects KB Support: from n/a through 1.5.84.
Published Nov 7, 2023 · Updated Apr 29, 2026
Medium · CVSS 5.3
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Exactly WWW EWWW Image Optimizer. It works only when debug.log is turned on.This issue affects EWWW Image Optimizer: from n/a through 7.2.0.
Published Nov 30, 2023 · Updated Apr 29, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in biztechc Copy or Move Comments allows SQL Injection.This issue affects Copy or Move Comments: from n/a through 5.0.4.
Published Nov 6, 2023 · Updated Apr 29, 2026
Unknown · CVSS Not scored
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Daniel Söderström / Sidney van de Stouwe Subscribe to Category allows SQL Injection.This issue affects Subscribe to Category: from n/a through 2.7.4.
Published Nov 6, 2023 · Updated Apr 29, 2026
High · CVSS 7.2
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Themesgrove Onepage Builder allows SQL Injection.This issue affects Onepage Builder: from n/a through 2.4.1.
Published Nov 3, 2023 · Updated Apr 29, 2026
High · CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Demonisblack demon image annotation allows SQL Injection.This issue affects demon image annotation: from n/a through 5.1.
Published Nov 3, 2023 · Updated Apr 29, 2026
High · CVSS 7.6
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in IT Path Solutions PVT LTD Contact Form to Any API allows SQL Injection.This issue affects Contact Form to Any API: from n/a through 1.1.2.
Published Nov 3, 2023 · Updated Apr 29, 2026
High · CVSS 8.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bPlugins LLC Icons Font Loader allows SQL Injection.This issue affects Icons Font Loader: from n/a through 1.1.2.
Published Nov 6, 2023 · Updated Apr 29, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Creative Solutions Contact Form Generator : Creative form builder for WordPress allows SQL Injection.This issue affects Contact Form Generator : Creative form builder for WordPress: from n/a through 2.6.0.
Published Nov 6, 2023 · Updated Apr 29, 2026