8.8

CVSS4.0

CVE-2019-25260 - OXID eShop 6.3.4 - 'sorting' SQL Injection

OXID eShop versions 6.x prior to 6.3.4 contain a SQL injection vulnerability in the 'sorting' parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitra…

📅 Published: Feb. 3, 2026, 10:01 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.3

CVSS4.0

CVE-2026-1811 - bolo-blog bolo-solo Filename BackupService.java importFromMarkdown path traversal

A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be…

📅 Published: Feb. 3, 2026, 9:32 p.m. 🔄 Last Modified: April 18, 2026, midnight

9.3

CVSS4.0

CVE-2026-1341 - Missing Authentication for Critical Function in Avation Light Engine Pro

Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control.

📅 Published: Feb. 3, 2026, 9:26 p.m. 🔄 Last Modified: April 18, 2026, 12:15 a.m.

7.5

CVSS3.1

CVE-2026-25223 - Fastify's Content-Type header tab character allows body validation bypass

Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content …

📅 Published: Feb. 3, 2026, 9:21 p.m. 🔄 Last Modified: April 18, 2026, 12:15 a.m.

3.7

CVSS3.1

CVE-2026-25224 - Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream

Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify's Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via …

📅 Published: Feb. 3, 2026, 9:21 p.m. 🔄 Last Modified: April 18, 2026, 12:15 a.m.

10

CVSS3.1

CVE-2026-25510 - CI4MS Vulnerable to Remote Code Execution (RCE) via Arbitrary File Creation and Save in File Editor

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and sav…

📅 Published: Feb. 3, 2026, 9:17 p.m. 🔄 Last Modified: April 18, 2026, 6:45 p.m.

5.3

CVSS3.1

CVE-2026-25509 - CI4MS Vulnerable to User Email Enumeration via Password Reset Flow

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether a…

📅 Published: Feb. 3, 2026, 9:16 p.m. 🔄 Last Modified: April 18, 2026, 2:15 p.m.

9.3

CVSS3.1

CVE-2026-25150 - Prototype Pollution via FormData Processing in Qwik City

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fail…

📅 Published: Feb. 3, 2026, 9:12 p.m. 🔄 Last Modified: April 18, 2026, 2:15 p.m.

5.3

CVSS4.0

CVE-2026-25148 - Qwik SSR XSS via Unsafe Virtual Node Serialization

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful …

📅 Published: Feb. 3, 2026, 9:12 p.m. 🔄 Last Modified: April 18, 2026, 12:15 a.m.

5.9

CVSS3.1

CVE-2026-25151 - Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, Qwik City's server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Conten…

📅 Published: Feb. 3, 2026, 9:12 p.m. 🔄 Last Modified: April 18, 2026, 2:15 p.m.