| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| Quanos SCHEMA ST4 on-premises contains a local privilege escalation vulnerability in the Client Update Service. The update service runs as NT AUTHORITY\SYSTEM and exposes a .NET Remoting interface over a named pipe without sufficient access controls or authorization. A local authenticated low-privileged user can connect to the interface and invoke privileged update methods such as Update(). This allows arbitrary file write and delete operations with SYSTEM privileges and can be used to achieve local privilege escalation. |
| Unauthenticated Local File Inclusion in Uppercase < 1.2.2 versions. |
| Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Cargo RD Cargo Shipping Location for WooCommerce allows Blind SQL Injection.
This issue affects Cargo Shipping Location for WooCommerce: from n/a through 5.6. |
| Subscriber Privilege Escalation in SMS Alert Order Notifications <= 3.9.4 versions. |
| A flaw was found in vLLM, an open-source library for large language model inference. This vulnerability arises from improper handling of image metadata, specifically EXIF orientation and PNG transparency (tRNS) data, during image processing. When images are converted to RGB, transparency information may be implicitly discarded or remapped, leading to unexpected rendering of transparent pixels and distortion of input content. This can result in the model misinterpreting image content, potentially affecting the integrity of processed data. |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Themify Folo allows Reflected XSS.
This issue affects Themify Folo: from n/a through 1.9.6. |
| Unauthenticated Local File Inclusion in Snow Club <= 1.1 versions. |
| Unauthenticated Local File Inclusion in Etude <= 1.6 versions. |
| Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions. |
| Unauthenticated Local File Inclusion in Kastell <= 2.0 versions. |
| Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in StylemixThemes Motors allows PHP Local File Inclusion.
This issue affects Motors: from n/a through 1.4.109. |
| Deserialization of Untrusted Data vulnerability in EMV Creatify allows Object Injection.
This issue affects Creatify: from n/a through 1.5. |
| Unauthenticated PHP Object Injection in Konsept <= 1.9 versions. |
| Unauthenticated SQL Injection in JetEngine <= 3.8.10.1 versions. |
| Unauthenticated Broken Authentication in SMS Alert Order Notifications <= 3.9.3 versions. |
| Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget <= 4.2.3 versions. |
| Unauthenticated SQL Injection in WP eMember < v10.9.4 versions. |
| Missing Authorization vulnerability in Jegstudio Startupzy startupzy allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Startupzy: from n/a through 1.1.1. |
| Unauthenticated Broken Authentication in WooCommerce Dropshipping <= 5.2.4 versions. |
| Unauthenticated Cross Site Scripting (XSS) in Profile Builder Pro <= 3.15.0 versions. |
