CVE Vulnerabilities - 16 April 2026
927 vulnerabilities published on 16 April 2026
Froxlor Allows Reseller to Bypass Domain Quota
GHSA-jvx4-xv3m-hrj4
A vulnerability in Froxlor allows resellers to attribute domains to other admins, potentially exhausting another admin's domain quota. This can happen when a reseller creates a domain for another admi...
5.4
Weak Encryption on TP-Link Archer C7 Routers Exposes Admin Passwords
CVE-2026-5363
A security weakness in TP-Link Archer C7 routers (models v5 and v5.8) makes it possible for an attacker who can observe network traffic to recover or crack the admin password, giving them control over the ro...
5.4
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
GHSA-qqvm-66q4-vf5c
### Summary
Flowise introduced SSRF protections through a centralized HTTP security wrapper (`httpSecurity.ts`) that implements deny-list validation and IP pinning logic.
However, multiple tool impl...
5.3
Flowise: Unauthenticated Access to Sensitive OAuth Credentials
GHSA-6pcv-j4jx-m4vx
Sensitive OAuth credentials can be accessed by anyone, putting organizations at risk of unauthorized access. This vulnerability allows unauthorized users to retrieve full SSO configurations, including...
5.3
Flowise: Unauthenticated Access to OAuth Secrets via GET Request
GHSA-6pcv-j4jx-m4vx
If an attacker knows an organization ID, they can retrieve that organization's OAuth configuration, including its secrets, without authenticating. This is a security risk because it allows unau...
5.3
zrok: Broken ownership check in DELETE /api/v2/unaccess allows non-admin to delete global frontend records
GHSA-3jpj-v3xr-5h6g
CVE-2026-40304
### Summary
The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends),...
5.3
Silverstripe Framework: Image Access Bypass in Older Versions
CVE-2026-24749
GHSA-jgcf-rf45-2f8v
Older versions of Silverstripe Framework allow unauthorized access to images, potentially compromising security. This issue has been fixed in versions 2.4.5 and 3.1.3. Developers should update to the ...
5.3
Fastify Static versions 8.0.0-9.1.0: Directory listings exposed
CVE-2026-6410
GHSA-pr96-94w5-mx2h
With Fastify Static versions 8.0.0 through 9.1.0 and directory listing enabled, an attacker can list the names of files and directories outside the configured root. This is a security risk ...
5.3
Fluent Forms plugin allows attackers to change payment status on pending submissions
CVE-2026-4160
The Fluent Forms plugin for WordPress has a security flaw that allows unauthorized users to change the payment status of pending submissions. This could allow attackers to trick people into thinking a...
5.3
PostX plugin for WordPress lets attackers change post sharing counts
CVE-2026-0718
The PostX plugin for WordPress allows attackers to change how many times posts are shared, even if they're private or in draft mode. This could be used to manipulate post popularity or spread misinfor...
5.3
Riaxe Product Customizer plugin allows attackers to delete any WordPress user account
CVE-2026-3595
The Riaxe Product Customizer plugin for WordPress has a security flaw that allows anyone to delete any user account, including administrators, without authenticating. This could lead to a site bei...
5.3
Basic Google Maps Placemarks Plugin for WordPress Allows Unauthorized Map Changes
CVE-2026-3581
Versions of the Basic Google Maps Placemarks plugin for WordPress up to 1.10.7 are vulnerable to unauthorized changes to maps. This means anyone can modify map settings without permission. To fix this...
5.3
LangSmith SDK: Sensitive LLM Output Leaked in Streaming Events
GHSA-rr7j-v2q5-chgv
LangSmith SDK's streaming output can expose sensitive LLM results even when output redaction is enabled, because the redaction controls don't apply to streaming token events. If you're using Lan...
5.3
LangSmith SDK: Unredacted streaming token events stored in LangSmith
The LangSmith SDK's output redaction feature doesn't work for streaming output, allowing sensitive information to be stored in LangSmith. This means that any data streamed from a Large Language Model ...
5.3
LangSmith SDK: Sensitive data leaked in streaming token events
GHSA-rr7j-v2q5-chgv
LangSmith SDK's output redaction controls don't apply to streaming token events, which can leak sensitive data. This affects both JavaScript and Python SDKs. To protect sensitive data, review your usa...
5.3
DOMPurify: Forbidden tags can be added due to unexpected behavior
GHSA-39q2-94rc-95cp
DOMPurify, a library used to sanitize user input in web applications, has a bug that allows certain tags to be added to the output even if they are supposed to be forbidden. This can happen when both ...
5.3
Saltcorn: Open Redirect in `POST /auth/login` due to incomplete `is_relative_url` validation (backslash bypass)
GHSA-f3g8-9xv5-77gv
### Summary
Saltcorn validates the post-login `dest` parameter with a string check that only blocks `:/` and `//`. Because all WHATWG-compliant browsers normalise backslashes (`\`) to forward slashes ...
5.1
Dell Client Platform BIOS: Unauthenticated Access via Weak Password Recovery
CVE-2025-36579
If an attacker has physical access to a Dell computer, they may be able to bypass the password protection and gain unauthorized access to the system. This is a concern because it means someone could p...
5.1
wger: Malicious Links Can Steal User Data
GHSA-6f54-qjvm-wwq3
CVE-2026-40353
Authenticated users can create a malicious link on a wger page that can steal user data or perform actions as other users when viewed by anyone, including unauthenticated visitors. This is a high-risk...
5.1
Istio: Sensitive Data Leaked to Envoy Proxies via Internal Service Request
GHSA-fgw5-hp8f-xfhc
Istio's internal service request feature can leak sensitive data to Envoy proxies if an internal service is used as a JWT key source. This happens when Istio makes an unauthenticated request to the in...
5.0
Istio: Sensitive Data Exposed via Misconfigured Authentication Settings
GHSA-fgw5-hp8f-xfhc
A configuration mistake in Istio's authentication settings can allow sensitive data to be shared with Envoy proxies. This happens when a specific setting is used to point to an internal service withou...
5.0
ONLYOFFICE DocumentServer XLS File Processing Error
CVE-2026-41034
If a malicious XLS file is processed, it could potentially leak sensitive information and allow an attacker to bypass security protections. This affects ONLYOFFICE DocumentServer before version 9.3.0....
5.0
Froxlor Email Spoofing via Wrong Email Address Parsing
GHSA-vmjj-qr7v-pxm6
A software bug in Froxlor allows any authenticated customer to send emails pretending to be from other customers' email addresses. This is a security risk because it could be used to send spam or phis...
5.0
Froxlor Allows Cross-Customer Email Spoofing
GHSA-vmjj-qr7v-pxm6
Froxlor, a web hosting control panel, has a security flaw that lets one customer send emails as another customer's email addresses. This happens when a customer adds a full email address as an allowed...
5.0
Valtimo: Sensitive data exposed in application logs
GHSA-hfrg-mcvw-8mch
CVE-2026-34164
Valtimo's inbox feature logs sensitive information in logs, making it accessible to people with logging access or admin permissions. This could lead to unauthorized access to personal data. To resolve...
4.9