| CVE | Vendors | Products | Updated | CVSS v3.1 |
| Subscriber Cross Site Scripting (XSS) in ListingPro <= 2.9.11 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in Payment Gateway Based Fees and Discounts for WooCommerce <= 3.0.0 versions. |
| Subscriber PHP Object Injection in Uncanny Automator Pro <= 7.3.0.6 versions. |
| Unauthenticated SQL Injection in JetSmartFilters <= 3.8.3 versions. |
| Unauthenticated SQL Injection in JetEngine <= 3.8.10.2 versions. |
| Contributor Remote Code Execution (RCE) in Blocksy Companion Pro <= 2.1.45 versions. |
| Author Cross Site Scripting (XSS) in Featured Image <= 2.1 versions. |
| Administrator SQL Injection in WP All Import <= 4.0.1 versions. |
| Unauthenticated Insecure Direct Object References (IDOR) in Blocksy Companion Pro <= 2.1.46 versions. |
| Subscriber Broken Access Control in Email Marketing for WooCommerce by Omnisend <= 1.19.0 versions. |
| Subscriber Broken Access Control in MasterStudy LMS <= 3.7.30 versions. |
| Unauthenticated Cross Site Request Forgery (CSRF) in Real Estate 7 <= 3.5.9 versions. |
| newsletters_subscribers Broken Access Control in Newsletters <= 4.13 versions. |
| Subscriber Broken Access Control in Shoppable Images Lite <= 1.3 versions. |
| Unauthenticated Broken Access Control in Booking and Rental Manager <= 2.7.1 versions. |
| Contributor SQL Injection in Recipe Maker For Your Food Blog from Zip Recipes <= 8.2.7 versions. |
| A web page that contains unusual GPU shader code is loaded into the GPU compiler process and can trigger an out-of-bounds write crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges this could enable further exploits on the device.
An edge case using a very small value in GPU shader code can cause a segmentation fault in the GPU shader compiler due to an out-of-bounds write. |
| Unauthenticated remote information disclosure vulnerability in Ollama's model quantization engine allows an attacker to read and exfiltrate the server's heap memory, potentially leading to sensitive data exposure, further compromise, and stealthy persistence. |
| Kernel software installed and running inside a Host VM may post improper commands to the GPU Firmware to trigger a memory read or write outside the permitted range of memory for the host kernel.
Addresses passed to the GPU Firmware can be used by the Firmware for more privileged memory accesses than are permitted by the system. |
| A flaw was found in KubeVirt's network annotation generator. When a tenant creates a VirtualMachineInstance with a Multus network configuration, the supplied networkName value is written verbatim into the launcher pod's v1.multus-cni.io/default-network annotation without format validation or sanitization. The only admission check rejects empty strings; no DNS-1123 format validation, JSON detection, or special character rejection is performed. When the ExternalNetResourceInjection Beta feature gate is enabled (off by default, cluster-admin only), the NAD lookup that would otherwise catch malformed names is skipped by design. A tenant with kubevirt.io:edit permissions can inject a JSON-formatted NetworkSelectionElement array specifying an arbitrary namespace, NAD name, static IP address, and MAC address. Multus on the node parses this JSON and attaches the launcher pod to the specified network attachment in any namespace, enabling cross-namespace network access and IP/MAC impersonation on network segments normally segregated from tenant workloads. The ExternalNetResourceInjection feature gate was introduced in KubeVirt v1.8.0 (first shipped in OpenShift Virtualization 4.21). |