Acorzo1983

#11595of 53,630
23.7Total CVSS
Vulnerabilities · 3
High
3
PT-2026-30243
7.2
2026-04-03
Piwigo · Piwigo · CVE-2026-27834
Piwigo is an open source photo gallery application for the web. Prior to version 16.3.0, a SQL Injection vulnerability exists in the pwg.users.getList Web Service API method. The filter parameter is directly concatenated into a SQL query without proper sanitization, allowing authenticated administrators to execute arbitrary SQL commands. This issue has been patched in version 16.3.0.
PT-2026-21371
7.7
2026-02-21
Wallos · Wallos · CVE-2026-27479
**Name of the Vulnerable Software and Affected Versions** Wallos versions 4.6.0 and below **Description** Wallos is a self-hostable personal subscription tracker susceptible to a Server-Side Request Forgery (SSRF) issue in the subscription and payment logo/icon upload functionality. The application validates the IP address of a provided URL, but allows HTTP redirects, enabling an attacker to bypass IP validation and access internal resources, including cloud instance metadata endpoints. The `getLogoFromUrl()` function uses `FILTER FLAG NO PRIV RANGE | FILTER FLAG NO RES RANGE` to validate the URL, but the cURL request is configured with `CURLOPT FOLLOWLOCATION = true` and `CURLOPT MAXREDIRS = 3`, allowing redirects without re-validation of the destination IP. **Recommendations** Update to version 4.6.1 or later.
PT-2026-21370
8.8
2026-01-01
Unknown · Zoneminder · CVE-2026-27470
**Name of the Vulnerable Software and Affected Versions** ZoneMinder versions 1.36.37 and below ZoneMinder versions 1.37.61 through 1.38.0 **Description** ZoneMinder is a free, open source closed-circuit television software application. A second-order SQL Injection issue exists in the `web/ajax/status.php` file within the `getNearEvents()` function. Event field values, specifically `Name` and `Cause`, are initially stored securely using parameterized queries. However, these values are later retrieved and directly concatenated into SQL `WHERE` clauses without proper escaping, allowing for potential exploitation. An authenticated user with Events edit and view permissions can leverage this to execute arbitrary SQL queries. **Recommendations** ZoneMinder versions 1.36.37 and below: At the moment, there is no information about a newer version that contains a fix for this vulnerability. ZoneMinder versions 1.37.61 through 1.38.0: At the moment, there is no information about a newer version that contains a fix for this vulnerability.