redhat-certification does not properly restrict files that can be download through the /download page. A remote attacker may download any file accessible by the user running httpd.
Buffer overflow in H2O version 2.2.2 and earlier allows remote attackers to cause a denial-of-service in the server via unspecified vectors.
Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.
The contact-form-plugin plugin before 4.0.2 for WordPress has XSS.