CVE-2026-13331 Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
CVE-2026-13331
The affected software is the Groundhogg WordPress plugin (CRM, Newsletters, and Marketing Automation). It is vulnerable to a generic SQL Injection via the 'search' parameter in all versions up to and including 4.5.5, caused by insufficient escaping of the user-supplied value and inadequate prepa...
EUVD-2026-39928
The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...
EUVD-2026-39487
pnpm: stage download writes outside its destination directory via manifest name/version traversal...
EUVD-2026-39484
pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes...
EUVD-2026-38067
Subsonic API: any authenticated user can delete or read any other user's playlist IDOR...
EUVD-2026-39483
pnpm: Repository-controlled configDependencies can select a pacquet native install engine...
EUVD-2026-36601
Nezha Monitoring: Unbounded WebSocket Streams — Resource Exhaustion DoS...
EUVD-2026-36598
Nezha Monitoring: Pre-auth path traversal via /dashboard.. prefix confusion leaks jwtsecretkey...
EUVD-2026-36600
Nezha Monitoring: Stored future DDNS profile ID allows unauthorized use of another user's DDNS profile context...
EUVD-2026-36599
Nezha Monitoring: Authenticated users can claim the dashboard Host through NAT and preempt all dashboard routing...
EUVD-2026-39492
pnpm Vulnerable to Arbitrary File Write/Delete via Malicious Patch File Path Traversal...
EUVD-2026-38060
js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals...
EUVD-2026-38036
PhpWeasyPrint vulnerable to arbitrary file deletion at shutdown via public $temporaryFiles...
EUVD-2026-31686
Hackney has an infinite loop on non-token byte at start of an Alt-Svc entry...
EUVD-2026-38016
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication...
EUVD-2026-38048
php-weasyprint: shell command injection via configurable WeasyPrint binary path due to inverted is_executable guard (mirror of KnpLabs/snappy GHSA-vpr4-p6fq-85jc)...
CVE-2026-50136
Budibase is an open-source low-code platform. Prior to 3.39.3, the application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require...
EUVD-2026-37950
Relyra SAML SignatureValue not cryptographically verified - authentication bypass...
EUVD-2026-37943
deepstream is vulnerable to prototype pollution...