22587 matches found
CVE-2026-59674
CVE-2026-59674 affects openSUSE Tumbleweed surfacing a local privilege escalation in suricata packaging due to a symlink follow vulnerability in the post-install script. Connected details indicate the issue involves the libsuricata8 package (version 8.0.5-2.1 and earlier) and is fixed in 8.0.5-2....
Telaen => v1.3.1 - Open Redirect
Open Redirection Vulnerability in the redir.php script in Telaen before 1.3.1 allows remote attackers to redirect victims to arbitrary websites via a crafted URL. id: CVE-2013-2621 info: name: Telaen = v1.3.1 - Open Redirect author: ctflearner severity: medium description: | Open Redirection...
Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit - Broken Access Control
The Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit plugin for WordPress is vulnerable to unauthorized arbitrary plugin installation due to a missing capability check on the installoractivateaddonplugins function and a weak nonce hash in all...
DotCMS < 5.0.2 - Open Redirect
dotCMS before 5.0.2 contains multiple open redirect vulnerabilities via the html/common/forwardjs.jsp FORWARDURL parameter or the html/portlet/ext/common/pagepreviewpopup.jsp hostname parameter. An attacker can redirect a user to a malicious site and possibly obtain sensitive information, modify...
CirCarLife <4.3 - Improper Authentication
CirCarLife before 4.3 is susceptible to improper authentication. An internal installation path disclosure exists due to the lack of authentication for /html/repository.System. An attacker can obtain sensitive information, modify data, and/or execute unauthorized operations. id: CVE-2018-16668 inf...
Hunk Companion <= 1.8.4 - Arbitrary Plugin Installation
The Hunk Companion plugin for WordPress is vulnerable to unauthorized plugin installation/activation due to a missing capability check on the /wp-json/hc/v1/themehunk-import REST API endpoint in all versions up to, and including, 1.8.4. This makes it possible for unauthenticated attackers to...
ListingPro < 2.6.1 - Arbitrary Plugin Installation/Activation/Deactivation
The ListingPro - WordPress Directory & Listing Theme for WordPress is vulnerable to Arbitrary Plugin Installation, Activation and Deactivation in versions before 2.6.1. This is due to a missing capability check on the lpccaddonsactions function. This makes it possible for unauthenticated attacker...
CVE-2026-62194
OpenClaw versions 2026.5.20 before 2026.6.9 contain a privilege escalation vulnerability in plugin install commands that allows lower-trust callers to execute or persist actions beyond their intended authorization. Attackers can exploit misconfigured input paths or enabled features to escalate...
CVE-2026-62194
OpenClaw CVE-2026-62194 affects OpenClaw versions 2026.5.20 before 2026.6.9. Vulnerable: plugin install commands in the OpenClaw stack. Root cause: privilege escalation via misconfigured input paths or enabled features that let lower-trust callers execute/persist actions beyond their authorizatio...
CVE-2026-15516
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a...
CVE-2026-15516 MacCMS Pro Installation Index.php step5 authorization
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a...
EUVD-2026-43258
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a...
CVE-2026-15516
Technical details are not publicly available in the provided documents. Monitor for updates on CVE-2026-15516 for affected versions, impact, and remediation.
CVE-2026-11898
The White Label CMS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 2.7.12 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permission...
CVE-2026-11591
CVE-2026-11591 affects the WordPress plugin Widgets for Google Reviews up to version 13.3. It is a Stored Cross‑Site Scripting (XSS) vulnerability triggered via admin settings, caused by insufficient input sanitization and output escaping in the parameters fomo-title and fomo-text . Exploitation ...
EUVD-2026-43002
The WordPress Infinite Scroll – Ajax Load More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 7.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
Malicious code in stella-ai-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 936d3c8bc6611b58f5321ba5aab651bb3d2db821d172816283ca04633be00863 The stella CLI shipped in bin/stella.js prompts users for their phone number and the WhatsApp verification code and POSTs both to a hardcoded bare-IP...
EUVD-2026-42864
The KiviCare – Clinic & Patient Management System EHR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...
CVE-2026-15331
A vulnerability was identified in zhayujie CowAgent up to 2.1.0. The affected element is the function addurl/addpackage of the file agent/skills/service.py of the component Skill Installation Handler. The manipulation of the argument Name leads to path traversal. The attack may be initiated...
CVE-2026-15283 WPvivid Backup for MainWP <= 0.9.33 - Authenticated (Admin+) Stored Cross-Site Scripting
The WPvivid Backup for MainWP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 0.9.33 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...