CVE-2026-53736

CVE-2026-53736 affects the Easy Twitter Feeds WordPress plugin prior to 1.2.13. The issue is a cross-site request forgery in the duplicate_post action handler that lacks nonce verification. An attacker could entice an authenticated user to visit a crafted link that duplicates posts regardless of ...

CVE-2026-8940

The WP Meta Sort Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.9. This is due to missing or incorrect nonce validation on the top-level included script in msp-options.php. This makes it possible for unauthenticated attackers to chan...

CVE-2026-8907

The WP-Ultimate-Map plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.1. This is due to missing nonce validation on the processinit function hooked to admininit, which saves plugin settings zoom-level, focus-lat, focus-lng, selplaces, selroutes v...

CVE-2026-8910

The WP Emoticon Rating plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web...

CVE-2026-7542

The Slider Revolution plugin for WordPress is vulnerable to Sensitive Information Disclosure in versions up to and including 7.0.10. This is due to three compounding design flaws: 1 the plugin leaks a valid backend AJAX nonce revslideractions to all authenticated users including Subscribers via t...

CVE-2026-8909

The WpMobi plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.0.3. This is due to missing or incorrect nonce validation on the handleSaveGeneralSettings function. This makes it possible for unauthenticated attackers to modify the plugin's...

CVE-2026-9185

The 6Storage Rentals plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 2.22.0 via the userId parameter of the sixstoragegetuserinfo and sixstorageupdateprofile AJAX actions. This is due to the sixstoragegetUserInfo and...

CVE-2026-11603

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'argsfilterFormArray' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

CVE-2026-41000: WSS4J validation does not use configured replay cache

Wss4jSecurityInterceptor did not consistently wire Apache WSS4J ReplayCache instances into RequestData for validation-time checks. As a result, protections against replay of UsernameToken nonces and creation timestamps, Timestamp elements, and certain SAML one-time-use semantics could be...

PT-2026-48550

Easy Twitter Feeds before 1.2.13 contains a cross-site request forgery vulnerability in the duplicate post action handler that lacks nonce verification. Attackers can trick an authenticated user into visiting a crafted link that duplicates any post regardless of post type...

PT-2026-48553

Yoast Duplicate Post through 4.6 contains a cross-site request forgery vulnerability in the duplicate post dismiss notice handler, which verifies no nonce or capability. Attackers can trick any authenticated user into sending a request that sets the duplicate post show notice site option,...

Linux Distros Unpatched Vulnerability : CVE-2026-45445

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV ...

Missing Cryptographic Step

Overview Affected versions of this package are vulnerable to Missing Cryptographic Step in the AES-OCB provider when an application uses the EVPCipher interface. The handler silently discards the IV, so every message under a given key runs with the all-zero offset state, causing nonce reuse. If...

EUVD-2026-35489

Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV...

CVE-2026-45446

Issue summary: The implementations of AES-SIV RFC 5297 and AES-GCM-SIV RFC 8452 mishandle the authentication of AAD Additional Authenticated Data with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's...

CVE-2026-45445

Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV...

ALPINE-CVE-2026-45445

Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV...

CVE-2026-45446 Incorrect Tag Processing for Empty Messages in AES-GCM-SIV and AES-SIV modes

Issue summary: The implementations of AES-SIV RFC 5297 and AES-GCM-SIV RFC 8452 mishandle the authentication of AAD Additional Authenticated Data with an empty ciphertext allowing a forgery of such messages. Impact summary: An attacker can forge empty messages with arbitrary AAD to the victim's...

CVE-2026-45445 AES-OCB IV Ignored on EVP_Cipher() Path

Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV...

CVE-2026-45445 AES-OCB IV Ignored on EVP_Cipher() Path

Issue summary: When an application drives an AES-OCB context through the public EVPCipher one-shot interface, the application-supplied initialisation vector IV is silently discarded. Impact summary: Every message encrypted under the same key uses the same effective nonce regardless of the IV...