65298 matches found

Nuclei
added 15 hours ago | 8 views

Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings import/export

includes/options.php in the motors-car-dealership-classified-listings aka Motors - Car Dealer & Classified Ads plugin through 1.4.0 for WordPress allows unauthenticated options changes. id: CVE-2019-17228 info: name: Motors Car Dealer & Classified Ads <= 1.4.0 - Unauthenticated settings...

CVSS: 6.5 | AI score: 6.6 | EPSS: 0.01153
Exploits: 1 | References: 4

Nuclei
added 15 hours ago | 6 views

WordPress OneTone theme <= 3.0.6 – Unauthenticated Options Changes

includes/theme-functions.php in the OneTone theme through 3.0.6 for WordPress allows unauthenticated options changes. id: CVE-2019-17230 info: name: WordPress OneTone theme <= 3.0.6 – Unauthenticated Options Changes author: daffainfo severity: medium description: | includes/theme-functions.php in...

CVSS: 5.3 | AI score: 6 | EPSS: 0.02052
Exploits: 1 | References: 3

EUVD
added yesterday | 7 views

EUVD-2026-39951

The Product Specifications for WooCommerce plugin for WordPress is vulnerable to unauthorized modification, creation, and deletion of data in versions up to and including 0.8.9. This is due to a missing capability check and missing nonce verification in the invoke methods of the...

CVSS: 4.3 | AI score: 5.9 | EPSS: 0.00213
Exploits: 0 | References: 8

EUVD
added yesterday | 7 views

EUVD-2026-39932

The HD Quiz plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions 2.2.0 to 2.2.1. This is due to missing or incorrect nonce validation on the hdqvalidatenonce function. This makes it possible for unauthenticated attackers to delete or modify quizzes and questions, create ne...

CVSS: 4.3 | AI score: 5.6 | EPSS: 0.00179
Exploits: 0 | References: 16

RedhatCVE
added 2 days ago | 5 views

CVE-2026-53019

A flaw was found in the Linux kernel's clock (clk) driver for Spacemit's ccu_mix component. An inverted condition within the ccu_mix_trigger_fc function can cause the system to skip frequency change triggers. This can lead to kernel panics during CPU frequency scaling, resulting in a Denial of Service...

AI score: 5.8 | EPSS: 0.00166
Exploits: 0 | References: 4

CVE
added 2 days ago | 18 views

CVE-2026-55686

Summary of CVE-2026-55686 (Podman: WORKDIR symlink traversal) Affects Podman versions 3.0.0 through 5.7.0 where a container image run with a crafted WORKDIR path that contains a symlink can cause a host filesystem change: create a directory or modify ownership. Ownership modification is less like...

CVSS: 5.3 | AI score: 5.8 | EPSS: 0.00317
Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2 days ago | 3 views

UBUNTU-CVE-2026-53277

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Take the SRCU lock for page table walks in fault injection and AT emulation. walk_s1 and kvm_walk_nested_s2 expect to be called while holding kvm->srcu to guard against memslot changes. While this is generally the case,...

CVSS: 8.8 | AI score: 5.7 | EPSS: 0.00174
Exploits: 0 | References: 6

Cvelist
added 3 days ago | 35 views

CVE-2026-43920 FOSSBilling: Unauthenticated update patcher endpoint allows remote maintenance execution

FOSSBilling is a free, open-source billing and client management system. In versions 0.5.4 through 0.7.2, the /run-patcher maintenance endpoint in FOSSBilling was accessible without authentication, which allowed unauthenticated remote users to trigger update patch routines that modify configurati...

CVSS: 6.9 | EPSS: 0.00545
Exploits: 0 | References: 2

CVE
added 3 days ago | 10 views

CVE-2026-43920

CVE-2026-43920 affects FOSSBilling versions 0.5.4–0.7.2 where the unauthenticated /run-patcher endpoint allowed privileged maintenance operations (config migrations, DB schema changes including ALTER/DROP/UPDATE, filesystem deletions/renames, and cache clearing) to be executed without admin auth,...

CVSS: 6.9 | AI score: 6 | EPSS: 0.00545
Exploits: 0 | References: 2

NVD
added 4 days ago | 6 views

CVE-2026-13201

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...

CVSS: 7.3 | EPSS: 0.00124
Exploits: 0 | References: 2

RedhatCVE
added 4 days ago | 6 views

CVE-2026-57283

A flaw was found in Jenkins Pipeline: Groovy Plugin. This cross-site request forgery (CSRF) vulnerability allows attackers to instantiate types related to job or system configuration. This could enable unauthorized modifications to the Jenkins environment...

CVSS: 6.5 | AI score: 5.7 | EPSS: 0.00158
Exploits: 0 | References: 4

Vulnrichment
added 4 days ago | 5 views

CVE-2026-13201 Kubevirt: virt-handler-rhel9: kubevirt: safepath symlink following in virt-handler enables notify socket hijacking and node-level vm disruption

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...

CVSS: 7.3 | AI score: 6 | EPSS: 0.00124
Exploits: 0 | References: 2

RedhatCVE
added 4 days ago | 5 views

CVE-2026-13201

A flaw was found in KubeVirt's safepath package used by virt-handler. The OpenAtNoFollow function uses O_PATH|O_NOFOLLOW to obtain a file descriptor to a path leaf, but downstream operations resolve the path via /proc/self/fd/N using link-following syscalls. When the leaf is a symlink, the kernel...

CVSS: 7.3 | AI score: 6 | EPSS: 0.00124
Exploits: 0 | References: 3

CVE
added 4 days ago | 8 views

CVE-2026-1840

The CVE concerns Hubbell Aclara Metrum Cellular Web Interface, where unauthorized access arises from missing authentication on critical system functions. This allows attackers to alter essential configuration settings, trigger system restarts, and potentially disrupt device communications. CISA a...

CVSS: 8.7 | AI score: 5.9 | EPSS: 0.00726
Exploits: 0 | References: 3

EUVD
added 4 days ago | 4 views

EUVD-2026-39058

The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without...

CVSS: 8.7 | AI score: 5.9 | EPSS: 0.00726
Exploits: 0 | References: 3

Cvelist
added 4 days ago | 20 views

CVE-2026-1840 Missing authentication for critical function in Hubbell Aclara Metrum Cellular Web Interface

The Aclara Metrum Cellular Web Interface is vulnerable to unauthorized access due to the absence of authentication controls on critical system functions. This weakness exposes essential configuration settings, allowing attackers to alter operational parameters and trigger system restarts without...

CVSS: 8.7 | EPSS: 0.00726
Exploits: 0 | References: 3

CVE
added 4 days ago | 4 views

CVE-2026-53049

CVE-2026-53049 affects the Linux kernel GFS2 component. The root cause is that gfs2_logd() called log-flushing routines (gfs2_ail1_start(), gfs2_ail1_wait(), gfs2_ail1_empty()) without holding sdp->sd_log_flush_lock, exposing a risk of race conditions with concurrent transactions. The patch in...

CVSS: 9.8 | AI score: 5.7 | EPSS: 0.00172
Exploits: 0 | References: 7

NVD
added 4 days ago | 7 views

CVE-2026-8905

The Osiris Signature Banner plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.5. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious...

CVSS: 6.1 | EPSS: 0.00135
Exploits: 0 | References: 5

NVD
added 4 days ago | 6 views

CVE-2026-6292

The MP Customize Login Page plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 1.0. This is due to a completely broken nonce validation in the entermpclploginoptions function, which contains an inverted check if wp_verify_nonce... return false;...

CVSS: 4.3 | EPSS: 0.00176
Exploits: 0 | References: 5

EUVD
added 4 days ago | 7 views

EUVD-2026-38636

Fortra File Integrity Monitoring (FIM), formerly Tripwire Enterprise, versions prior to 9.4.0 may assign incorrect or elevated effective permissions to users created by the tetool import command while FIM is running, particularly when the import also creates or changes roles or role-permission...

CVSS: 4.4 | AI score: 5.9 | EPSS: 0.00101
Exploits: 0 | References: 2