CVE-2026-45722

Nextcloud is an open source content collaboration platform. From versions 0.9.0 to before 0.9.7, and 1.0.0 to before 1.0.2, a missing sanitization in the Tables app allowed a user with access to the tables app to perform a limited SQL injection in the ORDER BY statement of a query. Compared to...

Excel MCP Server path traversal vulnerability

Excel MCP Server is an Excel and CSV file reading/writing/analysis tool developed by ishayoyo as a personal project. Versions of Excel MCP Server 1.0.2 and earlier contained a path traversal vulnerability. This vulnerability stemmed from incorrect handling of the filePath/outputPath parameters in...

CVE-2026-45137 Anchor: Program<'info, System> is not properly validated

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in progra...

CVE-2026-45137

Summary: CVE-2026-45137 affects Anchor (Solana programs) where Program validation fails due to using Pubkey::default() as a sentinel, causing System and () to be treated equivalently and allowing any executable program in place of the system program. Impact: potential arbitrary CPI or payment byp...

EUVD-2026-32665

Anchor is a framework providing several convenient developer tools for writing Solana programs. From 1.0.0 to before 1.0.2, an logic error causes anchor programs to accept any program id when requiring the system program id, causing false assumptions resulting in potential arbitrary cpi in progra...

EUVD-2026-32083

The Easy Prism Syntax Highlighter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'code' and 'c' shortcode in versions up to, and including, 1.0.2. This is due to insufficient input sanitization and output escaping on user supplied shortcode attributes in the...

WordPress plugin Easy Prism Syntax Highlighter 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

CVE-2026-44214

CVE-2026-44214 concerns eventsource-encoder where unsanitized event and id fields can inject SSE line terminators, enabling forged SSE fields/messages. Affects versions prior to 1.0.2; patch released in 1.0.2 that validates/escapes those fields. Public advisories (GHSA, OSV, CVS) describe the imp...

CVE-2026-44214 eventsource-encoder: SSE event injection via unsanitized event and id fields

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

EUVD-2026-31968

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-44214

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

WordPress Easy Prism Syntax Highlighter plugin <= 1.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Easy Prism Syntax Highlighter versions = 1.0.2...

eventsource-encoder 注入漏洞

eventsource-encoder is a server-side event encoding tool developed by Espen Hovlandsdal. Versions of eventsource-encoder prior to 1.0.2 contained an injection vulnerability. This vulnerability stemmed from the lack of cleanup of event or ID fields during serialization of EventSourceMessage. An...

CVE-2026-2518

The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...

CVE-2026-2518

The CVE-2026-2518 entry concerns the WordPress FastX theme. The vulnerability is due to missing capability checks in two callbacks, ultp_install_callback and ultp_activate_callback, affecting all versions up to and including 1.0.2. This allows authenticated attackers with Subscriber-level access ...

WordPress plugin FastX theme 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There ar...

PT-2026-42722

Name of the Vulnerable Software and Affected Versions FastX theme for WordPress versions prior to 1.0.3 Description The FastX theme for WordPress allows authenticated attackers with Subscriber-level access or higher to install and activate the PostX plugin. This is caused by missing capability...

WordPress Account Switcher plugin <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation vulnerability

Authenticated Subscriber+ Authentication Bypass to Privilege Escalation vulnerability discovered by Ren Voza in WordPress Plugin Account Switcher versions = 1.0.2...

CVE-2026-6456 Account Switcher <= 1.0.2 - Authenticated (Subscriber+) Authentication Bypass to Privilege Escalation

The Account Switcher plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.2. This is due to the rememberLogin REST API endpoint using a loose comparison != instead of !== for secret validation at app/RestAPI.php:111, combined with no validation that...

Amazon Linux 2023 : PackageKit, PackageKit-command-not-found, PackageKit-cron (ALAS2023-2026-1639)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1639 advisory. PackageKit is a a D-Bus abstraction layer that allows the user to manage packages in a secure way using a cross-distro, cross-architecture API. PackageKit between and including versions 1.0.2 and 1.3.4...