CVE-2026-5229

The Form Notify plugin for WordPress is vulnerable to Authentication Bypass in versions up to and including 1.1.10. This is due to the plugin trusting user-controlled cookie data to determine which WordPress account to authenticate after a LINE OAuth login. When LINE doesn't provide an email...

CVE-2026-5229

The Form Notify plugin for WordPress is vulnerable to an Authentication Bypass in versions up to 1.1.10 due to trusting user-controlled cookie data to select the WordPress account after a LINE OAuth login. If LINE omits an email address, the plugin uses the 'form_notify_line_email' cookie without...

CVE-2026-6551

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied...

PT-2026-35658

The Timeline Blocks for Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'titleTag' attribute of the timeline-blocks/tb-timeline-blocks block in all versions up to, and including, 1.1.10 due to insufficient input sanitization and output escaping on user supplied...

CVE-2026-41167

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

EUVD-2026-15891

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through = 1.1.10...

CVE-2026-32526 WordPress Abandoned Cart Recovery for WooCommerce plugin <= 1.1.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through = 1.1.10...

CVE-2026-32526 WordPress Abandoned Cart Recovery for WooCommerce plugin <= 1.1.10 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in VillaTheme Abandoned Cart Recovery for WooCommerce woo-abandoned-cart-recovery allows Stored XSS.This issue affects Abandoned Cart Recovery for WooCommerce: from n/a through = 1.1.10...

CVE-2026-32526

CVE-2026-32526 affects the WordPress plugin VillaTheme Abandoned Cart Recovery for WooCommerce (woo-abandoned-cart-recovery), version range: = 1.1.11) or apply vendor-provided fixes where available. Documentation in connected sources consistently identifies this as a Stored XSS affecting the plug...

PT-2026-28040

Name of the Vulnerable Software and Affected Versions VillaTheme Abandoned Cart Recovery for WooCommerce versions through 1.1.10 Description The software contains an Improper Neutralization of Input During Web Page Generation issue, specifically a Cross-site Scripting condition. This allows for...

CVE-2026-29082 Kestra: Stored Cross-Site Scripting in Markdown File Preview

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown .md with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there a...

kestra 跨站脚本漏洞

Kestra is an open-source workflow automation platform developed by Kestra. Versions of Kestra 1.1.10 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from the lack of cleanup when rendering Markdown formats provided by users, which could lead to cross-site scriptin...

PT-2026-23727

Kestra is an event-driven orchestration platform. In versions from 1.1.10 and prior, Kestra’s execution-file preview renders user-supplied Markdown .md with markdown-it instantiated as html:true and injects the resulting HTML with Vue’s v-html without sanitisation. At time of publication, there a...

EUVD-2026-9735

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion.This issue affects Vapester: from n/a through = 1.1.10...

EUVD-2026-9748

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through = 1.1.10...

CVE-2026-28093

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through = 1.1.10...

CVE-2026-28093

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Ozisti ozisti allows PHP Local File Inclusion.This issue affects Ozisti: from n/a through = 1.1.10...

CVE-2026-28093

CVE-2026-28093 affects the WordPress theme ThemeREX Ozisti (Ozisti) for versions

CVE-2026-28077

CVE-2026-28077 is a Local File Inclusion vulnerability in the WordPress ThemeREX Vapester theme ( Vapester ) affecting versions up to 1.1.10. The issue is described as Improper Control of Filename for Include/Require Statement in PHP, i.e., a PHP Remote File Inclusion capability that effectively ...

CVE-2026-28077

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Vapester vapester allows PHP Local File Inclusion.This issue affects Vapester: from n/a through = 1.1.10...