CVE-2026-36574

A DLL hijacking vulnerability in Wassimulator CactusViewer v2.3.0 enables local privilege escalation and arbitrary code execution via a crafted DLL. The provided documents specify the vulnerability class and affected version but do not detail the exact affected environments, deeper root-cause mec...

WordPress Fortius theme <= 2.3.0 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Fortius versions = 2.3.0...

CVE-2026-45438

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0...

CVE-2026-45438 WordPress Smart Coupons for WooCommerce plugin < 2.3.0 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebToffee Smart Coupons for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Coupons for WooCommerce: from n/a before 2.3.0...

CVE-2026-45438

CVE-2026-45438 affects the WordPress plugin Smart Coupons for WooCommerce : versions before 2.3.0. The issue is a Missing Authorization / Broken Access Control vulnerability where access control is incorrectly configured, allowing bypass of authorization checks and potential unauthorized actions....

WordPress Smart Coupons for WooCommerce plugin < 2.3.0 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by hhhai in WordPress Plugin Smart Coupons for WooCommerce versions 2.3.0...

Astra Linux - уязвимость в openexr

A heap-based buffer overflow vulnerability exists in Academy Software Foundation OpenEXR 2.3.0 in chunkOffsetReconstruction in ImfMultiPartInputFile.cpp that can cause a denial of service via a crafted EXR file...

Astra Linux - уязвимость в libcue

Libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and earlier are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a CUE sheet from a malicious webpage. Since the file is saved to /Downloads, it...

WordPress Restrict – membership, site, content and user access restrictions for WordPress plugin <= 2.3.0 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin Restrict versions = 2.3.0...

CVE-2026-40103

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

CVE-2026-35602

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the Vikunja file import endpoint uses the attacker-controlled Size field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By...

CVE-2026-35600

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday which allows and tags,...

CVE-2026-35601

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar propert...

CVE-2026-6141

The CVE-2026-6141 entry affects danielmiessler Personal_AI_Infrastructure up to version 2.3.0, targeting an unknown function in Skills/Parser/Tools/parse_url.ts. The vulnerability allows remote OS command injection via manipulation of that function. The exploit has been publicly disclosed, and a ...

CVE-2026-40103

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

CVE-2026-35596

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the hasAccessToLabel function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, description...

CVE-2026-40103 Vikunja's Scoped API tokens with projects.background permission can delete project backgrounds

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only projects.background can successfully delete a project background, while a token with only...

CVE-2026-35600

Vikunja prior to 2.3.0 is vulnerable to HTML Injection in overdue email notifications caused by embedding task titles directly in Markdown link syntax without escaping special characters. The task title is placed inside a Markdown link, which can break the link structure if it contains brackets, ...

CVE-2026-35599

Summary: CVE-2026-35599 affects Vikunja prior to version 2.3.0, where addRepeatIntervalToTime uses an O(n) loop to advance a date by RepeatAfter until it passes now. When a repeating task uses a 1-second interval and an old due_date, this can trigger billions of iterations, causing high CPU usage...

CVE-2026-35597 Vikunja Affected by TOTP Brute-Force Due to Non-Functional Account Lockout

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. When a TOTP validation fails, the login handler in pkg/routes/api/v1/login.go calls HandleFailedTOTPAuth and then...