CVE-2026-6565 Style Kits – Advanced Theme Styles for Elementor <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Kit Title

The Style Kits – Advanced Theme Styles for Elementor, Elementor Kits & Elementor Patterns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the '/wp-json/agwp/v1/tokens/save' endpoint kit title parameter in versions up to, and including, 2.5.0 due to insufficient input...

RHSA-2026:13512 Red Hat Security Advisory: Red Hat Ansible Automation Platform 2.5 Product Security and Bug Fix Update

Bulletin has no description...

Astra Linux - уязвимость в ruby2.5

A vulnerability was discovered in Ruby. The Ruby interpreter is vulnerable to the Marvin Attack. This attack allows the attacker to decrypt previously encrypted messages or forge signatures by exchanging a large number of messages with the vulnerable service...

CVE-2026-40353

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attributionlink property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields such as licenseauthor without escaping, and templates render the result using Django's...

CVE-2026-40340 libgphoto2 has OOB read in ptp_unpack_OI() in ptp-pack.c via malicious PTP ObjectInfo response

libgphoto2 is a camera access and control library. Versions up to and including 2.5.33 have an out-of-bounds read vulnerability in ptpunpackOI in camlibs/ptp2/ptp-pack.c lines 530–563. The function validates len PTPoiSequenceNumber i.e., len 48 but subsequently accesses offsets 48–56, up to 9 byt...

CVE-2026-40353

wger is a free, open-source workout and fitness manager. In versions 2.5 and below, the attributionlink property in AbstractLicenseModel constructs HTML by directly interpolating user-controlled license fields such as licenseauthor without escaping, and templates render the result using Django's...

EUVD-2025-209411

A vulnerability has been found in 1Panel-dev MaxKB up to 2.4.2. Impacted is an unknown function of the file ui/src/chat.ts of the component MdPreview. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used...

CVE-2026-33457

Livestatus injection in the prediction graph page in Checkmk 2.5.0b4, 2.4.0p26, and 2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value...

PYSEC-2026-59

Emmett is a full-stack Python web framework designed with simplicity. From 2.5.0 to before 2.8.1, the RSGI static handler for Emmett's internal assets /emmett paths is vulnerable to path traversal attacks. An attacker can use ../ sequences eg /emmett/../rsgi/handlers.py to read arbitrary files...

CVE-2025-39666

CVE-2025-39666 affects Checkmk in multiple versions: 2.2.0 (EOL), 2.3.0 before 2.3.0p46, 2.4.0 before 2.4.0p25, and 2.5.0 beta before 2.5.0b3. A site user can escalate to root by manipulating files in the site context that are processed when the omd command is run by root. This yields a local pri...

CVE-2026-22324 WordPress Melania theme <= 2.5.0 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in ThemeREX Melania melania allows PHP Local File Inclusion.This issue affects Melania: from n/a through = 2.5.0...

CVE-2025-54001

Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through = 2.5...

EUVD-2025-208299

Deserialization of Untrusted Data vulnerability in ThemeREX Classter classter allows Object Injection.This issue affects Classter: from n/a through = 2.5...

CVE-2026-22454

Deserialization of Untrusted Data vulnerability in ThemeREX Solaris solaris allows Object Injection.This issue affects Solaris: from n/a through = 2.5...

PT-2026-23196

Name of the Vulnerable Software and Affected Versions ThemeREX Solaris versions n/a through 2.5 Description The software contains a flaw due to deserialization of untrusted data, which allows for object injection. Recommendations At the moment, there is no information about a newer version that...

WordPress Solaris theme <= 2.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Solaris versions = 2.5...

CVE-2025-47904

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5...

CVE-2025-47904 Unsigned upgrade package

Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5...

CVE-2025-47904

CVE-2025-47904 affects Microchip Time Provider 4100. Root cause: missing integrity check during code download allows a malicious manual software update. Affected: Time Provider 4100 before version 2.5. Impact (per sources): potential compromise of software integrity and related systems during upg...

CVE-2026-26268

Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent ie prompt injection could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time th...