212 matches found
PT-2026-46147
libexpat before 2.8.2 lacks handler call depth tracking for calls to XML_GetBuffer, XML_Parse, XML_ParseBuffer, XML_ParserFree, or XML_ParserReset from within handlers in cases of a policy violation. Thus, a use-after-free can occur,...
WordPress HT Contact Form plugin <= 2.8.2 - Unauthenticated Stored Cross-Site Scripting via File Upload Field vulnerability
Unauthenticated Stored Cross-Site Scripting via File Upload Field vulnerability discovered by Azril Fathoni kiseki - Heroes Cyber Security in WordPress Plugin HT Contact Form 7 versions <= 2.8.2...
CVE-2026-7052
The HT Contact Form – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'fileupload' parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for...
CVE-2026-42728 WordPress HT Contact Form 7 plugin <= 2.8.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in HT Plugins HT Contact Form 7 ht-contactform allows Stored XSS. This issue affects HT Contact Form 7: from n/a through <= 2.8.2...
Allocation of Resources Without Limits or Throttling
Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the sniff process. An attacker can cause the server to exhaust its memory resources by sending a specially crafted QUIC packet with a large crypto length after authenticating with ...
EUVD-2026-27169
The Loco Translate plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.8.2 via the fsReference AJAX route. This is due to the findSourceFile method normalizing user-supplied ref paths containing ../ directory traversal sequences without validating that the...
CVE-2026-4146
The Loco Translate plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘updatehref’ parameter in all versions up to, and including, 2.8.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary w...
CVE-2026-25358
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through 2.8.2...
CVE-2026-33347
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...
@0dotxyz/p0-ts-sdk (>=2.1.1 <=2.2.0-alpha.4), @1stg/app-config (>=4.0.0 <=9.0.1) +2509 more potentially affected by CVE-2026-33532 via yaml (>=2.0.0 <=2.8.2)
yaml NPM version =2.0.0, =2.1.1, =4.0.0, =4.2.0, =6.0.0, =0.0.3, =1.0.0, =7.0.0, =0.1.0-alpha.1, =0.24.1-20230627140514, =0.25.1-20250326172337, =0.24.1-20230627140514, =3.25.5, =3.10.2-20230627150207, =3.14.1-20230608124329, =3.32.1 and more Source cves: CVE-2026-33532 Source advisory:...
EUVD-2026-15679
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through 2.8.2...
CVE-2026-25358
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through 2.8.2...
CVE-2026-25358 WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in rascals Meloo meloo allows Object Injection. This issue affects Meloo: from n/a through 2.8.2...
CVE-2026-25358
The CVE-2026-25358 entry covers a PHP object-injection vulnerability in the WordPress Meloo theme, affecting Meloo versions prior to 2.8.2. Root cause: deserialization of untrusted data could lead to object injection. Impact as stated includes high confidentiality, integrity, and availability con...
PT-2026-27919
Name of the Vulnerable Software and Affected Versions: rascals Meloo versions prior to 2.8.2. Description: An issue exists in rascals Meloo related to the deserialization of untrusted data, which allows for object injection. The deserialization process does not properly validate the incoming data,...
WordPress plugin Meloo code issue vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
UBUNTU-CVE-2026-33347
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...
CVE-2026-33347
Summary: CVE-2026-33347 affects league/commonmark’s Embed extension DomainFilteringAdapter. A missing hostname boundary assertion in the domain-matching regex allows an attacker-controlled domain (e.g., youtube.com.evil) to bypass the allowlist, potentially treating untrusted content as allowed. ...
CVE-2026-33347 league/commonmark has an embed extension allowed_domains bypass
league/commonmark is a PHP Markdown parser. From version 2.3.0 to before version 2.8.2, the DomainFilteringAdapter in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like...
WordPress Meloo theme < 2.8.2 - PHP Object Injection vulnerability
PHP Object Injection vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Meloo versions < 2.8.2...