Attackers Actively Exploiting Critical Vulnerability in Burst Statistics Plugin

On May 13th, 2026, we publicly disclosed a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with 200,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, with knowledge of an administrator username, to impersonate that...

Osclass Security Advisory 3.4.1 - Local File Inclusion

A directory traversal vulnerability in OSClass before 3.4.2 allows remote attackers to read arbitrary files via a .. dot dot in the file parameter in a render action to oc-admin/index.php. id: CVE-2014-6308 info: name: Osclass Security Advisory 3.4.1 - Local File Inclusion author: daffainfo...

CVE-2026-43618

Rsync version 3.4.2 and prior contain an integer overflow vulnerability in the compressed-token decoder where a 32-bit signed counter is not checked for overflow, allowing a malicious sender to trigger an overflow that causes the receiver process to read and return data from outside the intended...

net/rsync -- multiple vulnerabilities

The rsync project reports: Six CVEs are fixed in this release. All six are assigned by VulnCheck as CNA. Affected versions are 3.4.2 and earlier in every case. In addition to the six CVE fixes, this release adds defence-in-depth hardening on several adjacent paths: bounded wire-supplied counts an...

Improper Removal of Sensitive Information Before Storage or Transfer

Overview Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the HideSecretData function that fails to mask predictedLive argument for --server-side-diff command. An attacker can extract last-applied-configuration which may...

EUVD-2026-30768

A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation causes use of weak hash. Remote exploitation of the attack is possible. The attack is considered to...

CVE-2026-8802

A vulnerability was detected in opensourcepos Open Source Point of Sale up to 3.4.2. This issue affects the function getPicThumb of the file app/Controllers/Items.php. The manipulation of the argument picfilename results in path traversal. The attack may be launched remotely. The patch is...

Open Source Point of Sale 加密问题漏洞

Open Source Point of Sale is an open-source sales point system based on the Open Source Point of Sale framework. Versions of Open Source Point of Sale 3.4.2 and earlier had encryption-related vulnerabilities. These vulnerabilities stemmed from a function in the Employee Login component called...

Exploit for CVE-2026-8181

CVE-2026-8181 — Burst Statistics Authentication Bypass to Admi...

200,000 WordPress Sites at Risk from Critical Authentication Bypass Vulnerability in Burst Statistics Plugin

On May 8, 2026, PRISM, Wordfence Threat Intelligence’s autonomous vulnerability research platform, discovered a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with more than 200,000 active installations. The vulnerability was introduced in the code on April 2...

Security Bulletin: IBM Quantum Safe Remediator is affected by multiple vulnerabilities

Summary The vulnerabilities are found in the dependent open source libraries used in IBM Quantum Safe Remediator code base. IBM Quantum Safe Remediator has addressed these vulnerabilities by updating the libraries versions. Vulnerability Details CVEID:CVE-2026-33228 DESCRIPTION: flatted is a...

PT-2026-36931

Name of the Vulnerable Software and Affected Versions CodeCanyon Perfex CRM versions prior to 3.4.2 Description An authorization bypass exists in the Tenant Handler component within the Clients::project function of the application/controllers/Clients.php file. A remote attacker can exploit this b...

PT-2026-36932

Name of the Vulnerable Software and Affected Versions CodeCanyon Perfex CRM versions prior to 3.4.2 Description A flaw in the Admin Kanban Endpoint allows for remote SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution. The issue exists...

CVE-2026-4090 Inquiry cart <= 3.4.2 - Cross-Site Request Forgery via Settings Form

The Inquiry Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.4.2. This is due to missing nonce verification in the rdicsettingspage function when processing settings form submissions. This makes it possible for unauthenticated attackers...

EUVD-2026-20172

Missing Authorization vulnerability in Jordy Meow AI Engine Pro ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine Pro: from n/a through 3.4.2...

CVE-2026-39506

Missing Authorization vulnerability in Jordy Meow AI Engine Pro ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine Pro: from n/a through 3.4.2...

WordPress plugin AI Engine (Pro) 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...

PT-2026-31135

Missing Authorization vulnerability in Jordy Meow AI Engine Pro ai-engine-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI Engine Pro: from n/a through 3.4.2...

PT-2026-30586

Name of the Vulnerable Software and Affected Versions SDL image affected versions not specified Description The SDL image library has an issue where pixel index values from decoded XCF tile data are used directly as colormap indices without validation against the colormap size. A crafted .xcf fil...

CLEANSTART-2026-SY28275 Security fixes for CVE-2025-0913, CVE-2025-4673, CVE-2025-47907, CVE-2026-24051, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27142, CVE-2026-33186, ghsa-2464-8j7c-4cjm, ghsa-9h8m-3fm2-qjrq, ghsa-fw7p-63qq-7hpr, ghsa-p77j-4mvh-x3m3 applied in versions: 3.3.2-r0, 3.3.3-r3, 3.3.3-r4, 3.4.2-r0

Multiple security vulnerabilities affect the kyverno-policy-reporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...