575776 matches found
CVE-2026-15013
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-15458
CVE-2026-15458 affects the WordPress SEO Booster plugin up to version 7.3.1. The vulnerability is a SQL Injection in the sort_field parameter caused by insufficient escaping and an inadequately prepared SQL query. It requires authenticated access at Administrator level or higher, and could allow ...
CVE-2026-12941
The MultiVendorX plugin for WordPress (WooCommerce Multivendor) ≤ 5.0.9 is vulnerable to a generic SQL Injection via the order_by parameter. Root cause: insufficient escaping of user input and lack of proper query preparation. Attack requires an authenticated user with subscriber-level access; vi...
CVE-2026-12753
The CVE-2026-12753 entry concerns the WordPress plugin “Advance Product Search- Voice & Ajax Search for WooCommerce” and its insecure handling of user input in the parameters 's' and 'match'. Affected versions are up to and including 1.4.4. The root cause is insufficient escaping and lack of prop...
CVE-2026-15336
The CVE describes a vulnerability in the Catch Themes Demo Import plugin for WordPress (versions up to and including 3.3). The root cause is in catch_themes_demo_import_activate_plugin(), which is hooked on admin_init when the activate_plugin parameter is present and calls Plugin_Upgrader::instal...
CVE-2026-13005
The CVE concerns the MxChat – AI Chatbot & Content Generation for WordPress plugin for WordPress. Affected: all versions up to 3.2.10. Vulnerability: Stored Cross-Site Scripting via the intro_message admin setting due to insufficient input sanitization and output escaping. Privileged context: aut...
CVE-2026-1609
CVE-2026-1609 affects Keycloak: when the JWT authorization grant preview feature is enabled and a user is disabled, Keycloak may not validate the user’s disabled status during JWT grant processing. A remote, low-privilege attacker can present an assertion token from an external IdP to obtain a JW...
EUVD-2026-44841
A flaw was found in Keycloak. When the JSON Web Token JWT authorization grant preview feature is enabled and a user account is disabled, Keycloak fails to validate the user’s disabled status during JWT authorization grant processing. A remote attacker with low privileges can exploit this improper...
CVE-2026-3842
CVE-2026-3842 affects QEMU (hyperf/syndbg path) where a missing mapped-length guard after calling cpu_physical_memory_map() enables a local attacker inside a guest VM to perform an out-of-bounds write. The root cause is that cpu_physical_memory_map() can return a shorter length than expected, tri...
CVE-2026-23538
The CVE affects Feast: Feast Feature Server /ws/chat accepts unauthenticated, persistent WebSocket connections. An attacker can open many concurrent connections to exhaust memory, CPU, and file descriptors, causing DoS. Affected software: Feast (Python SDK context cited by SNYK for Feast >=0.1...
EUVD-2026-44838
A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU...
The vulnerability of the Directum RX ECM system, related to deficiencies in access control, allows a perpetrator to compromise data integrity.
The vulnerability of the Directum RX ECM system is related to deficiencies in access control. Exploiting this vulnerability could allow a remote attacker to compromise data integrity...
The vulnerability of the MmMapIoSpace() function in the ThrottleBlood.sys driver allows a hacker to escalate their privileges, execute arbitrary code, or cause a service failure.
The vulnerability of the MmMapIoSpace function in the ThrottleBlood.sys driver, as part of the ThrottleStop utility, is related to open IOCTLs with insufficient access control. Exploiting this vulnerability could allow an attacker to enhance their privileges, execute arbitrary code, or cause...
CVE-2026-54458
CVE-2026-54458 (AVideo YPTSocket XSS) affects WWBN’s AVideo with the YPTSocket plugin (versions prior to 29.0). The vulnerability is an unauthenticated stored DOM XSS: getWebSocket.json.php issues a signed WebSocket token; MessageSQLiteV2::onOpen reads webSocketSelfURI and page_title from the Web...
CVE-2026-55445
Qinglong vulnerability CVE-2026-55445: Before 2.20.1, the init guard in back/loaders/express.ts checked /api/user/init but not /open/user/init. After a subsequent rewrite of /open/* to /api/$1 (post-auth), an unauthenticated attacker could issue PUT /open/user/init to reset the administrator cred...
CVE-2026-55234
Wekan (open source Kanban on Meteor) has a cross-board write flaw in versions before 9.37. The DDP update allow rules in server/permissions/cards.js, server/permissions/lists.js, and server/permissions/swimlanes.js validate only the stored boardId and do not verify a new boardId in the update mod...
CVE-2026-52892
Summary: CVE-2026-52892 affects Wekan, an open‑source Kanban app built on Meteor. Before version 9.32, REST handlers in server/models/customFields.js checked read‑level access (Authentication.checkBoardAccess) for mutating custom-field routes, instead of write‑level access (Authentication.checkBo...
CVE-2026-50182
Summary (CVE-2026-50182) WWBN AVideo (API + YouTubeAPI + Layout plugins) is affected. Versions prior to 29.0 contain an unauthenticated Reflected XSS via the $_GET['search'] parameter used in the YouTubeAPI gallery pagination. The payload is injected into the hrefs of the previous/next page links...
CVE-2026-62361
CVE-2026-62361 affects listmonk prior to version 6.2.0. The vulnerability arises in the GET /api/subscribers/export endpoint, which injects a user-controlled query parameter into QuerySubscribersForExport without calling validateQueryTables, unlike GET /api/subscribers. An authenticated user with...
CVE-2026-62312
CVE-2026-62312 affects 9Router, an AI router & token saver. Before v0.5.2, an authenticated remote attacker can achieve arbitrary code execution on the host by abusing a Host header bypass of localhost-only routes in combination with unvalidated MCP plugin arguments passed to child_process.spawn(...