BIT-KIBANA-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana...

BIT-ELK-2026-33462 Path Traversal in Kibana Leading to Unauthorized Deletion of User Accounts

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana...

CVE-2026-33462

A path traversal vulnerability was identified in Kibana's dashboard management functionality. An authenticated user with limited permissions could create a dashboard with a specially crafted identifier. When an administrator subsequently attempts to delete this dashboard through the Kibana...

EUVD-2026-32737

The Easy Updates Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'paged' parameter in versions up to, and including, 9.0.20 This is due to insufficient input sanitization and output escaping in the pagination function. This makes it possible for attackers to...

PT-2026-44210

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the peachpay stri...

PT-2026-43574

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2026-6864

The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

PT-2026-42537

Concrete CMS 9.5.0 and below does not validate a CSRF token before processing requests to /dashboard/extend/update/do update/. The do update method in concrete/controllers/single page/dashboard/extend/update.php checks only canInstallPackages before executing upgradeCoreData and upgrade on the...

CVE-2026-7437

The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the editposhidden parameter in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...

EUVD-2026-27203

The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settingspagebuild function. This makes it possible for unauthenticated attackers to trick a logged-in...

CVE-2026-2737

A vulnerability exists in Progress Flowmon versions prior to 12.5.8 and 13.0.6, whereby an administrator who clicks a malicious link provided by an attacker may inadvertently trigger unintended actions within their authenticated web session...

EUVD-2026-14181

The loginregister plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the...

PT-2026-26811

The login register plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.2.0. This is due to missing nonce validation on the settings page and insufficient input sanitization and output escaping on the 'login regist...

EUVD-2025-208367

An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered...

PT-2026-24029

An administrator may attempt to block all networks by specifying "" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. Instead, they are silently interpreted as network 0 which results in no networks being blocked at all...

CVE-2025-15376 Stopwords for comments <= 1.1 - Missing Authorization to Cross-Site Request Forgery

The Stopwords for comments plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the 'setstopwordsforcomments' and 'deletestopwordsforcomments' functions. This makes it possible for unauthenticated...

P5 FNIP-8x16A 跨站请求伪造漏洞

The P5 FNIP-8x16A is an Ethernet relay controller from P5 UK. A cross-site request forgery vulnerability exists in the P5 FNIP-8x16A version 1.0.20, which stems from susceptibility to a cross-site request forgery attack that could result in performing administrative operations such as adding an...

OpenBMCS 跨站请求伪造漏洞

OpenBMCS is a building management and control system from OpenBMCS Australia. A cross-site request forgery vulnerability exists in OpenBMCS version 2.4, which stems from a cross-site request forgery issue in the sendFeedback.php endpoint that could lead to the execution of an administrator action...

CVE-2025-12578

The Reuters Direct plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.0.0. This is due to missing or incorrect nonce validation on the the 'class-reuters-direct-settings.php' page. This makes it possible for unauthenticated attackers to reset...

EUVD-2025-60950

The YSlider plugin for WordPress is vulnerable to Cross-Site Request Forgery to Stored Cross-Site Scripting in all versions up to, and including, 1.1. This is due to missing nonce verification on the content configuration page and insufficient input sanitization and output escaping. This makes it...