2550 matches found
Formidable Form Builder < 2.05.03 - Unauthenticated Information Disclosure
The Formidable Form Builder plugin for WordPress is vulnerable to Sensitive Data Exposure in versions up to, and including, 2.05.03 via the frmformspreview AJAX action. This makes it possible for unauthenticated attackers to export all of the form entries for a given form. id: CVE-2017-20194 info...
CVE-2026-45313 Sandboxie-Plus: Sandboxie APC Injection Sandbox Escape
Sandboxie-Plus is an open source sandbox-based isolation software for Windows. Prior to 1.17.6, GuiServer::WndHookRegisterSlave in Sandboxie/core/svc/GuiServer.cpp stores attacker-supplied hthread and hproc fields from a GUIWNDHOOKREGISTER request without validating that the thread belongs to the...
CVE-2026-49853
Tornado before 6.5.6 exposed an Authorization header across cross-origin redirects in SimpleAsyncHTTPClient: when following 3xx redirects, the client shallow-copies the request and rewrites the URL without clearing Authorization (and related) headers if the origin changes. The issue is fixed in T...
CVE-2026-62392
CVE-2026-62392 is an OS Command Injection vulnerability in Apache Kylin, affecting versions 4 through 5.0.3. The issue arises when the backend API may pass job configuration parameters to the OS command line, allowing potentially unauthorized command execution. The vulnerability is rated with hig...
kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
A flaw was found in the Linux kernel's Asynchronous Transfer Mode ATM networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading...
kernel: net: atm: fix crash due to unvalidated vcc pointer in sigd_send()
A flaw was found in the Linux kernel's Asynchronous Transfer Mode ATM networking component. A local attacker, by acting as a malicious signaling daemon, could send a specially crafted message containing an unvalidated pointer. This unvalidated pointer would be directly used by the kernel, leading...
CVE-2026-12103
The Wallet for WooCommerce plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.6.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...
CVE-2026-12103
CVE-2026-12103 affects the Wallet for WooCommerce WordPress plugin (
CVE-2026-3552
The SurfLink - Ultimate Link Manager plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the ajaximport410 function in all versions up to 2.6.0. This is due to a missing capability check currentusercan and missing nonce verification...
EUVD-2026-43134
The AI Chatbot & Workflow Automation by AIWU plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.12. This is due to missing capability checks and nonce verification on AJAX actions registered under both wpajax and wpajaxnopriv hooks, as the base...
PT-2026-57398
Name of the Vulnerable Software and Affected Versions AI Chatbot & Workflow Automation by AIWU versions prior to 1.4.13 Description The plugin contains a missing authorization flaw resulting from the absence of capability checks and nonce verification on AJAX actions registered under wp ajax and ...
CVE-2026-22660 FlaskBB Logic Flaw Authorization Group Deletion via Bulk AJAX Endpoint
FlaskBB through 2.2.0, fixed in commit a5da9a5, contains a logic flaw vulnerability that allows authenticated administrators to delete all built-in authorization groups by exploiting a type mismatch in the bulk delete protection check. The bulk AJAX endpoint in the management views compares...
CVE-2026-9857 Invoice123 <= 1.7.0 - Missing Authorization to Authenticated (Subscriber+) Setting Modification via s123_submit_api_key & s123_submit_invoice_settings AJAX actions
The Invoice123 plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 1.7.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2026-1946
The GW AI Website Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the gwaiwebugravitywritedisconnecthandler function in all versions up to, and including, 1.0.1. This makes it possible for authenticated attackers, with...
CVE-2026-9838 ICS Calendar <= 12.0.9 - Reflected Cross-Site Scripting via 'htmltagtitle' Parameter
The ICS Calendar plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'htmltagtitle' parameter in all versions up to, and including, 12.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary...
CVE-2026-12276 LA-Studio Element Kit for Elementor < 1.6.1 - Unauthenticated Open Registration
The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has...
[SECURITY] Fedora 44 Update: c-ares-1.34.7-1.fc44
c-ares is a C library that performs DNS requests and name resolves asynchronously. c-ares is a fork of the library named 'ares', written by Greg Hudson at MIT...
EUVD-2026-42161
The Widget Logic Visual plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.52 via the widgetlogicvisualcheckvisibility function. This is due to missing capability check and nonce verification on the widget-logic-update-conditional-tags AJAX action...
CVE-2026-25271
Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use...
EUVD-2026-41933
Memory Corruption when processing asynchronous input parameters due to improper handling of modified values between check and use...