CVE-2026-11614

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customattributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2026-11614 Xpro Addons <= 1.7.2 - Authenticated (Author+) Stored Cross-Site Scripting via 'custom_attributes' Parameter of Multiple Widgets

The Xpro Addons — 140+ Widgets for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'customattributes' parameter in all versions up to, and including, 1.7.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated...

CVE-2026-11614

Technical details (affected versions, root cause, exploit specifics) are not publicly available in the provided documents. Monitor for updates.

PT-2026-52122

Name of the Vulnerable Software and Affected Versions ATEN Unizon affected versions not specified Description A directory traversal flaw exists in the uploadSSL method, where the system fails to properly validate user-supplied paths before performing file operations. This allows authenticated...

CVE-2026-47385

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration creat...

CVE-2026-46553

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NCATTACHMENTFIELDSIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured...

CVE-2026-23513

FOSSBilling is a free, open-source billing and client management system. In versions 0.7.2 and prior, a query-construction flaw in client list endpoints allowed authenticated clients to bypass tenant scoping and retrieve other clients’ data. Details In ServiceTransaction::getSearchQuery and...

CVE-2026-11807

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...

CVE-2026-56120

Affected software: OpenRemote before 1.25.0.Vulnerability: insecure direct object reference (IDOR) in the bulk alarm deletion endpoint.Root cause: removeAlarms() in AlarmResourceImpl.java omits realm-scoping validation in the JPA query, enabling any user with alarm-write permissions to enumerate ...

CVE-2026-46548

NocoDB (CVE-2026-46548 ) exhibits an SSRF protection bypass in the notification webhook plugins for Slack, Discord, Mattermost, and Teams. Root cause: in the affected code paths, the httpAgent/httpsAgent were incorrectly placed in the request body of axios.post instead of the config argument, all...

CVE-2026-46553

CVE-2026-46553 affects NocoDB prior to 2026.04.1, where the upload-by-URL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote file’s Content-Length or the decoded length of a data: URI. This allowed an authenticated user with upload permissions to bypass the configured per-file size ...

CVE-2026-46553 NocoDB: Attachment Size Limit Bypass via Upload-by-URL

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the upload-by-URL path did not enforce NCATTACHMENTFIELDSIZE against either the remote file's advertised Content-Length or the decoded length of a data: URI, allowing an authenticated user to bypass the configured...

CVE-2026-46551 NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion

NocoDB is software for building databases as spreadsheets. Prior to 2026.04.4, the uploadViaURL path in the v1/v2 attachment API did not enforce NCATTACHMENTFIELDSIZE against the remote content-length or against the response stream. An authenticated user Editor+ could direct the server to downloa...

CVE-2026-46551

CVE-2026-46551 affects NocoDB’s v1/v2 attachment API upload-by-url. Before 2026.04.4, the uploadViaURL path did not enforce NC_ATTACHMENT_FIELD_SIZE against the remote content-length or response stream. The HEAD probe read content-length but wasn’t compared to the limit, and storageAdapter.fileCr...

CVE-2026-47383

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated commenter could store HTML in row comments that executed as script when other users hovered over the comment in the expanded form view. The comment write paths persisted the raw comment body with no...

CVE-2026-47385 NocoDB: Path Traversal via SQLite Source Filename

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, an authenticated user with base-create permission can attach a SQLite source pointing at an arbitrary file on the NocoDB host, including NocoDB's own internal databases. The SQLite client and the base/integration creat...

CVE-2025-64105 FOSSBilling: IDOR Vulnerability in Support Ticket Creation

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

CVE-2025-64105

FOSSBilling is a billing and client management system that automates invoicing, payments, and communication for online service businesses. Versions 0.6.21 through 0.7.2 are vulnerable to IDOR through the support ticket creation workflow. By manipulating relid when reltype=order, an authenticated...

CVE-2026-53929

NocoDB (pre-2026.05.1) is affected by a Stored Cross-Site Scripting vulnerability when NC_SECURE_ATTACHMENTS=true. An authenticated uploader could deliver .html or .svg attachments that the browser renders inline from the NocoDB origin due to a header-key casing mismatch (ResponseContentDispositi...

CVE-2026-11807

A missing authorization vulnerability was found in the Event-Driven Ansible EDA websocket API. The /api/eda/ws/ansible-rulebook endpoint does not verify user permissions when processing Worker messages. Any authenticated user can send a forged message with an arbitrary activationid to receive...