CVE-2026-11776

The CVE covers the WordPress plugin Form Maker by 10Web (Mobile‑Friendly Drag & Drop Contact Form Builder). The vulnerability is a generic SQL Injection in the handling of the groupids parameter, in all versions up to and including 1.15.43, due to insufficient escaping of user input and lack of p...

CVE-2026-11777

Form Maker by 10Web (WordPress) 導插件 Form Maker, versions up to 1.15.43, is vulnerable to a generic SQL Injection via the name parameter due to insufficient escaping and lack of prepared statements. The vulnerability allows an authenticated attacker with administrator-level access to append additi...

CVE-2026-9860 Offload, AI & Optimize with Cloudflare Images <= 1.10.2 - Authenticated (Author+) Remote Code Execution via 'api-key' / 'account-id' Parameters in cf_images_do_setup AJAX Action

The Offload, AI & Optimize with Cloudflare Images plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1.10.2 via the 'account-id' parameter parameter. This is due to insufficient privilege enforcement on the cfimagesdosetup AJAX handler, which require...

CVE-2026-11777 Form Maker by 10Web <= 1.15.43 - Authenticated (Administrator+) SQL Injection via 'name' Parameter

The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to generic SQL Injection via the 'name' parameter in all versions up to, and including, 1.15.43 due to insufficient escaping on the user supplied parameter and lack of sufficient...

CVE-2026-12407 E2Pdf <= 1.32.26 - Missing Authorization to Authenticated (Custom+) Arbitrary Option Update / Privilege Escalation via 'screen_action' Parameter

The E2Pdf – Export Pdf Tool for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 1.32.26. This is due to the screenaction function lacking a dedicated capability check and nonce verification — when invoked via the ?action=screen routing path...

CVE-2026-10023

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

CVE-2026-10023 Dokan: AI Powered WooCommerce Multivendor Marketplace Solution <= 5.0.3 - Insecure Direct Object Reference to Authenticated (Custom+) Arbitrary Order Modification via Multiple AJAX Handlers

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.0.3 via the changeorderstatus, addordernote, deleteordernote,...

CVE-2026-10023

Dok an: AI Powered WooCommerce Marketplace Solution

EUVD-2026-37803

In SignalRGB versions prior to 1.3.7.0, the \.\SignalIo device object is created without an explicit SDDL security descriptor and without FILEDEVICESECUREOPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issu...

PT-2026-50704

Name of the Vulnerable Software and Affected Versions GAO Electronic Protest Docketing System EPDS affected versions not specified CBCA Electronic Docketing System EDS affected versions not specified Description The U.S. Government Accountability Office GAO Electronic Protest Docketing System EPD...

PT-2026-50661

Name of the Vulnerable Software and Affected Versions MCP Toolbox for Databases affected versions not specified Description An authenticated authorization bypass occurs due to missing scope enforcement in older protocol handlers. While the 2025-11-25 protocol version handler correctly enforces...

Linux Distros Unpatched Vulnerability : CVE-2026-12528

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in 389 Directory Server in the aclpnormalizeacltxt function of aclparse.c. A malformed ACI Access Control Instruction string can trigger...

PT-2026-50797

Name of the Vulnerable Software and Affected Versions Hashgraph Guardian versions prior to 3.5.0 commit ba8c566 Description A stored cross-site scripting issue exists where authenticated users with the STANDARD REGISTRY role can inject malicious scripts. This occurs by submitting a crafted...

Devolutions Remote Desktop Manager <= 2026.2.7 Command Injection (DEVO-2026-0018)(CVE-2026-12161)

The version of Devolutions Remote Desktop Manager installed on the remote host is 2025.2.7 or earlier. It is, therefore, affected by a command injection vulnerability: - Improper input validation in the SSH Elevate Shell feature in Devolutions Remote Desktop Manager 2026.2.7 allows an authenticat...

PT-2026-50790

Name of the Vulnerable Software and Affected Versions deepstream versions prior to 10.0.5 Description A Prototype Pollution issue exists in the server, which allows clients and backend services to synchronize data, send messages, and make remote procedure calls RPCs at scale. Prototype Pollution...

Devolutions Server <= 2026.1.21 / 2026.2.0 <= 2026.2.5 Multiple Vulnerabilities (DEVO-2026-0017)

The version of Devolutions Server installed on the remote host is prior or equal to 2026.1.21 or 2026.2.0 prior or equal to 2026.2.5. It is, therefore, affected by multiple vulnerabilities, including: - Improper access control in PAM account discovery results in Devolutions Server 2026.2.5,...

CVE-2026-9678

A flaw was found in Undici. The cache interceptor in shared-cache mode incorrectly classifies certain responses as cacheable due to improper handling of whitespace-padded Cache-Control header field names. This vulnerability allows an unauthenticated attacker to access authenticated user data from...

CVE-2026-48759

TypeBot is a chatbot builder tool. Versions 3.15.2 and below have an Insecure Direct Object Reference vulnerability through cross-workspace Theme Template modification and deletion. The handleSaveThemeTemplate and handleDeleteThemeTemplate handlers validate that the authenticated user is a...

CVE-2026-8049

In SignalRGB versions prior to 1.3.7.0, the \.\SignalIo device object is created without an explicit SDDL security descriptor and without FILEDEVICESECUREOPEN. This results in overly permissive default access control, allowing any authenticated local user to obtain a handle to the device and issu...

CVE-2026-49133

Typemill before 2.24.0 contains a path traversal vulnerability that allows authenticated attackers with Author-level privileges to read arbitrary files outside the content directory by supplying traversal sequences in the path query parameter passed to Storage::getFile with an empty folder...