CVE-2026-10216

A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched...

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

CVE-2026-42220

Nginx UI (nginx-ui) prior to version 2.3.8 exposes a vulnerability where an authenticated user can call GET /api/settings to retrieve sensitive values, including node.secret. The node.secret is accepted by AuthRequired() via the X-Node-Secret header (or node_secret query parameter), allowing the ...

Breaking the code: Multi-stage ‘code of conduct’ phishing campaign leads to AiTM token compromise

In this article 1. Multi-step social engineering campaign leading to credential theft 2. Mitigation and protection guidance 3. Microsoft Defender detections 4. Hunting queries 5. Indicators of compromise Phishing campaigns continue to improve sophistication and refinement in blending social...

CVE-2026-41232

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

CVE-2026-3614

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wpajaxacymailingrouter AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2026-5465

The Booking for Appointments and Events Calendar – Amelia plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.1.3. This is due to the UpdateProviderCommandHandler failing to validate changes to the externalId field when a Provider Employe...

CVE-2026-25406

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through = 3.9.4...

CVE-2026-32497

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...

EUVD-2026-15843

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...

EUVD-2026-15717

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through = 3.9.4...

EUVD-2026-15677

Authentication Bypass Using an Alternate Path or Channel vulnerability in azzaroco Ultimate Membership Pro indeed-membership-pro allows Authentication Abuse.This issue affects Ultimate Membership Pro: from n/a through = 13.7...

EUVD-2026-15635

Authentication Bypass Using an Alternate Path or Channel vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Authentication Abuse.This issue affects Contest Gallery: from n/a through = 28.1.2.2...

EUVD-2026-15610

Authentication Bypass Using an Alternate Path or Channel vulnerability in ThimPress LearnPress Sepay Payment learnpress-sepay-payment allows Authentication Abuse.This issue affects LearnPress Sepay Payment: from n/a through = 4.0.0...

EUVD-2026-15555

Authentication Bypass Using an Alternate Path or Channel vulnerability in Dokan, Inc. Dokan dokan-lite allows Authentication Abuse.This issue affects Dokan: from n/a through = 4.2.4...

CVE-2026-32497

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...

CVE-2026-27049

Authentication Bypass Using an Alternate Path or Channel vulnerability in NooTheme Jobica Core jobica-core allows Authentication Abuse.This issue affects Jobica Core: from n/a through = 1.4.2...

CVE-2026-25406

Authentication Bypass Using an Alternate Path or Channel vulnerability in Themeum Tutor LMS Pro tutor-pro allows Authentication Abuse.This issue affects Tutor LMS Pro: from n/a through = 3.9.4...

CVE-2026-32497 WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through = 2.0.45...

CVE-2026-32497

CVE-2026-32497 affects the WordPress plugin User Verification . The vulnerability is a weak authentication issue that enables authentication abuse via an email verification bypass in versions up to and including 2.0.45 (range: n/a through 2.0.45). Multiple sources corroborate the flaw and list th...