CVE-2026-6222 Forminator Forms <= 1.51.1 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Disclosure via 'forminator_action' Parameter

The Forminator Forms plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 1.51.1. This is due to the processRequest method in ForminatorAdminModuleEditPage admin/abstracts/class-admin-module-edit-page.php dispatching sensitive module-management actions —...

CVE-2026-35614

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

CVE-2026-39374 Plane IDOR: Cross-Project Issue Date Modification via Bulk Update Endpoint

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the startdate and targetdate of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

CVE-2026-39374

The CVE describes an IDOR-style flaw in Plane (open‑source project management tool) prior to version 1.3.0. The IssueBulkUpdateDateEndpoint lets a project member with ADMIN/MEMBER privileges modify start_date and target_date of ANY issue across the entire instance by fetching issues by ID without...

CVE-2026-35614

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

CVE-2026-35614

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

CVE-2026-35614 Frappe has a SQL injection in bulk_update

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

CVE-2026-35614 Frappe has a SQL injection in bulk_update

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

CVE-2026-35614

Frappe framework (full‑stack web app) contains a SQL injection in bulk_update prior to 16.14.0 and 15.104.0. The issue is fixed in 16.14.0 and 15.104.0. Patching affected installations to these versions or newer is recommended. The CVSS details in the record indicate high impact to confidentialit...

EUVD-2026-19792

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulkupdate. This vulnerability is fixed in 16.14.0 and 15.104.0...

PT-2026-31005

Plane is an an open-source project management tool. Prior to 1.3.0, the IssueBulkUpdateDateEndpoint allows a project member ADMIN or MEMBER to modify the start date and target date of ANY issue across the entire Plane instance, regardless of workspace or project membership. The endpoint fetches...

PT-2026-30922

Frappe is a full-stack web application framework. Prior to 16.14.0 and 15.104.0, Frappe has a SQL injection in bulk update. This vulnerability is fixed in 16.14.0 and 15.104.0...

Plane 安全漏洞

Plane is an open-source, self-hosted project planning tool developed by Plane OpenSource. Versions of Plane prior to 1.3.0 contained security vulnerabilities. These vulnerabilities stemmed from a lack of workspace or project filtering in the IssueBulkUpdateDateEndpoint, which could lead to...

Frappe SQL注入漏洞

Frappe is a web development framework based on Python and Mariadb, with integrated front-end pages, developed by the Indian company Frappe. Versions of Frappe prior to 16.14.0 and 15.104.0 have a SQL injection vulnerability. This vulnerability stems from the bulkupdate function, which has an SQL...

WordPress Set Bulk Post Categories plugin <= 1.1 - Cross-Site Request Forgery to Bulk Post Category Update vulnerability

Cross-Site Request Forgery to Bulk Post Category Update vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin Set Bulk Post Categories versions = 1.1...

CVE-2025-13093

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...

EUVD-2025-203217

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...

CVE-2025-13093

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...

CVE-2025-13093 Devs CRM – Manage tasks, attendance and teams all together <= 1.1.8 - Missing Authorization to Unauthenticated Lead Tag Update

The Devs CRM – Manage tasks, attendance and teams all together plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the '/wp-json/devs-crm/v1/bulk-update' REST-API endpoint in all versions up to, and including, 1.1.8. This makes it possible...