CVE-2026-9710 Themeco Cornerstone < 7.8.8 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Password Hash Disclosure

The Cornerstone WordPress plugin before 7.8.8 does not enforce capability checks on one of its CSS-preview request handlers, and exposes the nonce needed to call it to every logged-in user on any wp-admin page, allowing any authenticated user to evaluate dynamic content tokens against arbitrary...

CVE-2026-46748

A vulnerability has been identified in SINEC INS All versions V1.0 SP2 Update 6. The affected system includes a binary that is configured with the capdacoverride capability. This capability allows the process to bypass file system permission checks, resulting in unrestricted file system access...

CVE-2026-46748

A vulnerability has been identified in SINEC INS All versions V1.0 SP2 Update 6. The affected system includes a binary that is configured with the capdacoverride capability. This capability allows the process to bypass file system permission checks, resulting in unrestricted file system access...

CVE-2026-44475

CVE-2026-44475 affects Ella Core (private 5G core). Prior to version 1.10.0, the PathSwitchRequest handling does not verify UE Security Capabilities against locally stored values, allowing a malicious gNB to overwrite a UE’s security capabilities with arbitrary values via a crafted PathSwitchRequ...

CVE-2026-8832 WPCode <= 2.3.5 - Authenticated (Author+) Remote Code Execution via CPT Capability Bypass via XML-RPC wp.newPost

The WPCode - Insert Headers and Footers + Custom Code Snippets - WordPress Code Manager plugin for WordPress is vulnerable to Remote Code Execution in versions up to, and including, 2.3.5 This is due to the 'wpcode' custom post type being registered without a custom capabilitytype or capability...

EUVD-2026-23358

The Kubio plugin for WordPress is vulnerable to Arbitrary File Upload in versions up to and including 2.7.2. This is due to insufficient capability checks in the kubiorestpreinsertimportassets function, which is hooked to the restpreinsertposttype filter for posts, pages, templates, and template...

CVE-2026-1992

The ExactMetrics – Google Analytics Dashboard for WordPress plugin is vulnerable to Insecure Direct Object Reference in versions 8.6.0 through 9.0.2. This is due to the storesettings method in the ExactMetricsOnboarding class accepting a user-supplied triggeredby parameter that is used instead of...

CVE-2025-14386

The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generatessourl' and 'validatessotoken' functions in versions 2.4.4 to 2.5.12. This makes it...

EUVD-2012-2346

Malware in sbrugna...

EUVD-2012-5399

Malware in sbrugna...

EUVD-2013-0296

Malware in sbrugna...

EUVD-2022-2237

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2022-0985

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Insufficient capability checks could allow users with the moodle/site:uploadusers capability to delete users, without having the necessary moodle/user:delete...

CVE-2025-6366

The Event List plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 2.0.4. This is due to the plugin not properly validating a user's capabilities prior to updating their profile in the elupdateprofile function. This makes it possible for authenticated...

CVE-2025-25500

An issue in CosmWasm prior to v2.2.0 allows attackers to bypass capability restrictions in blockchains by exploiting a lack of runtime capability validation. This allows attackers to deploy a contract without capability enforcement, and execute unauthorized actions on the blockchain...

CVE-2024-6621

The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wprssactivatefeedsource' and 'wprsspausefeedsource' functions in all versions up to, and including, 4.23.11...

PT-2024-15071 · WordPress · Wp Customer Area

Name of the Vulnerable Software and Affected Versions: WP Customer Area WordPress plugin versions prior to 8.2.1 Description: The issue arises from the plugin not properly validating users' capabilities in some of its AJAX actions. This allows malicious users to edit other users' account addresse...

SUSE CVE-2010-0007

net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAPNETADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traff...

CVE-2017-17092

wp-includes/functions.php in WordPress before 4.9.1 does not require the unfilteredhtml capability for upload of .js files, which might allow remote attackers to conduct XSS attacks via a crafted file...

Capability Bypass

Moodle is vulnerable to capability bypass. Authenticated attackers can bypass the mod/lti:view capability because it is only checked at a course level rather than the activity level...