
61233 matches found

EUVD
added 6 days ago, 6 views

EUVD-2026-38674

The SearchPlus plugin for WordPress is vulnerable to unauthorized modification and deletion of data in versions up to, and including, 1.7.1. This is due to a missing capability check and missing nonce validation on the searchplussavetokenactioncallback and searchplusresettokenactioncallback...

CVSS 5.3, AI score 5.9, EPSS 0.00228
Exploits: 0, References: 5
EUVD
added 6 days ago, 8 views

EUVD-2026-38673

The 24liveblog - live blog tool plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the updatelb24token AJAX function in versions up to, and including, 2.2. The handler only verifies the 'lb24' nonce which is generated and localized to any...

CVSS 4.3, AI score 5.9, EPSS 0.00215
Exploits: 0, References: 6
EUVD
added 6 days ago, 7 views

EUVD-2026-38668

The Assistio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check and missing nonce verification on the assistioplugindeleteassistiosettings function in versions up to, and including, 1.1.2. This makes it possible for authenticated attackers,...

CVSS 4.3, AI score 5.9, EPSS 0.00238
Exploits: 0, References: 3
CVE
added 6 days ago, 5 views

CVE-2026-12094

The CVE describes a vulnerability in the Advanced Contact Form 7 - Compact DB plugin for WordPress (versions delete() on the wp_cf7cdb_data table, using an attacker-supplied integer ID. This allows unauthenticated attackers to delete arbitrary contact form submission entries by enumerating primar...

CVSS 5.3, AI score 6, EPSS 0.00295
Exploits: 0, References: 4
EUVD
added 6 days ago, 7 views

EUVD-2026-38661

The WP Forms Connector plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the /wp-json/wp/v3/post/list REST endpoint in versions up to and including 1.8. This is due to insufficient escaping on the user-supplied 'order' parameter read directly from $_GET['order'] into...

CVSS 7.5, AI score 5.9, EPSS 0.00376
Exploits: 0, References: 4
NVD
added 6 days ago, 7 views

CVE-2026-5818

Incorrect check of function return value in Caliptra Core Runtime Firmware ActivateFirmwareCmd::activatefw modules allows bypass of Caliptra Core's verification of the MCU FW during a hitless update. This issue affects Core Runtime Firmware: from 2.0.0 through 2.0.1, 2.1.0...

CVSS 7.2, EPSS 0.00155
Exploits: 0, References: 1
Positive Technologies
added 6 days ago, 8 views

PT-2026-51681

Name of the Vulnerable Software and Affected Versions SearchPlus versions prior to 1.7.2 Description The SearchPlus plugin for WordPress allows unauthenticated users to modify or delete stored data. This occurs because the searchplus save token action callback and searchplus reset token action...

CVSS 5.3, AI score 5.9, EPSS 0.00228
Exploits: 0, References: 7
Positive Technologies
added 6 days ago, 7 views

PT-2026-51795

Name of the Vulnerable Software and Affected Versions Jenkins GitHub Branch Source Plugin versions prior to 1967.1969.v205fd594c821 Description A missing permission check allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin...

CVSS 4.3, AI score 5.8, EPSS 0.00216
Exploits: 0, References: 4
Positive Technologies
added 6 days ago, 6 views

PT-2026-52106

Name of the Vulnerable Software and Affected Versions chrome-devtools-mcp versions 0.24.0 through 1.0.9 Description A workspace-boundary bypass exists because the McpContext.validatePath function fails to canonicalize symbolic links when checking if a path falls under configured root paths. This...

CVSS 6.1, AI score 5.8, EPSS 0.00087
Exploits: 1, References: 5
Positive Technologies
added 6 days ago, 14 views

PT-2026-51680

Name of the Vulnerable Software and Affected Versions Assistio versions prior to 1.1.3 Description The Assistio plugin for WordPress allows authenticated users with Subscriber-level access and above to perform unauthorized data modification. This occurs because the assistio plugin delete assistio...

CVSS 4.3, AI score 5.8, EPSS 0.00238
Exploits: 0, References: 5
Positive Technologies
added 6 days ago, 11 views

PT-2026-52118

Name of the Vulnerable Software and Affected Versions Rocket.Chat versions prior to 8.5.1 Rocket.Chat versions prior to 8.4.4 Rocket.Chat versions prior to 8.3.6 Rocket.Chat versions prior to 8.2.6 Rocket.Chat versions prior to 8.1.6 Rocket.Chat versions prior to 8.0.7 Rocket.Chat versions prior ...

CVSS 8.1, AI score 5.9, EPSS 0.00323
Exploits: 0, References: 3
Positive Technologies
added 6 days ago, 9 views

PT-2026-51675

Name of the Vulnerable Software and Affected Versions SignUp & SignIn plugin for WordPress versions prior to 1.0.1 Description The SignUp & SignIn plugin for WordPress contains an authentication bypass that allows unauthenticated attackers to take over any account, including administrator account...

CVSS 9.8, AI score 5.9, EPSS 0.00454
Exploits: 1, References: 13
Positive Technologies
added 6 days ago, 8 views

PT-2026-51693

Name of the Vulnerable Software and Affected Versions WP Forms Connector versions prior to 1.9 Description An issue exists where unauthenticated attackers can execute additional SQL queries to extract sensitive information from the database. This occurs via the /wp-json/wp/v3/post/list REST...

CVSS 7.5, AI score 5.9, EPSS 0.00376
Exploits: 0, References: 6
Positive Technologies
added 6 days ago, 10 views

PT-2026-51814

Name of the Vulnerable Software and Affected Versions Jenkins Assembla Plugin versions prior to 1.5 Description A missing permission check allows users with Overall/Read permission to force the system to connect to an arbitrary URL using a specified username and password. Recommendations Update...

CVSS 5.4, AI score 5.9, EPSS 0.00161
Exploits: 0, References: 3
Positive Technologies
added 6 days ago, 8 views

PT-2026-52084

Name of the Vulnerable Software and Affected Versions Gogs versions prior to 0.14.4 Description An authenticated user can watch a private repository without having the necessary access permissions. This occurs because the access check in the Watch API handler is inverted, specifically within the...

CVSS 4.3, AI score 5.8, EPSS 0.00168
Exploits: 0, References: 8
Positive Technologies
added 6 days ago, 4 views

PT-2026-51671

Name of the Vulnerable Software and Affected Versions Advanced Contact Form 7 - Compact DB versions prior to 1.0.1 Description Unauthenticated attackers can delete arbitrary contact form submission entries stored in the wp_cf7cdb_data table. This occurs because the cf7cdb ajax delete user functio...

CVSS 5.3, AI score 5.9, EPSS 0.00295
Exploits: 0, References: 8
Positive Technologies
added 6 days ago, 6 views

PT-2026-52090

Name of the Vulnerable Software and Affected Versions FOSSBilling versions prior to 0.8.0 Description FOSSBilling exposes a guest API endpoint '/api/guest/staff/create' designed for initial administrator bootstrap. A flawed guard check using the is_countable function on a value that returns a Mod...

CVSS 9.3, AI score 5.8, EPSS 0.00289
Exploits: 0, References: 5
Jenkins Security Advisories
added 6 days ago, 5 views

CSRF vulnerability and missing permission check in contrast-continuous-application-security

contrast-continuous-application-security 3.11 and earlier does not perform a permission check in an HTTP endpoint that tests the connection to a Contrast TeamServer. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using an attacker-specified username, AP...

CVSS 5.4, AI score 5.8, EPSS 0.00187
Exploits: 0, Affected Software: 1
Jenkins Security Advisories
added 6 days ago, 4 views

CSRF vulnerability and missing permission check in zdevops

zdevops 1.1.3.50.ve350c9b450b1 and earlier does not perform a permission check in an HTTP endpoint implementing a connection test. This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through another method,...

CVSS 4.2, AI score 5.8, EPSS 0.0014
Exploits: 0, Affected Software: 1
Positive Technologies
added 6 days ago, 11 views

PT-2026-51677

Name of the Vulnerable Software and Affected Versions Welcome Software Publishing versions prior to 0.0.32 Description The plugin is subject to an Arbitrary Options Update issue caused by a missing capability check in the nc setOption function, which is exposed through the 'nc.setOption' XML-RPC...

CVSS 8.8, AI score 5.8, EPSS 0.00463
Exploits: 0, References: 14