PT-2026-49432
Subscriber Broken Access Control in Amelia = 2.2 versions...
PT-2026-49365
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce = 1.5.3 versions...
PT-2026-49473
Unauthenticated Broken Access Control in Contact Form by WPForms = 1.10.0.4 versions...
CVE-2026-50885
CVE-2026-50885 concerns Sismics Docs (Teedy) with version v1.11, where an incorrect access control flaw in the share-based read endpoints enables unauthorized attackers to access sensitive endpoints via a crafted request. The related advisories consistently describe limited information about root...
CVE-2026-36670
CVE-2026-36670: Time-based blind SQL injection in the OpenSIPS Control Panel (opensips-cp) alias_management module before version 9.3.3. Authenticated attackers can leverage the table parameter in alias_management.php to execute arbitrary SQL. Connected sources confirm the affected component is O...
CVE-2026-50875
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...
PT-2026-49327
Incorrect access control in the webhook management component of Project Firefly III v6.5.9 allows attackers to scan internal resources via a crafted POST request...
VulnCheck KEV: CVE-2026-48969
Subscriber Broken Access Control in Really Simple SSL = 9.5.9 versions...
PT-2026-49481
Unauthenticated Broken Access Control in Montonio for WooCommerce = 10.1.2 versions...
PT-2026-49393
Subscriber Broken Access Control in Motors 1.4.107 versions...
PT-2026-49357
Unauthenticated Broken Access Control in Essential Addons for Elementor 6.6.0 versions...
PT-2026-49356
Unauthenticated Broken Access Control in User Registration = 5.1.2 versions...
PT-2026-49409
Unauthenticated Broken Access Control in Tutor LMS = 3.9.7 versions...
PT-2026-49420
Unauthenticated Broken Access Control in WP Event Solution = 4.1.8 versions...
PT-2026-49167
A security flaw has been discovered in medkey-org medkey up to fc09b7ba9441ff590b72d428d5380834216b09ed. Impacted is the function actionGetPatientById of the file appmodulesmedicalportrestcontrollersPatientController.php of the component HTTP REST API. The manipulation of the argument ID results ...
PT-2026-49326
Incorrect access control in the share-based read endpoints of Sismics Docs Teedy v1.11 allows unauthorized attackers to access sensitive endpoints via a crafted request...
LiteSpeed cPanel Plugin UNIX Symbolic Link (Symlink) Following Vulnerability
LiteSpeed cPanel plugin contains a UNIX symbolic link (Symlink) following vulnerability that could allow a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS...
CVE-2026-50884
CVE-2026-50884 affects statping-ng v0.93.0. Description: incorrect access control may allow attackers to escalate privileges to Administrator and access sensitive components. Documents list no public patch/version to mitigate or confirm exploitation details; no explicit root-cause technical speci...
CVE-2026-50875
CVE-2026-50875 affects Deck9 Input v2.0.1: the /{form}/webhooks/{webhook} endpoint has incorrect access control, enabling authenticated attackers to modify or delete another tenant’s webhook via a crafted request. CVSS 3.1 base score 8.1 (HIGH): Network, Low attack complexity, Privileges required...
EUVD-2026-36657
LiteSpeed cPanel plugin before 2.4.8 as distributed in LiteSpeed WHM PlugIn before 5.3.2.0 mishandles symlinks provided by a user with FTP or web shell access on a shared hosting server running CloudLinux/CageFS, as exploited in the wild in May 2026...