994 matches found
CVE-2026-58411
ChurchCRM (open-source church management system) Vulnerability: Prior to version 7.4.0, a Reflected XSS was identified due to insufficient output encoding of user-controlled request parameter names and values. The application reflects attacker-controlled input into JavaScript string contexts and ...
CVE-2026-1667
The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticat...
CVE-2026-12428 Blocks for ACF Fields <= 1.6.2 - Missing Authorization to Authenticated (Author+) Arbitrary ACF Field Value Disclosure via 'id' Parameter
The Blocks for ACF Fields plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the getallvalues function in the /wp-json/acf-field-blocks/v1/values REST endpoint in versions up to, and including, 1.6.2. The permissioncallback only verifies the...
CVE-2026-10570
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symparfereplacecontent function, which uses...
CVE-2026-10570 Sympl Repeater for ACF and Elementor <= 2.3 - Authenticated (Author+) Stored Cross-Site Scripting via ACF Repeater Field Values
The Sympl Repeater for ACF and Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via ACF repeater field values in all versions up to, and including, 2.3. This is due to insufficient input sanitization and output escaping in the symparfereplacecontent function, which uses...
CVE-2026-48958
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
EUVD-2026-42068
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
CVE-2026-48958 Joomla! Core - [20260712] - Incorrect Access Control in com_fields webservice endpoints
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
CVE-2026-48958
In Joomla! Core, the CVE-2026-48958 issue is due to improper access control in the com_fields webservice endpoints, enabling unauthorized users to create custom fields via web services. Affected versions include Joomla! 4.0.x (before 5.4.7) and 6.0.x (before 6.1.2). The underlying impact is eleva...
CVE-2026-48958
An improper access check allows unauthorized users to create custom fields via webservices endpoints...
CVE-2026-53647
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...
PT-2026-56231
Name of the Vulnerable Software and Affected Versions Joomla! Core affected versions not specified Description An improper access check allows unauthorized users to create custom fields through webservices endpoints. This issue occurs within the com fields component. Recommendations At the moment...
Joomla 4.0.x < 5.4.7 / 6.0.x < 6.1.2 Joomla 6.1.2 & 5.4.7 Security & Bugfix Release (5955-joomla-6-1-2-5-4-7-security-bugfix-release)
According to its self-reported version, the instance of Joomla! running on the remote web server is 4.0.x prior to 5.4.7 or 6.0.x prior to 6.1.2. It is, therefore, affected by a vulnerability. - An improper access check allows unauthorized users to create custom fields via webservices endpoints...
CVE-2026-53647 FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...
CVE-2026-53647 FOSSBilling vulnerable to unauthenticated API key configuration disclosure via guest Serviceapikey get_info endpoint
FOSSBilling is a free, open-source billing and client management system. In versions 0.5.3 through 0.7.2, the Guest serviceapikey/getinfo API endpoint is accessible without authentication. Any caller with a valid API key can retrieve all custom configuration parameters custom fields stored in the...
CVE-2026-53647
CVE-2026-53647 affects FOSSBilling 0.5.3–0.7.2 where the Guest serviceapikey/get_info endpoint is accessible without authentication. An unauthenticated caller with a valid API key can retrieve all custom_* fields stored in the key’s database record, potentially exposing pricing tiers, feature fla...
EUVD-2026-36933
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...
CVE-2026-39468
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...
CVE-2026-39468 WordPress Meta Box – WordPress Custom Fields Framework plugin <= 5.11.1 - Arbitrary File Deletion vulnerability
Contributor Arbitrary File Deletion in Meta Box – WordPress Custom Fields Framework = 5.11.1 versions...