Popup by Supsystic < 1.10.9 - Subscriber Email Addresses Disclosure

The Popup by Supsystic WordPress plugin before 1.10.9 does not have any authentication and authorisation in an AJAX action, allowing unauthenticated attackers to call it and get the email addresses of subscribed users id: CVE-2022-0424 info: name: Popup by Supsystic 1.10.9 - Subscriber Email...

Mail Mint < 1.19.5 - Unauthenticated Email Disclosure

Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...

EUVD-2026-38237

The vulnerability arises when the system fails to properly validate the 'email' field during the authentication process, allowing unverified or fake email addresses to be accepted. This lack of validation enables the creation of user accounts with fake email addresses, facilitating the mass...

Integrate Google Drive <= 1.5.3 - Information Disclosure

File Manager for Google Drive - Integrate Google Drive with WordPress plugin for WordPress = 1.5.3 contains sensitive information exposure caused by improper protection of the getlocalizedata function, letting unauthenticated attackers extract Google OAuth credentials and account email addresses,...

CVE-2019-25762

CVE-2019-25762 affects Joomla! component JoomProject 1.1.3.2. The vulnerability is an information disclosure via the projects endpoint, where unauthenticated attackers can query index.php with option=com_jpprojects&view=projects&tmpl=component&format=json to retrieve user IDs, names, and email ad...

CVE-2026-12111 Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

VRChat says reported data breach never happened

A data breach notice has been filed with the Maine Attorney General, saying more than 2.4 million users of VRChat have had their data breached. The question is, was it VRChat who filed the breach notice, or did someone pretending to represent the company post it instead? On Reddit, a VRChat...

CVE-2026-8589

GitLab EE is affected by CVE-2026-8589 due to improper sanitization of user-supplied input in certain group setting fields. This could allow an authenticated user to add unauthorized email addresses to another user’s account. Affected versions are 13.1.4 before 18.10.8, 18.11 before 18.11.5, and ...

CVE-2025-9484

GitLab has remediated an issue in GitLab EE affecting all versions from 16.6 before 18.8.9, 18.9 before 18.9.5, and 18.10 before 18.10.3 that under certain circumstances could have allowed an authenticated user to have access to other users' email addresses via certain GraphQL queries...

EUVD-2026-34266

A vulnerability in the MISP dashboard widgets allowed an authenticated user to manipulate the fields option and influence which fields were returned by the New Users and New Organisations widgets. In some cases, requesting a field set that became empty after validation or redaction could cause th...

ITPison OMICARD EDM 安全漏洞

ITPison OMICARD EDM is a high-speed electronic newspaper EDM marketing distribution system developed by the Chinese company ITPison. ITPison OMICARD EDM has a security vulnerability that stems from insecure direct object references. This vulnerability could allow unauthorized remote attackers to...

PT-2026-46238

Name of the Vulnerable Software and Affected Versions MISP affected versions not specified Description An issue in the dashboard widgets allows an authenticated user to manipulate the fields option to influence the data returned by the New Users and New Organisations widgets. When a requested fie...

CVE-2026-40102 Plane: ORM Field Reference Injection via `segment` Parameter in Saved Analytics

Plane is an open-source project management tool. In versions 1.3.0 and below, SavedAnalyticEndpoint passes the user-controlled segment query parameter directly to a Django F expression without validation unlike the regular AnalyticsEndpoint, which checks against an allowlist, causing ORM Field...

CVE-2026-7385

The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...

CVE-2026-5776 Email Encoder < 2.4.7 - Unauthenticated Stored XSS

The Email Encoder WordPress plugin before 2.4.7 does not escape email addresses retrieved via user input, allowing unauthenticated attackers to perform Stored XSS attacks...

Stolen Canvas data was “returned” after hacker agreement, Instructure says

The Instructure/Canvas data breach that has dominated cybersecurity coverage recently has reached a new stage. Millions of students had personal data stolen, with extortion group ShinyHunters claiming credit for the data breach and applying extra pressure for their ransom demands by bothering...

CVE-2026-42499

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322...

CVE-2026-40174 Masa CMS CSRF in user address management allows unauthorized address changes

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...

CVE-2026-40174

Masa CMS CSRF in user address management (cUsers.updateAddress) affects versions 7.5.2 and earlier. An attacker can lure a logged-in administrator into submitting forged requests to add, modify, or delete user address records (including emails and phone numbers), potentially altering contact info...

EUVD-2026-26790

The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/id/reviews' REST API endpoint. This is due to the 'preparereviewsforresponse' method...