CVE-2026-8898 Events In City <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes such as 'organizerid', 'width', 'height',...

CVE-2026-8898

CVE-2026-8898 concerns the WordPress plugin Events In City with versions up to and including 3.0. The vulnerability is a Stored Cross-Site Scripting issue arising from insufficient input sanitization and output escaping in the org_event_scode() function, where user-supplied shortcode attributes (...

CVE-2026-8450

creationtimestamp| type| source ---|---|--- 2026-05-27 05:17:43+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mmsqxmuwt222 2026-05-27 06:00:28+00:00| seen| https://infosec.exchange/users/offseq/statuses/116645011565190190 2026-05-27 06:00:29+00:00| seen|...

CVE-2026-2253

creationtimestamp| type| source ---|---|--- 2026-05-27 05:00:12+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmspyb5e7w2e 2026-05-27 05:14:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmsqr6mndi2i 2026-05-27 07:01:06+00:00| seen|...

CVE-2026-46740

creationtimestamp| type| source ---|---|--- 2026-05-27 00:27:28+00:00| seen| https://bsky.app/profile/infosec.skyfleet.blue/post/3mmsaqmimy72u 2026-05-27 00:58:47+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mmscime3hs2q...

PT-2026-43530

The Events In City plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'org-events' shortcode in versions up to, and including, 3.0. This is due to insufficient input sanitization and output escaping on user supplied attributes such as 'organizer id', 'width', 'height',...

PT-2026-44123

Name of the Vulnerable Software and Affected Versions Toolbox affected versions not specified Description The software is susceptible to DNS rebinding attacks when using Server-Sent Events SSE under specification v2024-11-05. This occurs because the SSE initialization handler retains a hardcoded...

WordPress plugin Events In City 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. In...

CVE-2026-44214

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-44214 eventsource-encoder: SSE event injection via unsanitized event and id fields

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-44214

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-44214 eventsource-encoder: SSE event injection via unsanitized event and id fields

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

CVE-2026-44214

CVE-2026-44214 concerns eventsource-encoder where unsanitized event and id fields can inject SSE line terminators, enabling forged SSE fields/messages. Affects versions prior to 1.0.2; patch released in 1.0.2 that validates/escapes those fields. Public advisories (GHSA, OSV, CVS) describe the imp...

EUVD-2026-31968

eventsource-encoder encodes events as well-formed EventSource/Server Sent Event SSE messages. Prior to 1.0.2, eventsource-encoder does not sanitize the event or id fields of an EventSourceMessage before serializing them. An attacker who controls either field can inject arbitrary Server-Sent Event...

Permissive Cross-domain Policy with Untrusted Domains

Overview Affected versions of this package are vulnerable to Permissive Cross-domain Policy with Untrusted Domains via the SSE event server process. An attacker can access sensitive live filename streams by opening a cross-origin EventSource connection from a third-party page, allowing unauthoriz...

WordPress Events In City plugin <= 3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin Events In City versions = 3.0...

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...

CVE-2026-46431

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...

CVE-2026-46431 Algernon: Auto-refresh SSE event server sets Access-Control-Allow-Origin: *

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server's Access-Control-Allow-Origin response header was hardcoded to the wildcard regardless of the caller's Origin. Because EventSource does not preflight and does not send cookies, the wildcard is sufficient ...