PhoenixStorybook: Unbounded atom creation from LiveView event params (atom-table DoS)

Summary An attacker who can deliver psb-assign, psb-toggle, psb-set-theme, upper-tab-navigation, lower-tab-navigation, playground-change, or playground-toggle LiveView events to a mounted Phoenix Storybook playground can flood the BEAM atom table with attacker-controlled strings, permanently...

CVE-2026-45447

creationtimestamp| type| source ---|---|--- 2026-06-09 13:57:29+00:00| seen| https://bsky.app/profile/xeiaso.net/post/3mnue2z4hbv2v 2026-06-09 14:00:28+00:00| seen| https://bsky.app/profile/cadey.pony.social.ap.brid.gy/post/3mnue3epkwyc2 2026-06-09 14:48:37+00:00| seen|...

WordPress Events Calendar for GeoDirectory plugin <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation vulnerability

Authenticated Subscriber+ Privilege Escalation vulnerability discovered by Mitchell in WordPress Plugin Events Calendar for GeoDirectory versions = 2.3.28...

CVE-2026-11616

The CVE pertains to the WordPress plugin Events Calendar for GeoDirectory, affected in versions up to and including 2.3.28. The root cause is an ajax_ayi_action() path that applies strip_tags(esc_sql()) without an allow-list to attacker-controlled POST values, forwarding them to update_ayi_data()...

CVE-2026-11616 Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajaxayiaction handler only applying striptagsescsql — with no allow-list — to the attacker-controlled $POST'type' and $POST'postid' values...

CVE-2026-11616 Events Calendar for GeoDirectory <= 2.3.28 - Authenticated (Subscriber+) Privilege Escalation

The Events Calendar for GeoDirectory plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 2.3.28. This is due to the ajaxayiaction handler only applying striptagsescsql — with no allow-list — to the attacker-controlled $POST'type' and $POST'postid' values...

PT-2026-47711

Name of the Vulnerable Software and Affected Versions The Events Calendar for GeoDirectory plugin for WordPress versions prior to 2.3.29 Description Authenticated attackers with Subscriber-level access or higher can elevate their privileges to Administrator. This occurs because the ajax ayi actio...

WordPress plugin Events Calendar for GeoDirectory 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-50131

creationtimestamp| type| source ---|---|--- 2026-06-08 14:57:55+00:00| seen| https://bsky.app/profile/fedify.hollo.social.ap.brid.gy/post/3mnrwxyyvdir2 2026-06-08 15:09:05+00:00| seen| https://bsky.app/profile/hollo.hollo.social.ap.brid.gy/post/3mnrxlz2slhe2 2026-06-09 02:30:30+00:00| seen|...

WordPress The Events Calendar plugin 6.15.12-6.16.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by vtim in WordPress Plugin The Events Calendar versions 6.15.12-6.16.2...

CVE-2026-11489

creationtimestamp| type| source ---|---|--- 2026-06-08 06:00:30+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mnqyx67zan2p 2026-06-08 06:00:30+00:00| seen| https://infosec.exchange/users/offseq/statuses/116712959372246973 2026-06-08 07:37:17+00:00| seen|...

kernel: wifi: brcmfmac: validate bsscfg indices in IF events

A flaw was found in the Linux kernel's brcmfmac Wi-Fi driver. This vulnerability occurs because the driver fails to properly validate bsscfg indices in interface IF events. An attacker could exploit this by sending a specially crafted IF event with an invalid bsscfg index, which could lead to an...

CVE-2026-6420

creationtimestamp| type| source ---|---|--- 2026-06-07 16:49:08+00:00| seen| https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnpmpzrvus2z 2026-06-07 16:49:09+00:00| seen| https://bsky.app/profile/ferramentaslinux.bsky.social/post/3mnpmq3br4s2z...

EUVD-2026-34954

The WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to and including 1.10.0.1. This is due to the PayPal Commerce webhook endpoint processing unauthenticat...

PT-2026-47131

Name of the Vulnerable Software and Affected Versions WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More versions prior to 1.10.0.2 Description The plugin is subject to insufficient verification of data authenticity. The PayPal Commerce webhook endpoint...

CVE-2026-7525

The My Calendar – Accessible Event Manager plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.7.9. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

CVE-2026-5167

The Masteriyo LMS – Online Course Builder for eLearning, LMS & Education plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in versions up to and including 2.1.7. This is due to insufficient webhook signature verification in the handlewebhook function. The...

CVE-2026-5600

A new API endpoint introduced in pretix 2025 that is supposed to return all check-in events of a specific event in fact returns all check-in events belonging to the respective organizer. This allows an API consumer to access information for all other events under the same organizer, even those th...

CVE-2026-49140

Nanobot prior to version 0.2.1 contains a denial of service vulnerability in the Matrix channel media download handler that allows authenticated room members to exhaust process memory and bandwidth by sending media events with missing or invalid size metadata. Attackers can send multiple concurre...

CVE-2026-46430

Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort"", ":5553" resolves to ":5553"...