9028 matches found

RedhatCVE
added 2026/03/07 1:44 a.m. | 3 views

CVE-2026-29613

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2 | AI score 5.9 | EPSS 0.00408
Exploits 0 | References 1

RedhatCVE
added 2026/03/07 1:44 a.m. | 2 views

CVE-2026-28450

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote...

CVSS 8.3 | AI score 5.8 | EPSS 0.0034
Exploits 0 | References 1

Patchstack
added 2026/03/07 1:23 a.m. | 4 views

WordPress Community Events plugin <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field vulnerability

Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field vulnerability discovered by Bee - FPT University in WordPress Plugin Community Events versions <= 1.5.8...

CVSS 4.9 | AI score 5.8 | EPSS 0.00325
Exploits 0 | References 1 | Affected Software 1

ATTACKERKB
added 2026/03/07 1:21 a.m. | 2 views

CVE-2026-2429

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the on_save_changes_venues function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the...

CVSS 4.9 | AI score 5.8 | EPSS 0.00325
Exploits 0 | References 5

Cvelist
added 2026/03/07 1:21 a.m. | 27 views

CVE-2026-2429 Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the on_save_changes_venues function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the...

CVSS 4.9 | EPSS 0.00325
Exploits 0 | References 4

CVE
added 2026/03/07 1:21 a.m. | 10 views

CVE-2026-2429

The CVE-2026-2429 entry concerns the WordPress Community Events plugin. It describes an SQL Injection vulnerability via the ce_venue_name field in the on_save_changes_venues function, affecting all versions up to 1.5.8. The issue stems from insufficient escaping of user-supplied CSV data and inad...

CVSS 4.9 | AI score 5.8 | EPSS 0.00325
Exploits 0 | References 4

Vulnrichment
added 2026/03/07 1:21 a.m. | 2 views

CVE-2026-2429 Community Events <= 1.5.8 - Authenticated (Administrator+) SQL Injection via 'ce_venue_name' CSV Field

The Community Events plugin for WordPress is vulnerable to SQL Injection via the 'ce_venue_name' CSV field in the on_save_changes_venues function in all versions up to, and including, 1.5.8. This is due to insufficient escaping on the user-supplied CSV data and lack of sufficient preparation on the...

CVSS 4.9 | AI score 5.8 | EPSS 0.00325
Exploits 0 | References 4

CNNVD
added 2026/03/07 12:0 a.m. | 4 views

WordPress plugin Community Events SQL injection vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

CVSS 4.9 | AI score 6 | EPSS 0.00325
Exploits 0 | References 5

Circl
added 2026/03/06 12:4 p.m. | 2 views

CVE-2026-23925

creationtimestamp | type | source
---|---|---
2026-03-06 12:04:46+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgfbhyyrfi2y
2026-03-06 13:10:27+00:00 | seen | https://bsky.app/profile/o2cloud.bsky.social/post/3mgff5gsmiy2q
...

CVSS 8.1 | AI score 5.8 | EPSS 0.00255
Exploits 0 | References 2

Circl
added 2026/03/06 11:20 a.m. | 3 views

CVE-2026-28464

creationtimestamp | type | source
---|---|---
2026-03-06 11:20:28+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mgf6yrensm2c
2026-03-06 11:21:03+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mgf6zrj7ni2u
...

CVSS 8.2 | AI score 5.8 | EPSS 0.00386
Exploits 0 | References 2

OSV
added 2026/03/06 8:43 a.m. | 3 views

BIT-LIBPYTHON-2026-2297 SourcelessFileLoader does not use io.open_code()

The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit handlers for this audit event therefore do not fire...

CVSS 5.7 | AI score 5.8 | EPSS 0.00202
Exploits 0 | References 7

RedhatCVE
added 2026/03/06 7:52 a.m. | 5 views

CVE-2026-29052

The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users...

CVSS 6.9 | AI score 5.7 | EPSS 0.00155
Exploits 0 | References 1

Circl
added 2026/03/06 7:30 a.m. | 1 views

CVE-2026-29058

creationtimestamp | type | source
---|---|---
2026-03-06 07:30:27+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116181056039411131
2026-03-06 07:30:30+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mges5jxeml2u
2026-03-06 08:04:29+00:00 | seen | ...

CVSS 9.8 | AI score 7.5 | EPSS 0.02132
Exploits 2 | References 7

Snyk
added 2026/03/06 7:14 a.m. | 2 views

Malicious Package

Overview: @captivateiq/events is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8 | AI score 5.4
Exploits 0 | References 2

Cvelist
added 2026/03/06 4:43 a.m. | 32 views

CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting...

CVSS 6.4 | EPSS 0.00133
Exploits 0 | References 2

Vulnrichment
added 2026/03/06 4:43 a.m. | 2 views

CVE-2026-28682 Gokapi: Data Leak in Upload Status Stream

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the upload status SSE implementation on /uploadStatus publishes global upload state to any authenticated listener and includes file_id values that are not scoped to the requesting...

CVSS 6.4 | AI score 5.7 | EPSS 0.00133
Exploits 0 | References 2

CVE
added 2026/03/06 4:43 a.m. | 12 views

CVE-2026-28682

Gokapi CVE-2026-28682 affects the self-hosted file sharing server Gokapi prior to 2.2.3. The vulnerability lies in the upload status SSE implementation for /uploadStatus, which previously published the global upload state to any authenticated listener and included file_id values not scoped to the...

CVSS 6.4 | AI score 5.9 | EPSS 0.00133
Exploits 0 | References 2 | Affected Software 1

RedhatCVE
added 2026/03/06 1:34 a.m. | 2 views

CVE-2026-29085

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as...

CVSS 6.5 | AI score 5.8 | EPSS 0.0024
Exploits 0 | References 1

Circl
added 2026/03/06 1:30 a.m. | 2 views

CVE-2026-21536

creationtimestamp | type | source
---|---|---
2026-03-06 01:30:30+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mge5ztlfhz2h
2026-03-06 01:30:30+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116179640530916616
2026-03-06 01:54:07+00:00 | seen | ...

CVSS 9.8 | AI score 5.7 | EPSS 0.01596
Exploits 0 | References 11

Tenable Nessus
added 2026/03/06 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-2297

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code...

CVSS 5.7 | AI score 5.4 | EPSS 0.00202
Exploits 0 | References 4