EUVD-2026-34924

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893

The CVE-2026-8893 entry concerns the Express Payment For Stripe WordPress plugin. Affected: the [stripe-express] shortcode’s type attribute in versions up to and including 1.28.0. Root cause: insufficient input sanitization and output escaping, with the attribute value concatenated into an HTML a...

CVE-2026-8893 Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8893 Express Payment For Stripe <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Express Payment For Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'type' attribute of the stripe-express shortcode in versions up to, and including, 1.28.0. This is due to insufficient input sanitization and output escaping on the shortcode attribute value,...

CVE-2026-8347

Concrete CMS 9.5.0 and below is vulnerable to IDOR + wrong-authorization-level in the Express association Reorder dialog. This can cause Cross-entity state tampering with view-only permission on one entry. To be affected, a website has to be using express and relying on express entity ordering. T...

CVE-2026-7881

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference IDOR in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3...

CVE-2026-34899

Missing Authorization vulnerability in Eniture technology LTL Freight Quotes – Worldwide Express Edition allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LTL Freight Quotes – Worldwide Express Edition: from n/a through 5.2.1...

CVE-2026-33808

Impact@fastify/express v4.0.4 and earlier fails to normalize URLs before passing them to Express middleware when Fastify router normalization options are enabled. This allows complete bypass of path-scoped authentication middleware via duplicate slashes when ignoreDuplicateSlashes is enabled, or...

WordPress Express Payment For Stripe plugin <= 1.28.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Stripe Express versions = 1.28.0...

PT-2026-47071

Name of the Vulnerable Software and Affected Versions Express Payment For Stripe versions prior to 1.28.1 Description The plugin is subject to Stored Cross-Site Scripting, a flaw where malicious scripts are permanently stored on the target server. The issue occurs within the register shortcode...

ROOT-APP-NPM-CVE-2020-15084 CVE-2020-15084 in @rootio/express-jwt - Patched by Root

Root has patched CVE-2020-15084 in the @rootio/express-jwt package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2024-43796 CVE-2024-43796 in @rootio/express - Patched by Root

Root has patched CVE-2024-43796 in the @rootio/express package for Root:npm. Multiple fixed versions available...

ROOT-APP-NPM-CVE-2024-29041 CVE-2024-29041 in @rootio/express - Patched by Root

Root has patched CVE-2024-29041 in the @rootio/express package for Root:npm. Multiple fixed versions available...

Malicious Package

Overview express-denv is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Linux Distros Unpatched Vulnerability : CVE-2026-46141

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - powerpc/xive: fix kmemleak caused by incorrect chipdata lookup The kmemleak reports the following memory leak: Unreferenced object 0xc0000002a7fbc640 size 64:...

CVE-2026-10719 Open Seachest/Seachest NVMe show Format Descriptors Vulnerability

Out of bounds write in openSeaChest’s --showSupportedFormats in Seagate’s openSeaChest v25.05.3 on all supported platforms allows for writing 1 extra byte outside of allocated memory which sets a value to 1 via a maliciously crafted NVMe device with a bogus value in the namespace FLBAS byte...

CVE-2026-46141

A flaw was found in the Linux kernel's powerpc/xive interrupt controller. This vulnerability, identified as a kernel memory leak kmemleak, occurs when allocating Message Signaled Interrupts eXtended MSI-X vectors for NVMe devices. Due to an incorrect lookup of interrupt data, the xiveirqdata...

EUVD-2026-32864

In the Linux kernel, the following vulnerability has been resolved: scsi: mpt3sas: Limit NVMe request size to 2 MiB The HBA firmware reports NVMe MDTS values based on the underlying drive capability. However, because the driver allocates a fixed 4K buffer for the PRP list, accommodating at most 5...