
6534 matches found

OSV
added 2026/03/04 4:36 p.m.

CVE-2026-28782 Craft has a Permission Bypass and IDOR in Duplicate Entry Action

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, the "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is...

CVSS 5.3, AI score 5.9, EPSS 0.00234
Exploits: 1, References: 4
ATTACKERKB
added 2026/03/04 4:31 p.m.

CVE-2026-28781

Craft is a content management system CMS. Prior to 4.17.0-beta.1 and 5.9.0-beta.1, the entry creation process allows for Mass Assignment of the authorId attribute. A user with "Create Entries" permission can inject the authorIds or authorId parameter into the POST request, which the backend...

CVSS 7.1, AI score 6, EPSS 0.00326
Exploits: 1, References: 4, Affected software: 1
OSV
added 2026/03/04 1:32 p.m.

MINI-MF4V-W29F-8WF8

Bulletin has no description...

AI score 5.9
Exploits: 0
OSV
added 2026/03/04 5:33 a.m.

MINI-WM46-XW29-WMRH

Bulletin has no description...

CVSS 7, AI score 5.9, EPSS 0.00335
Exploits: 0
OSV
added 2026/03/04 5:33 a.m.

MINI-WHF4-WHJC-WJP4

Bulletin has no description...

CVSS 5.3, AI score 5.9, EPSS 0.00276
Exploits: 0
OSV
added 2026/03/04 5:33 a.m.

MINI-W92W-M898-M396

Bulletin has no description...

CVSS 8.6, AI score 5.9, EPSS 0.00205
Exploits: 0
OSV
added 2026/03/04 5:31 a.m.

MINI-M764-P56F-53J6

Bulletin has no description...

CVSS 10, AI score 5.9, EPSS 0.00765
Exploits: 1
Cvelist
added 2026/03/04 1:22 a.m.

CVE-2026-1651 Email Subscribers & Newsletters <= 5.9.16 - Authenticated (Administrator+) SQL Injection via 'workflow_ids' Parameter

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflowids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVSS 6.5, EPSS 0.00368
Exploits: 0, References: 6
CNNVD
added 2026/03/04 12:00 a.m.

Craft CMS Security Vulnerability

Craft CMS is an open-source content management system developed by Craft CMS. Versions prior to Craft CMS 5.9.0-beta.2 and 4.17.0-beta.2 contained security vulnerabilities. These vulnerabilities stemmed from the actionSendActivationEmail endpoint, which was exposed to unverified users and lacked...

CVSS 6.9, AI score 5.8, EPSS 0.00273
Exploits: 0, References: 3
Positive Technologies
added 2026/03/04 12:00 a.m.

PT-2026-22943

A technique has been identified that adapts a known port-stealing method to Wi-Fi environments that use multiple BSSIDs. By leveraging the relationship between BSSIDs and their associated virtual ports, an attacker could potentially bypass inter-BSSID isolation controls. Successful exploitation m...

CVSS 5.4, AI score 5.8, EPSS 0.00259
Exploits: 0, References: 2
Tenable Nessus
added 2026/03/04 12:00 a.m.

Fedora 42 : cef (2026-a48b5f36ec)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-a48b5f36ec advisory. Update to cef-145.0.25 + chromium 145.0.7632.75 CVE-2026-1861: Heap buffer overflow in libvpx CVE-2026-1862: Type Confusion in V8 CVE-2026-2313: Use...

CVSS 8.8, AI score 6.2, EPSS 0.2202
Exploits: 13, References: 15
Github Security Blog
added 2026/03/03 11:19 p.m.

OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From

Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From conversation identity as a sender candidate. When commands.allowFrom contained conversation-like identifiers for example Discord channel: or...

AI score 5.9
Exploits: 0, References: 3, Affected software: 1
OSV
added 2026/03/03 11:19 p.m.

GHSA-2CH6-X3G4-7759 OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From

Summary commands.allowFrom is documented as a sender authorization allowlist for commands/directives, but command authorization could include ctx.From conversation identity as a sender candidate. When commands.allowFrom contained conversation-like identifiers for example Discord channel: or...

CVSS 7.1, AI score 5.9
Exploits: 0, References: 3
Github Security Blog
added 2026/03/03 9:49 p.m.

OpenClaw has a Discord `allowFrom` slug-collision authorization bypass

OpenClaw supports Discord allowlists using either user IDs or names/tags. Name/tag matching depends on slug normalization, so different user tags can collide to the same slug and unintentionally satisfy a name-based allowlist entry. Affected Packages / Versions - Package: openclaw npm - Affected...

AI score 5.9
Exploits: 0, References: 4, Affected software: 1
Github Security Blog
added 2026/03/03 9:05 p.m.

Craft CMS has Permission Bypass and IDOR in Duplicate Entry Action

Description The "Duplicate" entry action does not properly verify if the user has permission to perform this action on the specific target elements. Even with only "View Entries" permission where the "Duplicate" action is restricted in the UI, a user can bypass this restriction by sending a direc...

CVSS 5.3, AI score 6, EPSS 0.00234
Exploits: 1, References: 4, Affected software: 1
RedhatCVE
added 2026/03/03 1:37 p.m.

CVE-2025-58402

The CGM CLININET application uses direct, sequential object identifiers "MessageID" without proper authorization checks. By modifying the parameter in the GET request, an attacker can access messages and attachments belonging to other users...

CVSS 7.5, AI score 5.9, EPSS 0.00215
Exploits: 0, References: 1
RedhatCVE
added 2026/03/03 1:37 p.m.

CVE-2026-20435

In preloader, there is a possible read of device unique identifiers due to a logic error. This could lead to local information disclosure, if an attacker has physical access to the device, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID:...

CVSS 4.6, AI score 6.1, EPSS 0.00115
Exploits: 0, References: 1
SUSE Linux
added 2026/03/03 11:34 a.m.

Security update for govulncheck-vulndb

This update for govulncheck-vulndb fixes the following issues: Update to version 0.0.20260226T182644 2026-02-26T18:26:44Z jscPED-11136 Go CVE Numbering Authority IDs added or updated with aliases: GO-2025-4259 CVE-2025-13767 GHSA-fmqf-pmcm-8cx9 GO-2025-4260 CVE-2025-64641 GHSA-vww6-79rv-3j4x...

CVSS 8.7, AI score 6.9, EPSS 0.27661
Exploits: 44, References: 210
NVD
added 2026/03/03 12:15 a.m.

CVE-2026-1566

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to se...

CVSS 8.8, EPSS 0.003
Exploits: 0, References: 2
Positive Technologies
added 2026/03/03 12:00 a.m.

PT-2026-22951

Name of the Vulnerable Software and Affected Versions Craft versions prior to 5.9.0-beta.1 Craft versions prior to 4.17.0-beta.1 Description Craft is a content management system CMS. A flaw exists where the "Duplicate" entry action does not properly verify user permissions for specific target...

CVSS 7.1, AI score 5.9, EPSS 0.00234
Exploits: 1, References: 5