Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized rendering of user-supplied input in settings names and field option labels within the checkbox.twig template. An attacker can execute arbitrary...

CVE-2026-1929

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

WordPress Advanced Woo Labels plugin <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter vulnerability

Authenticated Contributor+ Remote Code Execution via 'callback' Parameter vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - cyberdogzmarketing.com | krei.dev | ogbuilders.io in WordPress Plugin Advanced Woo Labels versions = 2.36...

EUVD-2026-8631

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

CVE-2026-1929

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

WordPress Advanced Woo Labels plugin <= 2.36 - Remote Code Execution (RCE) vulnerability

Remote Code Execution RCE vulnerability discovered by Trương Hữu Phúc truonghuuphuc in WordPress Plugin Advanced Woo Labels versions = 2.36...

CVE-2026-1929 Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

CVE-2026-1929 Advanced Woo Labels <= 2.37 - Authenticated (Contributor+) Remote Code Execution via 'callback' Parameter

The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2.37. This is due to the use of calluserfuncarray with user-controlled callback and parameters in the getselectoptionvalues AJAX handler without an allowlist of permitted...

CVE-2026-1929

The CVE-2026-1929 entry describes a Remote Code Execution in the WordPress plugin Advanced Woo Labels (vulnerable up to and including 2.37). The issue arises in the AJAX handler (get_select_option_values) where the code calls call_user_func_array() with a user-controlled callback and parameters, ...

WordPress plugin Advanced Woo Labels 代码注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

PT-2026-21888

Name of the Vulnerable Software and Affected Versions Advanced Woo Labels versions prior to 2.3 Description The Advanced Woo Labels plugin for WordPress is susceptible to Remote Code Execution due to the use of call user func array with user-controlled callback and parameters in the get select...

CVE-2026-25229 Gogs Authorization Bypass Allows Cross-Repository Label Modification

Gogs is an open source self-hosted Git service. Versions 0.13.4 and below have a broken access control vulnerability which allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI...

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the UpdateLabel function. An attacker can modify labels belonging to other repositories by sending malicious requests to the /:username/:reponame/labels/edit endpoint. Remediation...

GHSA-CV22-72PX-F4GH Gogs has an Authorization Bypass Allows Cross-Repository Label Modification in Gogs

Summary A broken access control vulnerability in Gogs allows authenticated users with write access to any repository to modify labels belonging to other repositories. The UpdateLabel function in the Web UI internal/route/repo/issue.go fails to verify that the label being modified belongs to the...

Ubuntu 22.04 LTS / 24.04 LTS / 25.10 : GnuTLS vulnerabilities (USN-8043-1)

The remote Ubuntu 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-8043-1 advisory. Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and...

BIT-GITLAB-2026-1282 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.6, 18.7 before 18.7.4, and 18.8 before 18.8.4 that could have allowed an authenticated user to inject malicious content into project labels titles...

USN-8043-1: GnuTLS vulnerabilities

Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and subject alternative names. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, resulting in a denial of service. CVE-2025-14831...

USN-8043-1 gnutls28 vulnerabilities

Tim Scheckenbach discovered that GnuTLS incorrectly handled malicious certificates containing a large number of name constraints and subject alternative names. A remote attacker could possibly use this issue to cause GnuTLS to consume resources, resulting in a denial of service. CVE-2025-14831...

CVE-2026-26188 Solspace Freeform plugin affected by Stored Cross-Site Scripting (XSS) in Freeform Craft Plugin CP UI (builder/integrations)

Solspace Freeform plugin for Craft CMS 5.x is a super flexible form-building tool. An authenticated, low-privilege user able to create/edit forms can inject arbitrary HTML/JS into the Craft Control Panel CP builder and integrations views. User-controlled form labels and integration metadata are...

CVE-2026-26069

Scraparr (Prometheus Exporter) prior to 3.0.2 is affected when Readarr integration is enabled and the exporter’s /metrics is exposed to outsiders. The Readarr API key could be exposed as the alias metric label value, under conditions: Readarr scraping enabled, no alias configured, /metrics public...