129 matches found
CVE-2026-27890
Firebird is an open-source relational database management system. In versions prior to 5.0.4, 4.0.7 and 3.0.14, when processing CNCTspecificdata segments during authentication, the server assumes segments arrive in strictly ascending order. If segments arrive out of order, the Array class's grow...
CVE-2026-4109
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...
CVE-2026-4109 Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...
CVE-2026-4109 Eventin – Events Calendar, Event Booking, Ticket & Registration (AI Powered) <= 4.1.8 Missing Authorization to Authenticated (Subscriber+) Order Information Exposure
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...
EUVD-2026-22231
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...
CVE-2026-4109
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the getitempermissionscheck function in all versions up to, and including, 4.1.8. This makes it possible for...
EUVD-2026-22073
Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments...
GHSA-3VXG-X5F8-F5QF Craft Commerce has an unauthenticated information disclosure that can leak some customer order data on anonymous payments
Summary PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object order, which contains some sensitive fields such as custome...
PT-2026-32605
The Eventin – Events Calendar, Event Booking, Ticket & Registration AI Powered plugin for WordPress is vulnerable to unauthorized access of data due to a improper capability check on the get item permissions check function in all versions up to, and including, 4.1.8. This makes it possible for...
WordPress plugin Eventin – Events Calendar, Event Booking, Ticket & Registration 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
CVE-2026-32270
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...
CVE-2026-32270
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...
CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...
CVE-2026-32270 Craft Commerce: Unauthenticated information disclosure in `commerce/payments/pay` can leak some customer order data on anonymous payments
Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON...
CVE-2026-32270
The CVE affects Craft Commerce (Craft CMS) where PaymentsController::actionPay leaks order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. In affected versions 4.0.0–4.10.2 and 5.0.0–5.5.4, the JSON error response includes the ...
Craft Commerce 安全漏洞
Craft Commerce is an e-commerce platform derived from the open-source Craft CMS. Vulnerabilities exist in versions 4.0.0 to 4.10.2, as well as 5.0.0 to 5.5.4 of Craft Commerce. These vulnerabilities stem from the PaymentsController::actionPay function, which allows order data to be disclosed to...
PT-2026-32511
Name of the Vulnerable Software and Affected Versions Craft Commerce versions prior to 4.11.0 Craft Commerce versions prior to 5.6.0 Description The actionPay function in the 'PaymentsController' discloses order data to unauthenticated users. This occurs when an order number is provided and the...
CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permissioncallback' set to 'returntrue', meaning no...
CVE-2026-3594 Riaxe Product Customizer <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint
The Riaxe Product Customizer plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.4 via the '/wp-json/InkXEProductDesignerLite/orders' REST API endpoint. The endpoint is registered with 'permissioncallback' set to 'returntrue', meaning no...
WordPress plugin Riaxe Product Customizer 信息泄露漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...