1213 matches found
WP Go Maps < 10.0.10 - Unauthenticated Marker Information Disclosure
WP Go Maps WordPress plugin 10.0.10 contains an information disclosure vulnerability caused by lack of approval-state filtering on the public single-marker REST endpoint, letting unauthenticated users access unapproved marker records including PII and geographic coordinates, exploit requires no...
CVE-2026-15159
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...
CVE-2026-15159 Ninja Forms - Excel Export <= 3.3.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Data Disclosure via 'spreadsheet_export_form_id' Parameter
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...
CVE-2026-15159
The Ninja Forms - Excel Export plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.6 via the 'spreadsheetexportformid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, wit...
Schools Alert Management Script - Arbitrary File Read
Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal. id: CVE-2018-12054 info: name: Schools Alert Management Script - Arbitrary File Read author: wisnupramoedya severity: high description: Schools Alert...
MAL-2026-10764 Malicious code in syft-acp-atoms (npm)
The syft-acp-atoms package was published to the npm registry by user 'ada8877' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the 'syft-acp' internal/private package naming convention an ACP component library of a target...
CVE-2026-58408
ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...
CVE-2026-58408 ChurchCRM : Broken Access Control in `CSVCreateFile.php` Allows Low-Privileged Users to Export All Members' PII
ChurchCRM is an open-source church management system. Prior to version 7.4.0, a low-privileged user can bypass the /admin/export UI and exfiltrate the entire member directory. The POST /CSVCreateFile.php endpoint generates and streams a CSV containing the full Personally Identifiable Information...
CVE-2026-15574
A flaw was found in the vllm-orchestrator-gateway component. The system's production binary logs all incoming authorization headers and full chat payloads, which may contain personally identifiable information PII and secrets, to persistent logs. This sensitive data, including bearer tokens and...
CVE-2026-15574
The CVE-2026-15574 issue affects the vllm-orchestrator-gateway component, where the production binary logs incoming authorization headers and full chat payloads, potentially exposing PII, secrets, bearer tokens, and conversation content. This data exposure arises from a hard-coded debug/default l...
CVE-2026-11869
The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...
CVE-2026-11869 WP DSGVO Tools (GDPR) < 3.1.40 - Unauthenticated Sensitive Information Disclosure via Subject Access Request
The WP DSGVO Tools GDPR WordPress plugin before 3.1.40 does not perform an authorization check on the immediate-processing path of its data subject access request feature, allowing unauthenticated attackers to generate and download the full personal-data export including name, postal address, pho...
CVE-2026-11869
The CVE concerns WP DSGVO Tools (GDPR) WordPress plugin prior to 3.1.40. A missing authorization check on the immediate-processing path of the data subject access request feature allows unauthenticated attackers to generate and download the full personal-data export (name, postal address, phone n...
PT-2026-56808
Name of the Vulnerable Software and Affected Versions AcyMailing versions prior to 10.11.1 Description An unauthenticated SQL injection flaw exists in the AcyMailing component for Joomla. This issue allows a remote attacker to execute crafted SQL queries to gain unauthorized access to the databas...
CVE-2026-56226
Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...
Malicious code in tme-xca (npm)
The tme-xca package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization a 'tme' Travel Mall /...
Malicious code in @logdna-web/shared (npm)
The @logdna-web/shared package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...
Malicious code in @idms-corp/auth-ui (npm)
The @idms-corp/auth-ui package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @idms-cor...
Malicious code in @logdna-web/styles (npm)
The @logdna-web/styles package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @logdna-w...
MAL-2026-10222 Malicious code in @flex-ng/filter-pipe (npm)
The @flex-ng/filter-pipe package was published to the npm registry by user 'click2ai' maintainer email [email protected] as part of a dependency-confusion / reconnaissance campaign. The package name mimics the internal/private package naming convention of a target organization the @flex-n...