Keep getting calls from questionable numbers? Meet Scam Number Check

Have you ever gotten a phone call and had a gut feeling that those random digits looked extra suspicious? It happens to millions of people every day. While many people have trained themselves to ignore such calls, they still pose a threat across the US. In fact, scammers stole more than $21 billi...

Scammers pretending to be Microsoft had help from US executives

A pop-up appears on your computer, warning of a virus. You call the "Microsoft technician" in the pop-up message, and they explain that they need remote access to fix it. Most of us know this script by now. It's a scam, operated by people intent on siphoning money from your account. A court case...

Malicious code in celonix-otp-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector df58532b5edb3f7a5ad9734a7f4fa46f062c0f220d578db42a223188d078d9bb The package presents itself as a React OTP component, but its only exported widget hardcodes a single Firebase Realtime Database URL...

report-anonymizer

🛡️ Report Anonymizer Local LLM anonymizer for penetration-t...

CVE-2026-40174

Masa CMS CSRF in user address management (cUsers.updateAddress) affects versions 7.5.2 and earlier. An attacker can lure a logged-in administrator into submitting forged requests to add, modify, or delete user address records (including emails and phone numbers), potentially altering contact info...

CVE-2026-40174 Masa CMS CSRF in user address management allows unauthorized address changes

Masa CMS is a content management system forked from Mura CMS. In versions 7.5.2 and earlier, the cUsers.updateAddress function does not properly validate anti-CSRF tokens for user address management operations. An attacker can induce a logged-in administrator to submit a forged request that adds,...

CVE-2026-33736

Chamilo LMS prior to version 2.0.0-RC.3 is affected by an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user (including ROLE_STUDENT) to enumerate all platform users and retrieve personal information (email, phone, roles) via GET /api/users, potentially expos...

CVE-2026-34759

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. Thes...

CVE-2026-34759 OneUptime: Unauthenticated notification API endpoints - financial abuse via phone number purchase, service disruption, and SMTP credential exposure

OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, multiple notification API endpoints are registered without authentication middleware, while sibling endpoints in the same codebase correctly use ClusterKeyAuthorization.isAuthorizedServiceMiddleware. Thes...

CVE-2025-10734

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the syncedData function. This makes it possible for unauthenticated...

CVE-2025-10734

The CVE-2025-10734 entry documents a vulnerability in the ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More WordPress plugin (up to v2.2.12). The issue arises from the syncedData function, enabling unauthenticated attackers to extract sensit...

CVE-2025-10731

The ReviewX – WooCommerce Product Reviews with Multi-Criteria, Reminder Emails, Google Reviews, Schema & More plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.2.12 via the allReminderSettings function. This makes it possible for...

CVE-2026-2720 Hr Press Lite <= 1.0.2 - Missing Authorization to Authenticated (Subscriber+) Sensitive Employee Information Exposure

The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the hrp-fetch-employees AJAX action in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers, with Subscriber-level...

CVE-2026-1980

The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'getcustomerlist' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information includin...

CVE-2026-1980

The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'getcustomerlist' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information includin...

CVE-2026-1980

CVE-2026-1980 refers to the WPBookit WordPress plugin, affecting versions up to 1.0.8. Root cause: missing authorization on the get_customer_list route, enabling unauthenticated attackers to disclose sensitive customer data (names, emails, phone numbers, dates of birth, gender). Impact: unauthori...

PT-2026-22859

The WPBookit plugin for WordPress is vulnerable to unauthorized data disclosure due to a missing authorization check on the 'get customer list' route in all versions up to, and including, 1.0.8. This makes it possible for unauthenticated attackers to retrieve sensitive customer information...

CVE-2026-1833

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...

CVE-2026-1833

CVE-2026-1833 describes a vulnerability in the WordPress WaMate Confirm – Order Confirmation plugin (versions

CVE-2026-1833 WaMate Confirm <= 2.0.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Phone Number Blocking/Unblocking

The WaMate Confirm – Order Confirmation plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with...