2846 matches found

Cvelist, added yesterday, 30 views

CVE-2026-13331 Groundhogg <= 4.5.5 - Authenticated (Marketer+) SQL Injection via 'search' Parameter

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'search' parameter in all versions up to, and including, 4.5.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 6.5, EPSS 0.0028, Exploits 0, References 7

NVD, added 2 days ago, 6 views

CVE-2026-57667

Sales Representative SQL Injection in Groundhogg = 4.5 versions...

CVSS 8.5, EPSS 0.00211, Exploits 0, References 1

NVD, added 2 days ago, 4 views

CVE-2026-56055

Subscriber PHP Object Injection in RealHomes = 4.5.3 versions...

CVSS 8.8, EPSS 0.00391, Exploits 0, References 1

NVD, added 2 days ago, 4 views

CVE-2026-54832

Unauthenticated Broken Access Control in Gutenverse Companion = 2.5.0 versions...

CVSS 7.5, EPSS 0.00238, Exploits 0, References 1

EUVD, added 2 days ago, 5 views

EUVD-2026-39671

Sales Representative SQL Injection in Groundhogg = 4.5 versions...

CVSS 8.5, AI score 5.8, EPSS 0.00211, Exploits 0, References 1

EUVD, added 2 days ago, 3 views

EUVD-2026-39756

Unauthenticated Cross Site Request Forgery CSRF in Real Estate 7 = 3.5.9 versions...

CVSS 6.5, AI score 5.8, EPSS 0.00127, Exploits 0, References 1

Cvelist, added 2 days ago, 31 views

CVE-2026-57641 WordPress Real Estate 7 theme <= 3.5.9 - Cross Site Request Forgery (CSRF) vulnerability

Unauthenticated Cross Site Request Forgery CSRF in Real Estate 7 = 3.5.9 versions...

CVSS 6.5, EPSS 0.00127, Exploits 0, References 1

EUVD, added 2 days ago, 3 views

EUVD-2026-39724

Unauthenticated Cross Site Scripting XSS in WoodMart = 8.5.3 versions...

CVSS 7.1, AI score 5.8, EPSS 0.0018, Exploits 0, References 1

EUVD, added 2 days ago, 5 views

EUVD-2026-39710

Subscriber PHP Object Injection in RealHomes = 4.5.3 versions...

CVSS 8.8, AI score 5.8, EPSS 0.00391, Exploits 0, References 1

EUVD, added 2 days ago, 3 views

EUVD-2026-39674

Unauthenticated SQL Injection in Real Estate 7 = 3.5.9 versions...

CVSS 9.3, AI score 5.8, EPSS 0.00283, Exploits 0, References 1

Patchstack, added 2 days ago, 7 views

WordPress Groundhogg plugin <= 4.5 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Baikuya in WordPress Plugin Groundhogg versions = 4.5...

CVSS 8.5, AI score 5.8, EPSS 0.00211, Exploits 0, Affected Software 1

Patchstack, added 2 days ago, 6 views

WordPress WP Job Portal plugin <= 2.5.2 - SQL Injection vulnerability

SQL Injection vulnerability discovered by hhhai in WordPress Plugin WP Job Portal versions = 2.5.2...

CVSS 8.5, AI score 5.8, EPSS 0.00211, Exploits 0, Affected Software 1

EUVD, added 2 days ago, 8 views

EUVD-2026-39615

The Groundhogg — CRM, Newsletters, and Marketing Automation plugin for WordPress is vulnerable to generic SQL Injection via the 'after' parameter in all versions up to, and including, 4.5.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVSS 6.5, AI score 6, EPSS 0.00281, Exploits 0, References 8

EUVD, added 3 days ago, 6 views

EUVD-2026-38387

MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies...

CVSS 9.1, AI score 5.8, EPSS 0.00236, Exploits 0, References 2

CVE, added 3 days ago, 24 views

CVE-2026-46607

CVE-2026-46607 describes an insecure deserialization vulnerability in Glances, where a version-check cache file (~/.cache/glances/glances-version.db) is loaded with pickle without validation. An attacker with write access to the cache path can introduce a malicious pickle and achieve arbitrary co...

CVSS 7.8, AI score 6.5, EPSS 0.00303, Exploits 0, References 2

NVD, added 3 days ago, 3 views

CVE-2026-49506

Dell Wyse Management Suite, versions prior to WMS 5.5 HF1, contain an Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Remote Code Execution...

CVSS 7.2, EPSS 0.00548, Exploits 0, References 1

CVE, added 3 days ago, 15 views

CVE-2026-41120

CVE-2026-41120 affects Dell Wyse Management Suite prior to 5.5 HF1. The vulnerability is described as an Acceptance of Extraneous Untrusted Data With Trusted Data, enabling a low-privilege, remote attacker to potentially achieve Remote Code Execution. The connected sources indicate the fix is ava...

CVSS 9.8, AI score 6, EPSS 0.00255, Exploits 0, References 1, Affected Software 1

CVE, added 3 days ago, 8 views

CVE-2026-49506

Dell Wyse Management Suite before version 5.5 HF1 is affected by CVE-2026-49506: an improper limitation of a pathname to a restricted directory (path traversal) could allow a high-privilege attacker with remote access to achieve remote code execution. Affected product: Dell Wyse Management Suite;...

CVSS 7.2, AI score 6, EPSS 0.00548, Exploits 0, References 1, Affected Software 1

CVE, added 4 days ago, 5 views

CVE-2026-47733

Rocket.Chat CVE-2026-47733 affects the ImageElement in packages/gazzodown prior to 8.5.0, where user-controlled src values are inserted into and without protocol sanitization. An authenticated user can post markdown images with a javascript: URL that, on older browsers, could execute arbitrary ...

CVSS 4.4, AI score 6.1, EPSS 0.00118, Exploits 0, References 1

CVE, added 4 days ago, 12 views

CVE-2026-9643

WP Meta SEO for WordPress insert(). This allows injection of arbitrary scripts that execute when an administrator visits the 404 & Redirects admin page (/wp-admin/admin.php?page=metaseo_broken_link). Exploitation details are not provided beyond the generic flow; no fixes, mitigations, or exploita...

CVSS 7.2, AI score 6, EPSS 0.00241, Exploits 0, References 6