121011 matches found
CVE-2026-7523
The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...
CVE-2026-46395
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...
CVE-2026-45746
Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.3.2, the File Manager functionality in Termix contains a critical Broken Access Control vulnerability due to improper validation of the sessionId parameter. The backend...
BIT-DJANGO-2026-8404 Potential exposure of private data via case-sensitive Cache-Control directives in UpdateCacheMiddleware
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not match Cache-Control response directives case-insensitively, which allows remote attackers to read responses that were incorrectly cached because their...
BIT-DJANGO-2026-48587 Potential exposure of private data via whitespace padding in Vary header
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.utils.cache.hasvaryheader in Django does not strip leading or trailing whitespace from Vary response header values before comparison, which allows remote attackers to read cached responses via requests to URLs whose...
BIT-DJANGO-2026-35193 Potential exposure of private data via missing Vary: Authorization in UpdateCacheMiddleware
An issue was discovered in Django 5.2 before 5.2.15 and 6.0 before 6.0.6. django.middleware.cache.UpdateCacheMiddleware in Django does not add Authorization to the Vary response header for requests bearing that header without Cache-Control: public, which allows remote attackers to read private...
CVE-2026-7665
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajaxloadmore function due to insufficient restrictions on which posts can be included. This makes it possible f...
PrivateGPT < 0.5.0 - Open Redirect
An open redirect vulnerability exists in imartinez/privategpt version 0.5.0 due to improper handling of the 'file' parameter. This vulnerability allows attackers to redirect users to a URL specified by user-controlled input without proper validation or sanitization. id: CVE-2024-5936 info: name:...
Premium Addons for Elementor - Unauthenticated Information Disclosure
Premium Addons for Elementor plugin for WordPress version 4.11.53 and below contains an unauthenticated information disclosure vulnerability.The vulnerability exists due to a missing authorization check in the gettemplatecontent AJAX handler, allowing unauthenticated attackers to retrieve private...
WordPress Simple Job Board - Unauthorized Data Access
The Simple Job Board plugin for WordPress is vulnerable to unauthorized data access due to insufficient authorization checking in the fetchquickjob function in all versions up to and including 2.10.8. This makes it possible for unauthenticated attackers to fetch arbitrary posts, which can be...
WordPress 3D FlipBook <= 1.16.17 - Information Disclosure
WordPress 3D FlipBook - PDF Flipbook Viewer, Flipbook Image Gallery plugin versions = 1.16.17 contain a missing authorization vulnerability in multiple AJAX endpoints. The fb3dsendpostsin, fb3dsendpostpages, fb3dsendpostsinpages, fb3dsendpostsinfirstpage, and fb3dsendpostfirstpage handlers are...
My Calendar WordPress Plugin - Information Disclosure
My Calendar WordPress plugin = 3.7.6 contains an injection vulnerability caused by unvalidated user input passed to parsestr in mcajaxmcjsaction endpoint, letting unauthenticated attackers access or crash sites via switchtoblog, exploit requires WordPress Multisite or Single Site setup. id:...
EUVD-2026-34950
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajaxloadmore function due to insufficient restrictions on which posts can be included. This makes it possible f...
CVE-2026-7665 Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajaxloadmore function due to insufficient restrictions on which posts can be included. This makes it possible f...
CVE-2026-7665 Essential Addons for Elementor <= 6.6.4 - Missing Authorization to Unauthenticated Information Exposure via 'load_more' AJAX Handler
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajaxloadmore function due to insufficient restrictions on which posts can be included. This makes it possible f...
CVE-2026-7665
The Essential Addons for Elementor – Popular Elementor Templates & Widgets plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 6.6.4 via the ajaxloadmore function due to insufficient restrictions on which posts can be included. This makes it possible f...
CVE-2026-7665
CVE-2026-7665 affects the WordPress plugin Essential Addons for Elementor (up to version 6.6.4). The issue arises in the ajax_load_more handler, with insufficient restrictions on which posts can be returned, enabling unauthenticated attackers to extract data from password-protected, private, or d...
CVE-2026-9008
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelistunqprfxextshortcode function the pagelistext / pagelistext shortcode accepting attacker-controlled poststatus, posttype, and showmetakey attributes and...
CVE-2026-9008 Page-list <= 6.2 - Missing Authorization to Authenticated (Contributor+) Sensitive Information Disclosure via Shortcode Attributes
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelistunqprfxextshortcode function the pagelistext / pagelistext shortcode accepting attacker-controlled poststatus, posttype, and showmetakey attributes and...
CVE-2026-9008
The Page-list plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.2. This is due to the pagelistunqprfxextshortcode function the pagelistext / pagelistext shortcode accepting attacker-controlled poststatus, posttype, and showmetakey attributes and...