CVE-2026-6127 Elementor Website Builder <= 4.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via REST API
The Elementor Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the elementordata meta field in versions up to, and including, 4.0.4. This is due to insufficient input sanitization when processing form-encoded REST API requests. The plugin registers the...
WordPress plugin Elementor Website Builder Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS
Impact: A stored Cross-Site Scripting (XSS) vulnerability in Jupyter Notebook allows attackers to steal authentication tokens from users who open malicious notebook files and interact with elements that the attacker can make look indistinguishable from legitimate controls (single-click interaction). T...
WordPress plugin Complianz – GDPR/CCPA Cookie Consent Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
PT-2026-35885
Name of the Vulnerable Software and Affected Versions Complianz – GDPR/CCPA Cookie Consent versions prior to 7.4.6 Description Unauthorized data access is possible due to the REST API endpoint "/wp-json/complianz/v1/consent-area/post id/block id" using return true as the permission callback, whic...
Cross-origin Data Exfiltration
Glances is vulnerable to Cross-origin Data Exfiltration. The vulnerability is due to the REST API /api/4/ being exposed without authentication and configured with a permissive CORS policy (Access-Control-Allow-Origin: *), allowing malicious websites to access and exfiltrate sensitive system...
Server-Side Template Injection (SSTI)
getkirby/cms is vulnerable to Server-Side Template Injection (SSTI). The vulnerability is due to improper enforcement of page status permissions during page creation through the REST API, which allows an attacker to create published pages directly and bypass the intended editorial workflow...
CVE-2026-40099
Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...
Kirby Security Vulnerability
Kirby is a file-based open-source content management system. Versions of Kirby prior to 4.9.0 and 5.4.0 have security vulnerabilities. These vulnerabilities stem from the fact that the changeStatus permission does not take effect during page creation. This could allow authenticated...
CVE-2026-34839
Glances is an open-source cross-platform system monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API /api/4/ that is accessible without authentication and allows cross-origin requests from any origin due to a permissive CORS policy (Access-Control-Allow-Origin: *). This...
CVE-2026-34839
Summary: Glances before v4.5.4 exposes the REST API under /api/4/* without authentication and with a permissive CORS policy (Access-Control-Allow-Origin: *), enabling cross-origin requests to read extensive system data. Affected endpoint examples include /api/4/all, which returns process lists, h...
MAL-2026-2832 Malicious code in ixosrestinterface (PyPI)
Source: kam193 (e2fe4fe4fa9a0b286aec54345ba951ff46306f88ef7f106fa1bd2496e34c7898). Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. Category: PROBABLYPENTES...
CVE-2026-3595
The Riaxe Product Customizer plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.2. This is due to the plugin registering a REST API route at POST /wp-json/InkXEProductDesignerLite/customer/deletecustomer without a permission_callback, causing...
CVE-2026-40104
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 1.8-rc-1, 17.0.0-rc-1 and 17.5.0-rc-1 and prior include a resource exhaustion vulnerability in REST API endpoints such as...
Schneider Electric PowerChute Serial Shutdown Path Traversal Vulnerability
Schneider Electric PowerChute Serial Shutdown is a UPS management, normal shutdown and energy management software from Schneider Electric, France. A path traversal vulnerability exists in Schneider Electric PowerChute Serial Shutdown, which can be exploited by an attacker to cause a web...
CVE-2026-1830
The CVE concerns the WordPress plugin Quick Playground (version range: all up to 1.3.1). The vulnerability arises from insufficient authorization checks on REST API endpoints that expose a sync code and permit arbitrary file uploads, enabling unauthenticated Remote Code Execution. Attackers coul...
WordPress plugin Quick Playground Security Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...
WordPress Riaxe Product Customizer plugin <= 2.4 - Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability
Unauthenticated Sensitive Information Disclosure via '/orders' REST API Endpoint vulnerability discovered by Kai Aizen in WordPress Plugin Riaxe Product Customizer versions <= 2.4...
CVE-2026-5632
CVE-2026-5632 concerns assafelovic gpt-researcher (versions up to 3.4.3), in which the HTTP REST API endpoint has a missing-authentication issue when handling a manipulated request. The vulnerability is remote, with PROOF-OF-CONCEPT exploitation and a CVSS base score in the MEDIUM-HIGH range across CVSS version...
Enhancing REST API Fuzzing with Access Policy Violation Checks and Injection Attacks
Due to their widespread use in industry, several techniques have been proposed in the literature to fuzz REST APIs. Existing fuzzers for REST APIs have focused on detecting crashes (e.g., HTTP 500 server error status codes). However, security vulnerabilities can have drastic consequences...