
9273 matches found

NVD
added 4 hours ago, 2 views

CVE-2026-12165

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter. This is due to the plugin's admin menu being registered at the editposts...

8.8 CVSS
Exploits 0, References 6
EUVD
added 8 hours ago, 3 views

EUVD-2026-37656

Subscriber Arbitrary File Download in Woocommerce Book Price = 1.3 versions...

7.5 CVSS, 5.2 AI score
Exploits 0, References 1
Cvelist
added 8 hours ago, 3 views

CVE-2025-60223 WordPress WPBot Pro Wordpress Chatbot plugin <= 13.6.5 - Arbitrary File Deletion vulnerability

Subscriber Arbitrary File Deletion in WPBot Pro Wordpress Chatbot <= 13.6.5 versions...

7.7 CVSS
Exploits 0, References 1
CVE
added 8 hours ago, 7 views

CVE-2026-12165

CVE-2026-12165 affects the WordPress plugin “Contest Gallery” (versions

8.8 CVSS, 5.2 AI score
Exploits 0, References 6
EUVD
added 8 hours ago, 3 views

EUVD-2026-37586

The Contest Gallery – Upload & Vote Photos, Media, Sell with PayPal & Stripe plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 30.0.2 via the RegistryUserRole parameter. This is due to the plugin's admin menu being registered at the editposts...

8.8 CVSS, 5.3 AI score
Exploits 0, References 6
Nuclei
added 12 hours ago, 21 views

Flowise < 3.0.1 - Remote Command Execution

The Custom MCPs feature is designed to execute OS commands, for instance, using tools like npx to spin up local MCP Servers. However, Flowise's inherent authentication and authorization model is minimal and lacks role-based access controls (RBAC). Furthermore, in Flowise versions before 3.0.1 the...

9.8 CVSS, 5.9 AI score, 0.70866 EPSS
Exploits 3, References 2
Nuclei
added 12 hours ago, 15 views

HyperComments <= 1.2.2 - Arbitrary Options Update

The HyperComments plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the hcrequesthandler function in all versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to...

8.8 CVSS, 5.4 AI score, 0.01679 EPSS
Exploits 4, References 2
Nuclei
added 12 hours ago, 17 views

Uncanny Automator <= 6.3.0.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

The Uncanny Automator - Easy Automation, Integration, Webhooks & Workflow Builder Plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 6.3.0.2. This is due to addrole and userrole functions missing proper capability checks performed through the...

8.8 CVSS, 8.4 AI score, 0.02116 EPSS
Exploits 0, References 4
Nuclei
added 12 hours ago, 97 views

Github Enterprise Authenticated Remote Code Execution

An unsafe reflection vulnerability was identified in GitHub Enterprise Server that could lead to reflection injection. This vulnerability could lead to the execution of user-controlled methods and remote code execution. To exploit this bug, an actor would need to be logged into an account on the...

9.8 CVSS, 8.5 AI score, 0.71725 EPSS
Exploits 1, References 5
CVE
added yesterday, 9 views

CVE-2025-69103

CVE-2025-69103 affects WordPress Brikk theme ≤ 3.0.0. According to the records, a Subscriber can cause Arbitrary Content Deletion. CVSS 3.1 base score 7.5 (HIGH) with NETWORK attack vector, Low attack complexity, no privileges required, no user interaction, availability impact. No root-cause deta...

7.5 CVSS, 5.2 AI score
Exploits 0, References 1
NVD
added yesterday, 6 views

CVE-2026-12398

A command injection vulnerability was found in galaxy_ng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

7.5 CVSS
Exploits 0, References 2
NVD
added yesterday, 7 views

CVE-2025-14272

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions...

8.3 CVSS
Exploits 0, References 1
CVE
added yesterday, 9 views

CVE-2026-12398

A command injection vulnerability was found in galaxy_ng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

7.5 CVSS, 6.3 AI score
Exploits 0, References 2
Cvelist
added yesterday, 24 views

CVE-2026-12398 Galaxy_ng: shell injection in legacy role import via unsanitized git ref names

A command injection vulnerability was found in galaxy_ng. The dogitcheckout function in the legacy role import API v1 interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...

7.5 CVSS
Exploits 0, References 2
CVE
added yesterday, 11 views

CVE-2025-14272

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions...

8.3 CVSS, 5.5 AI score
Exploits 0, References 1
Cvelist
added yesterday, 22 views

CVE-2025-14272 Rockwell Automation FactoryTalk Analytics PavilionX

A security issue was identified in Pavilion due to improper authorization enforcement in API endpoints. This vulnerability can allow an unauthorized actor to execute privileged operations, including user/role management and other administrative actions...

8.3 CVSS
Exploits 0, References 1
GithubExploit
added 2 days ago, 39 views

Exploit for CVE-2026-54596

CVE-2026-54596 - Authenticated SQL Injection via recurringinv...

6.1 AI score
Exploits 0
EUVD
added 2 days ago, 5 views

EUVD-2025-210157

Custom role Insecure Direct Object References (IDOR) in Projectopia = 5.1.25.2 versions...

7.5 CVSS, 5.2 AI score, 0.00287 EPSS
Exploits 0, References 2
NVD
added 2 days ago, 4 views

CVE-2026-42661

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

8.8 CVSS, 0.00371 EPSS
Exploits 0, References 1
NVD
added 2 days ago, 6 views

CVE-2025-59133

Custom role Insecure Direct Object References (IDOR) in Projectopia = 5.1.25.2 versions...

7.5 CVSS, 0.00287 EPSS
Exploits 0, References 1