WordPress ARMember Premium – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin <= 7.3.1 - Authenticated (Subscriber+) SQL Injection vulnerability

Authenticated Subscriber+ SQL Injection vulnerability discovered by h0xilo in WordPress Plugin ARMember Premium versions = 7.3.1...

PT-2026-46068

Name of the Vulnerable Software and Affected Versions Active IQ Config Advisor version 6.7.3 Description Hard-coded credentials exist within the software, which could allow an authenticated attacker with low privileges to perform unauthorized AutoSupport operations. Recommendations At the moment,...

EUVD-2026-34005

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the 'order' parameter of the 'armdirectorypagingaction' AJAX action in all versions up to, and including, 7.3.1. This is due to insufficient escaping on the user-supplied 'order' and 'orderby' parameters and the lack of...

PT-2026-43980

Name of the Vulnerable Software and Affected Versions IBM i versions 7.3 through 7.6 Description A denial-of-service issue exists in the Integrated Language Environment ILE compiler due to uncontrolled recursion. An authenticated attacker can trigger this by compiling specially crafted source cod...

WeGIA 安全漏洞

WeGIA is a network manager for a welfare organization developed by Nilson Lazarin. Versions of WeGIA prior to 3.7.3 contained security vulnerabilities. These vulnerabilities stemmed from the use of a salted SHA-256 hash algorithm in login and password change processes, which could lead to rainbow...

WordPress JobCareer theme <= 7.3 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by Denver Jackson in WordPress Theme JobCareer versions = 7.3...

EUVD-2026-30175

CubeCart is an ecommerce software solution. Prior to 6.7.3, an admin with documents edit permission can save raw into the Invoice Editor. The next time any admin clicks Print on any order, the rendered template is written to files/print..php. files/.htaccess ships an explicit allow from all...

PT-2026-40814

Name of the Vulnerable Software and Affected Versions CubeCart versions prior to 6.7.3 Description An administrator with documents edit permission can save raw PHP code into the Invoice Editor. When any administrator clicks Print on an order, the rendered template is written to files/print..php...

CVE-2026-44547

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

CVE-2026-44548

CVE-2026-44548 affects ChurchCRM up to version 7.3.1. A top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php can cause a logged-in user with the relevant role to silently delete records, including cascaded property...

CVE-2026-44547

CVE-2026-44547 affects ChurchCRM 7.2.0–7.2.2, where an incomplete fix for CVE-2026-4058 left the public login path exploitable. The hardening commit was merged but silently stripped from src/api/routes/public/public-user.php before any 7.2.x tag was cut, so all 7.2.x releases remain vulnerable. T...

EUVD-2026-29884

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

CVE-2026-42288 ChurchCRM: Incomplete fix for CVE-2026-39337: Unauthenticated RCE in Setup Wizard via unsanitized DB_PASSWORD

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

EUVD-2026-29876

ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DBPASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2...

Apple iOS和Apple iPadOS 安全漏洞

Apple iOS and Apple iPadOS are products of the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple iPadOS is an operating system for iPad tablets. There were security vulnerabilities in versions prior to Apple iOS 18.7.3, iPadOS 18.7.3, iOS 26.2, and iPadO...

PT-2026-40463

ChurchCRM is an open-source church management system. From 7.2.0 to 7.2.2, The fix for CVE-2026-4058 is incomplete. The hardening commit was merged and then silently stripped from src/api/routes/public/public-user.php by an unrelated PR before any 7.2.x tag was cut. Every shipped 7.2.x release...

CVE-2026-42160

Data Space Portal is an open-source Software as a Service SaaS solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. Th...

GHSA-C6WJ-9VCJ-75PJ Wagtail has improper permission handling when comparing revisions

Impact A CMS user without the ability to edit a page could access revisions of the page through the revision compare view if they knew the primary key of two revisions. This could potentially result in disclosure of sensitive information. Patches Patched versions have been released as Wagtail 7.0...

CVE-2026-42160

Data Space Portal is an open-source Software as a Service SaaS solution designed to streamline Dataspace management. From version 2.1.1 to before version 7.3.2, there is insufficient authorization in the dataspace-portal backend regarding self-registered "PENDING" organization / user accounts. Th...