20752 matches found
CVE-2026-42661
Custom role Path Traversal in WP Customer Area = 8.3.4 versions...
CVE-2026-42639
Unauthenticated SQL Injection in GD Rating System = 3.6.2 versions...
CVE-2026-42651
Subscriber Broken Access Control in Classified Listing = 5.3.9 versions...
CVE-2026-40798
Unauthenticated SQL Injection in wpForo Forum = 3.0.4 versions...
CVE-2026-40794
Subscriber Broken Access Control in myCred = 3.0.3 versions...
CVE-2026-40732
Unauthenticated Cross Site Scripting XSS in Notification for Telegram = 3.5 versions...
CVE-2026-39478
Contributor PHP Object Injection in Anti-Malware Security and Brute-Force Firewall = 4.23.87 versions...
CVE-2026-39471
Author PHP Object Injection in ShortPixel Image Optimizer = 6.4.3 versions...
CVE-2026-34901
Unauthenticated Privilege Escalation in iControlWP = 5.5.3 versions...
CVE-2026-27407
Editor Privilege Escalation in AI Engine = 3.4.9 versions...
CVE-2026-34898
Unauthenticated Broken Access Control in Event Tickets Manager for WooCommerce = 1.5.3 versions...
CVE-2026-23970
Unauthenticated Cross Site Scripting XSS in Redirection for Contact Form 7 = 3.2.8 versions...
CVE-2025-68851
Unauthenticated Cross Site Scripting XSS in Okay Toolkit = 2.3 versions...
EUVD-2026-36459
Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion...
Summary: A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause an OOM error. Details: The vulnerability exists in io.netty.handler.codec.http3.QpackDecoder#shouldWaitForDynamicTableUpdates: If a client sends a header...
CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not...
EUVD-2026-36887
Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot = 1.3.7 versions...
CVE-2026-49061 WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability
Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce <= 3.2.1 versions...
EUVD-2026-36865
Unauthenticated Cross Site Scripting XSS in Funnel Builder by FunnelKit = 3.15.0.2 versions...
EUVD-2026-36862
Subscriber Privilege Escalation in Amelia = 2.3 versions...