Netty HTTP/3 QPACK Blocked Streams Memory Exhaustion

Summary A memory exhaustion vulnerability in the Netty HTTP/3 codec allows the creation of an infinite number of blocked streams, which can cause OOM error. Details The vulnerability exists in io.netty.handler.codec.http3.QpackDecodershouldWaitForDynamicTableUpdates: If a client sends a header...

CVE-2026-48714 i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys proto, constructor, and prototype added in 3.9.3, see GHSA-5fgg-jcpf-8jjw, but did not...

EUVD-2026-36887

Unauthenticated PHP Object Injection in Integration for Contact Form 7 HubSpot = 1.3.7 versions...

CVE-2026-49061 WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability

Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce = 3.2.1 versions...

EUVD-2026-36865

Unauthenticated Cross Site Scripting XSS in Funnel Builder by FunnelKit = 3.15.0.2 versions...

EUVD-2026-36862

Subscriber Privilege Escalation in Amelia = 2.3 versions...

EUVD-2026-36849

Unauthenticated Cross Site Scripting XSS in MW WP Form = 5.1.3 versions...

EUVD-2026-36836

Subscriber Cross Site Scripting XSS in Modula Image Gallery = 2.14.23 versions...

CVE-2026-42661 WordPress WP Customer Area plugin <= 8.3.4 - Path Traversal vulnerability

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

CVE-2026-42658 WordPress Classified Listing plugin <= 5.3.8 - Cross Site Scripting (XSS) vulnerability

Unauthenticated Cross Site Scripting XSS in Classified Listing = 5.3.8 versions...

CVE-2026-42658

The CVE-2026-42658 entry concerns the WordPress Classified Listing plugin, affected versions

EUVD-2026-36823

Unauthenticated Cross Site Scripting XSS in Classified Listing = 5.3.8 versions...

EUVD-2026-36819

Subscriber Broken Access Control in Classified Listing = 5.3.9 versions...

CVE-2026-42651 WordPress Classified Listing plugin <= 5.3.9 - Broken Access Control vulnerability

Subscriber Broken Access Control in Classified Listing = 5.3.9 versions...

EUVD-2026-36815

Unauthenticated SQL Injection in GD Rating System = 3.6.2 versions...

EUVD-2026-36816

Unauthenticated Broken Access Control in Classified Listing = 5.3.8 versions...

EUVD-2026-36807

Unauthenticated SQL Injection in wpForo Forum = 3.0.4 versions...

CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...

CVE-2025-68851

CVE-2025-68851 refers to the WordPress Okay Toolkit plugin (&lt;= 2.3) and describes an unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability. The vulnerability was identified by Skalucy. The provided documents do not specify the exact vulnerable input, affected product version(s) be...

CVE-2025-68049

CVE-2025-68049 affects the WordPress bunny.net plugin, version up to 2.3.6, with a Broken Access Control flaw. The CVSS 3.1 base metrics indicate Low impact to confidentiality, integrity, and availability, and a network attack vector with low privileges required and no user interaction. The provi...