199 matches found
EUVD-2026-43164
The W3 Total Cache plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 2.9.4 via the setupSources function. This makes it possible for unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive...
CVE-2026-59892
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...
CVE-2026-59892 OpenTelemetry JavaScript: Denial of service in `JaegerPropagator` via unhandled exception on a malformed header
OpenTelemetry JavaScript is the OpenTelemetry JavaScript client. Prior to 2.9.0, @opentelemetry/propagator-jaeger decodes incoming uber-trace-id and uberctx- HTTP header values with decodeURIComponent without handling decode errors, allowing an unauthenticated remote attacker to send a malformed...
WordPress Brook theme <= 2.9.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Brook versions = 2.9.0...
CVE-2026-57353
Subscriber Broken Access Control in Link Whisper Premium = 2.9.0 versions...
CVE-2026-57353 WordPress Link Whisper Premium plugin <= 2.9.0 - Broken Access Control vulnerability
Subscriber Broken Access Control in Link Whisper Premium = 2.9.0 versions...
CVE-2026-57341
Unauthenticated Insecure Direct Object References IDOR in Colissimo Officiel : Méthodes de livraison pour WooCommerce = 2.9.0 versions...
CVE-2026-47214 Docling: Unsafe URI and Path Handling in HTML Backend
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0...
CVE-2026-39595
Author Broken Access Control in W3 Total Cache = 2.9.1 versions...
CVE-2026-49778 WordPress WPFunnels Pro plugin <= 2.9.4 - Cross Site Scripting (XSS) vulnerability
Unauthenticated Cross Site Scripting XSS in WPFunnels Pro = 2.9.4 versions...
CVE-2026-49766
CVE-2026-49766 affects the WordPress plugin WP User Manager (versions ≤ 2.9.16). The vulnerability is described as an Arbitrary File Deletion issue reported for subscribers. The available metrics indicate a CRITICAL impact (CVSS 3.1: 9.9; NETWORK attack vector; LOW privileges required; no user in...
PT-2026-48371
Name of the Vulnerable Software and Affected Versions QuMagie versions prior to 2.9.0 Description A missing authorization issue allows remote attackers to access unauthorized data or perform unauthorized actions. Recommendations Update to version 2.9.0 or later...
CVE-2026-5831
A security flaw has been discovered in Agions taskflow-ai up to 2.1.8. This impacts an unknown function of the file src/mcp/server/handlers.ts of the component terminalexecute. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. Upgrading ...
CVE-2026-45413
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...
PT-2026-47074
Name of the Vulnerable Software and Affected Versions WP User Manager – User Profile Builder & Membership versions prior to 2.9.18 Description The plugin is susceptible to Local File Inclusion, a condition where an application includes files on a local server unexpectedly. This occurs through the...
GHSA-RXV8-25V2-QMQ8 React Router vulnerable to Denial of Service via reflected user input in single-fetch
A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...
Arbitrary Command Injection
Overview launch-editor is a launch editor from node.js Affected versions of this package are vulnerable to Arbitrary Command Injection due to improper sanitization of the file argument on Windows systems. An attacker can execute arbitrary commands by supplying a specially crafted filename as the...
CVE-2026-45413 MaxKB: Unsalted MD5 Password Hashing
MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...
Astra Linux – Vulnerability in libxml2
The parser.c file in libxml2 before version 2.9.5 does not prevent infinite recursion in parameter entities...
Astra Linux – Vulnerability in ModSecurity-Apache
ModSecurity is an open-source, cross-platform Web Application Firewall WAF engine for Apache, IIS, and Nginx. Versions prior to 2.9.10 contain a denial-of-service vulnerability similar to GHSA-859r-vvv8-rm8r/CVE-2025-47947. The sanitiseArg and sanitizeArg – it’s the same action, just a alias...