CVE-2026-31873 Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe safe.ts uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...
CVE-2026-31860 Unhead has an XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs...
unhead Cross-Site Scripting Vulnerability
unhead is a document header and template manager developed by UnJS. Versions of unhead prior to 2.1.11 contained a cross-site scripting vulnerability. This vulnerability stemmed from the link.href check being case-sensitive, which could allow attackers to inject arbitrary CSS for UI masking or da...
CVE-2026-2861
A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to versi...
CVE-2025-60045
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11...
CVE-2025-60045 WordPress IDonatePro plugin <= 2.1.11 - Broken Access Control vulnerability
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11...
CVE-2025-60045
CVE-2025-60045 describes a Missing Authorization vulnerability in the WordPress plugin IDonatePro (IDonate-pro) affecting versions up to 2.1.11. The root cause is lack of proper authorization checks allowing access to functionality not constrained by ACLs, i.e., a broken access control issue. The...
EUVD-2025-204140
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11...
PT-2025-52106
Missing Authorization vulnerability in ThemeAtelier IDonatePro idonate-pro allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects IDonatePro: from n/a through <= 2.1.11...
EUVD-2024-41464
Malicious code in bioql PyPI...
WordPress Blocksy Companion plugin <= 2.1.10 - Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via blocksy_newsletter_subscribe Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Blocksy Companion versions <= 2.1.10...
CVE-2025-58642 WordPress LTL Freight Quotes – Day & Ross Edition Plugin <= 2.1.11 - PHP Object Injection Vulnerability
Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Day & Ross Edition ltl-freight-quotes-day-ross-edition allows Object Injection. This issue affects LTL Freight Quotes – Day & Ross Edition: from n/a through <= 2.1.11...
CVE-2025-58642
CVE-2025-58642 corresponds to a Deserialization of Untrusted Data vulnerability in the WordPress plugin LTL Freight Quotes – Day & Ross Edition. Affected: Day & Ross Edition up to 2.1.11. Root cause: PHP object injection via untrusted data deserialization. Impact (as stated): high confidentiality...
PT-2025-35770
Name of the Vulnerable Software and Affected Versions: LTL Freight Quotes – Day & Ross Edition versions through 2.1.11 Description: Deserialization of untrusted data in LTL Freight Quotes – Day & Ross Edition allows object injection. Recommendations: At the moment, there is no information about a...
CVE-2024-45412
Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial o...
CVE-2024-38769
Missing Authorization vulnerability in Tyche Softwares Arconix Shortcodes allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Arconix Shortcodes: from n/a through 2.1.11...
PT-2024-28205 · Unknown · Arconix Shortcodes
Name of the Vulnerable Software and Affected Versions: Arconix Shortcodes versions 2.1.11 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows accessing functionality not properly constrained by Access Control Lists (ACLs). Recommendations: For versio...
WordPress plugin Arconix Shortcodes Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A security vulnerability...
WordPress plugin WP Crowdfunding Cross-Site Scripting Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform supports setting up personal blog sites on servers with PHP and MySQL. WordPress plugin is an application plugin. A cross-site...
CVE-2024-45412 Yeti affected by a Potential Denial of Service due to the One Million Unicode characters attack
Yeti bridges the gap between CTI and DFIR practitioners by providing a Forensics Intelligence platform and pipeline. Remote user-controlled data tags can reach a Unicode normalization with a compatibility form NFKD. Under Windows, such normalization is costly in resources and may lead to denial o...