Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: nodejs-requirejs (UTSA-2026-021492)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021492 advisory. jrburke requirejs v2.3.6 was discovered to contain a prototype pollution via the function s.contexts..configure. This vulnerability allows attackers to execute...

CVE-2026-41233

Froxlor is open source server administration software. Prior to version 2.3.6, in Domains.add, the adminid parameter is accepted from user input and used without validation when the calling reseller does not have the customersseeall permission. This allows a reseller to attribute newly created...

CVE-2026-41228

Froxlor is open source server administration software. Prior to version 2.3.6, the Froxlor API endpoint Customers.update and Admins.update does not validate the deflanguage parameter against the list of available language files. An authenticated customer can set deflanguage to a path traversal...

CVE-2026-41232

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

EUVD-2026-25186

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

CVE-2026-41232 Froxlor has an Email Sender Alias Domain Ownership Bypass via Wrong Array Index that Allows Cross-Customer Email Spoofing

Froxlor is open source server administration software. Prior to version 2.3.6, in EmailSender::add, the domain ownership validation for full email sender aliases uses the wrong array index when splitting the email address, passing the local part instead of the domain to...

EUVD-2026-25178

Froxlor is open source server administration software. Prior to version 2.3.6, PhpHelper::parseArrayToString writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with changeserversettings permission adds or updates a MySQL server via the API, t...

CVE-2026-41228

Froxlor prior to 2.3.6 is vulnerable to Local File Inclusion via the API parameter def_language used by Customers.update/Admins.update. An authenticated user can set def_language to a path traversal payload, which is stored and later used to require a file, resulting in arbitrary PHP code executi...

PT-2026-34635

Froxlor is open source server administration software. Prior to version 2.3.6, DataDump.add constructs the export destination path from user-supplied input without passing the $fixed homedir parameter to FileDir::makeCorrectDir, bypassing the symlink validation that was added to all other...

CVE-2026-39614 WordPress JW Player for WordPress plugin <= 2.3.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through = 2.3.6...

PT-2026-31179

Missing Authorization vulnerability in ilGhera JW Player for WordPress jw-player-7-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JW Player for WordPress: from n/a through = 2.3.6...

CVE-2026-2503

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'metaquerycompare' parameter in the 'tcgselect2searchpost' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query...

WordPress ElementCamp plugin <= 2.3.6 - Authenticated (Author+) SQL Injection via 'meta_query[compare]' Parameter vulnerability

Authenticated Author+ SQL Injection via 'metaquerycompare' Parameter vulnerability discovered by Itthidej Aramsri Boeing777 in WordPress Plugin ElementCamp versions = 2.3.6...

CVE-2026-2503

The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'metaquerycompare' parameter in the 'tcgselect2searchpost' AJAX action in all versions up to, and including, 2.3.6. This is due to the user-supplied compare value being placed as an SQL operator in the query...

CVE-2026-2503

CVE-2026-2503 describes a time-based SQL Injection in the ElementCamp WordPress plugin through the meta_query[compare] parameter used by the tcg_select2_search_post AJAX action, affecting all versions up to 2.3.6. The vulnerability arises because the user-supplied compare value is used as an SQL ...

CVE-2025-68844

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through = 2.3.6...

CVE-2025-63057

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS.This issue affects Wp Ultimate Review: from n/a through = 2.3.7...

CVE-2025-63057 WordPress Wp Ultimate Review plugin <= 2.3.7 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS.This issue affects Wp Ultimate Review: from n/a through = 2.3.7...

CVE-2025-63057

CVE-2025-63057 refers to a DOM-based XSS in the WordPress plugin WP Ultimate Review (Roxnor) affecting versions from and including up to 2.3.7. The vulnerability arises from improper input neutralization during web page generation, enabling cross-site scripting on pages rendered by the plugin. Pu...

PT-2025-50057

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Roxnor Wp Ultimate Review wp-ultimate-review allows DOM-Based XSS.This issue affects Wp Ultimate Review: from n/a through = 2.3.6...