CVE-2026-6397

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

CVE-2026-45344

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...

CVE-2026-45344 LinkAce: Setup database password newline injection enables pre-auth RCE on uninitialized instances

LinkAce is a self-hosted archive to collect website links. Prior to 2.5.6, the setup database configuration flow on uninitialized LinkAce instances accepts attacker-controlled database credential fields and writes them back into .env without escaping. A remote attacker who can reach the setup...

CVE-2026-48971

Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6...

CVE-2026-48971

CVE-2026-48971 affects the WordPress plugin WordPress Product Import Export for WooCommerce (WebToffee) up to version 2.5.6. The issue is a Missing Authorization/Broken Access Control vulnerability due to incorrectly configured access control levels, enabling an attacker to exploit over the netwo...

CVE-2026-48971 WordPress Product Import Export for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6...

WordPress Product Import Export for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Legion Hunter in WordPress Plugin Product Import Export for WooCommerce versions = 2.5.6...

CVE-2026-6397 Sticky <= 2.5.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'readmoretext' Shortcode Attribute

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

EUVD-2026-31017

The Sticky plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the cvmh-sticky shortcode readmoretext attribute in versions up to and including 2.5.6. This is due to insufficient input sanitization and output escaping in the cvmhstickyfrontrender function — the readmoretext...

CVE-2026-44338

PraisonAI ships a legacy Flask API server with authentication disabled by default in versions 2.5.6 through before 4.6.34. The root cause is APIServer.check_auth() short-circuiting when AUTH_ENABLED is False, allowing unauthenticated access to /agents and triggering the agents.yaml workflow via /...

EUVD-2026-20332

Missing Authorization vulnerability in ProWCPlugins Product Price by Formula for WooCommerce product-price-by-formula-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Price by Formula for WooCommerce: from n/a through = 2.5.6...

CVE-2026-39662 WordPress Product Price by Formula for WooCommerce plugin <= 2.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in ProWCPlugins Product Price by Formula for WooCommerce product-price-by-formula-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Price by Formula for WooCommerce: from n/a through = 2.5.6...

CVE-2026-39662

Missing Authorization vulnerability in ProWCPlugins Product Price by Formula for WooCommerce product-price-by-formula-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Product Price by Formula for WooCommerce: from n/a through = 2.5.6...

CVE-2026-27396 WordPress Directory Pro plugin <= 2.5.6 - Broken Access Control vulnerability

Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through = 2.5.6...

PT-2026-23264

Missing Authorization vulnerability in e-plugins Directory Pro directory-pro allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directory Pro: from n/a through = 2.5.6...

CVE-2026-3292

A security vulnerability has been detected in jizhiCMS up to 2.5.6. Affected is the function findAll in the library frphp/lib/Model.php of the component Batch Interface. The manipulation of the argument data leads to sql injection. The attack is possible to be carried out remotely. The exploit ha...

PT-2026-20264

Name of the Vulnerable Software and Affected Versions jizhicms version 2.5.6 Description The software contains a SQL Injection issue in the 'Article/deleteAll' and 'Extmolds/deleteAll' functionalities. The issue is triggered through the data parameter. Recommendations Update to a newer version th...

CVE-2025-70397

jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteAll and Extmolds/deleteAll via the data parameter...

CVE-2026-22864

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and...

CVE-2026-22864

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Before 2.5.6, a prior patch aimed to block spawning Windows batch/shell files by returning an error when a spawned path’s extension matched .bat or .cmd. That check performs a case-sensitive comparison against lowercase literals and...