WordPress Entrepreneur - Booking for Small Businesses WordPress Theme theme <= 3.1.3 - PHP Object Injection vulnerability

WordPress Entrepreneur - Booking for Small Businesses WordPress Theme theme = 3.1.3 - PHP Object Injection vulnerability discovered by 0xd4rk5id3 in WordPress Theme Entrepreneur - Booking for Small Businesses WordPress Theme versions = 3.1.3...

CVE-2026-41511

OpenMcdf is a fully .NET / C library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary CFB document. A crafted CFB file with a cycle in the...

CVE-2026-41511

OpenMcdf is a fully .NET / C library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary CFB document. A crafted CFB file with a cycle in the...

CVE-2026-41511 OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle

OpenMcdf is a fully .NET / C library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary CFB document. A crafted CFB file with a cycle in the...

CVE-2026-41511 OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle

OpenMcdf is a fully .NET / C library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary CFB document. A crafted CFB file with a cycle in the...

Security Bulletin:Flask Vary Cookie Header Vulnerability: Use of Cache Containing Sensitive Information Fixed in 3.1.3

Summary Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not t...

EUVD-2026-24660

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...

CVE-2026-4118

The CVE-2026-4118 entry concerns the WordPress Call To Action Plugin (versions update(). This enables unauthenticated attackers to modify configuration fields (e.g., title, content, link URL, image URL, colors) by forging requests, provided a site administrator is induced to perform an action suc...

CVE-2026-4118 Call To Action Plugin <= 3.1.3 - Cross-Site Request Forgery via Settings Update

The Call To Action Plugin plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.3. This is due to missing nonce validation in the cboxoptionspage function which handles saving, creating, and deleting plugin settings. The form rendered on the...

CVE-2026-40478

Thymeleaf is a server-side Java template engine for web and standalone environments. Versions 3.1.3.RELEASE and prior contain a security bypass vulnerability in the the expression execution mechanisms. Although the library provides mechanisms to prevent expression injection, it fails to properly...

CVE-2026-24749

The CVE concerns the SilverStripe Assets Module (required for SilverStripe Framework). In versions prior to 2.4.5 and 3.0.0-rc1 through 3.1.2, images rendered via templates or accessed with DBFile::getURL() or DBFile::getSourceURL() erroneously add an access grant to the current session, bypassin...

GHSA-XJW8-8C5C-9R79 Improper neutralization of specific syntax patterns for unauthorized expressions in Thymeleaf

Impact A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of...

CVE-2026-3830 Product Filter for WooCommerce by WBW < 3.1.3 - Unauthenticated SQLi

The Product Filter for WooCommerce by WBW WordPress plugin before 3.1.3 does not sanitize and escape a parameter before using it in a SQL statement, allowing unauthenticated users to perform SQL injection attacks...

Medium: python-flask

Issue Overview: Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs cach...

EUVD-2026-15746

Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through = 3.1.3...

EUVD-2026-15477

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting XSS.This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3...

CVE-2026-25462

Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through = 3.1.3...

CVE-2026-25462 WordPress avalex plugin <= 3.1.3 - Broken Access Control vulnerability

Missing Authorization vulnerability in avalex avalex avalex allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects avalex: from n/a through = 3.1.3...

CVE-2026-3217 SAML SSO - Service Provider - Critical - Cross-site scripting - SA-CONTRIB-2026-018

Improper Neutralization of Input During Web Page Generation "Cross-site Scripting" vulnerability in Drupal SAML SSO - Service Provider allows Cross-Site Scripting XSS.This issue affects SAML SSO - Service Provider: from 0.0.0 before 3.1.3...

CVE-2026-3217

Summary: CVE-2026-3217 affects Drupal SAML SSO - Service Provider module. The issue is a failure to sufficiently sanitize user input, causing a reflected Cross-site Scripting (XSS) vulnerability in web page generation. Affected version range is: Drupal SAML SSO - Service Provider: before 3.1.3 (r...