CVE-2026-9560

Summary: CVE-2026-9560 affects OpenVPN Connect for macOS (versions 3.5.1–3.8.1). Affected component is the background service that can escalate privileges via a local IPC channel, allowing an attacker to execute arbitrary commands with elevated privileges. The CVSS metrics indicate a high-impact,...

PT-2026-43371

Name of the Vulnerable Software and Affected Versions OpenVPN Connect versions 3.5.1 through 3.8.1 Description A privilege escalation issue exists in the background service of OpenVPN Connect on macOS. This allows attackers to execute arbitrary commands with elevated privileges by utilizing a loc...

@forwardemail/wildduck (>=4.0.1 <=4.0.3), @johnqh/haraka (>=8.0.1 <=8.0.17) +32 more potentially affected by unknown CVE via @opensearch-project/opensearch (>=3.2.0 <=3.5.1)

@opensearch-project/opensearch NPM version =3.2.0, =4.0.1, =8.0.1, =8.0.2, =5.8.38, =1.0.0, =1.0.0, =1.0.0-alpha.1, =1.1.3, =6.2.0, =6.2.0, =6.2.0, =6.2.0, =6.2.0, =6.3.0-beta.2 and more Source cves: unknown CVE Source advisory: OSV:GHSA-27F5-XJRR-Q9FF...

claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh

Summary tools/quota-statusline.sh introduced in v3.5.0 interpolates Claude Code's hook stdin payload directly into a Python triple-quoted string literal. A ''' byte sequence in any user-controlled field of the payload closes the literal early and lets following bytes execute as Python in the user...

WordPress WPIDE – File Manager & Code Editor plugin <= 3.5.1 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin WPIDE – File Manager & Code Editor versions = 3.5.1...

WordPress Emailchef plugin <= 3.5.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary plugin Settings Deletion vulnerability

Missing Authorization to Authenticated Subscriber+ Arbitrary plugin Settings Deletion vulnerability discovered by Legion Hunter in WordPress Plugin Emailchef versions = 3.5.1...

CVE-2025-15636 WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in emarket-design YouTube Showcase youtube-showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through = 3.5.1...

CVE-2025-15636 WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Emarket-design YouTube Showcase allows Stored XSS.This issue affects YouTube Showcase: from n/a through 3.5.1...

CVE-2025-15636

CVE-2025-15636 concerns the WordPress plugin YouTube Showcase (versions up to 3.5.1). The issue is a Stored Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during page generation, enabling injected scripts to run in the context of users viewing the affected pag...

WordPress YouTube Showcase plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin YouTube Showcase versions = 3.5.1...

PT-2026-33080

Name of the Vulnerable Software and Affected Versions Emarket-design YouTube Showcase versions n/a through 3.5.1 Description Improper neutralization of input during web page generation allows stored cross-site scripting XSS, a condition where malicious scripts are permanently stored on the target...

EUVD-2026-18202

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

GHSA-5226-3RVG-HP4X fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function

A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack is possible to be carried out remotely. The exploit has been...

EUVD-2026-15911

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through =...

CVE-2026-32537

Improper Control of Filename for Include/Require Statement in PHP Program 'PHP Remote File Inclusion' vulnerability in nK Visual Portfolio, Photo Gallery & Post Grid visual-portfolio allows PHP Local File Inclusion.This issue affects Visual Portfolio, Photo Gallery & Post Grid: from n/a through =...

CVE-2026-32537

The CVE-2026-32537 entry describes an authenticated Local File Inclusion (LFI) in the WordPress plugin Visual Portfolio, Photo Gallery & Post Grid (visual-portfolio) caused by improper filename control in PHP include/require statements. Affected versions are Visual Portfolio, Photo Gallery & Post...

WordPress plugin Visual Portfolio, Photo Gallery & Post Grid 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

EUVD-2026-13744

Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any...

WordPress Visual Portfolio, Photo Gallery & Post Grid plugin <= 3.5.1 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Nguyen Ba Khanh in WordPress Plugin Visual Portfolio, Photo Gallery & Post Grid versions = 3.5.1...

CVE-2026-32735 Unpacking Arbitrary Mustache Template Files via `maven-dependency-plugin`

openapi-to-java-records-mustache-templates allows users to generate Java Records from OpenAPI specifications. Starting in version 5.1.1 and prior to version 5.5.1, the parent POM file of this project openapi-to-java-records-mustache-templates-parent, which is used to centralize plugin...