Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the mcajaxmcjsaction function. An attacker can access sensitive event data from other sub-sites or cause a denial of service by sending crafted requests to the unauthenticated endpoin...

CVE-2026-40308

CVE-2026-40308 - My Calendar (WordPress) plugin : Affected versions are 3.7.6 and earlier. The mc_ajax_mcjs_action AJAX endpoint, exposed to unauthenticated users, passes user-supplied arguments through parse_str() without validation, enabling injection of arbitrary parameters including a site va...

EUVD-2026-23306

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

PT-2026-33370

Name of the Vulnerable Software and Affected Versions My Calendar versions prior to 3.7.7 Description An unauthenticated issue exists in the 'mc ajax mcjs action' AJAX endpoint, which is registered for unauthenticated users. The endpoint passes user-supplied arguments through the parse str functi...

CVE-2026-4816

A Reflected Cross Site Scripting XSS vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This...

CVE-2026-4816

A Reflected Cross Site Scripting XSS vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This...

CVE-2026-4815

A SQL Injection vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to retrieve, create, update and delete database via 'calls0messageids' parameter in '/supportboard/include/ajax.php' endpoint...

CVE-2026-4816

A Reflected Cross Site Scripting XSS vulnerability has been found in Support Board v3.7.7. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL using the 'search' parameter in '/supportboard/include/articles.php'. This...

Support Board 跨站脚本漏洞

Support Board is a sales chat software developed by the British company Support Board. Version 3.7.7 of Support Board contains a cross-site scripting vulnerability, which stems from incorrect handling of the parameter 'search' in the file /supportboard/include/articles.php. This vulnerability may...

Support Board SQL注入漏洞

Support Board is a sales chat software developed by the British company Support Board. Version 3.7.7 of Support Board contains an SQL injection vulnerability. This vulnerability arises from incorrect handling of the parameter calls0messageids in the file /supportboard/include/ajax.php, which may...

CVE-2026-32428

The CVE affects WordPress Popup Like box plugin

WordPress plugin Popup Like box 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

WordPress Popup Like box plugin <= 3.7.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Nabil Irawan in WordPress Plugin Popup Like box versions = 3.7.7...

CVE-2025-67923

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through = 3.7.7...

CVE-2023-4726

The Ultimate Dashboard plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to, and including, 3.7.7. due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions...

EUVD-2024-54910

Malicious code in bioql PyPI...

CVE-2024-46413

Rebuild v3.7.7 was discovered to contain a Server-Side Request Forgery SSRF via the type parameter in the com.rebuild.web.admin.rbstore.RBStoreControllerloadDataIndex method...

CVE-2024-46412

CVE-2024-46412 affects Rebuild v3.7.7. The issue is an incorrect access control in the prehandle function, allowing an attacker to bypass authentication by sending a crafted GET request to /commons/ip-location. Public sources in the connected documents corroborate this description across Red Hat ...

PT-2025-34652 · Unknown · Rebuild 3.7.7

Name of the Vulnerable Software and Affected Versions: Rebuild version 3.7.7 Description: An incorrect access control issue exists in the prehandle function. This allows attackers to bypass authentication by sending a crafted GET request to the /commons/ip-location API endpoint. Recommendations:...

Rebuild 安全漏洞

Rebuild is a highly customizable enterprise management system from getrebuild open source. A security vulnerability exists in Rebuild version v3.7.7, which stems from a server-side request forgery in the type parameter of the com.rebuild.web.admin.rbstore.RBStoreControllerloadDataIndex method...