Dify User Enumeration via Observable Response Discrepancy
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue. id: CVE-2026-28288 info: name: Dify User Enumeratio...
CVE-2026-49293
CVE-2026-49293 affects js-toml up to v1.1.0. The parsing of hexadecimal/octal/binary integer literals uses a hand-written parseBigInt loop that multiplies the BigInt accumulator by the radix for every digit, yielding an O(n^2) time complexity in the length of the literal. A single TOML document c...
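The cost model behind this advisory is easy to see in code. The block below is an added example, not js-toml's own implementation: it reconstructs the digit-by-digit BigInt accumulation pattern the advisory describes and puts a bounded alternative beside it. The function names, the underscore handling and the MAX_INT_LITERAL_DIGITS cap are assumptions chosen for this illustration; the cap is the one defence that does not depend on how the JavaScript engine parses numeric strings internally.

```javascript
// Added example (not js-toml's code). Reconstructs the quadratic pattern the
// advisory describes and contrasts it with a length-capped parser.

const DIGIT_RE = {
  2:  /^[01]+(?:_[01]+)*$/,
  8:  /^[0-7]+(?:_[0-7]+)*$/,
  16: /^[0-9a-fA-F]+(?:_[0-9a-fA-F]+)*$/,
};
const PREFIX = { 2: '0b', 8: '0o', 16: '0x' };

// Pattern from the advisory: the accumulator gains log2(radix) bits per digit
// and each `acc * r` is linear in acc's current size, so n digits cost O(n^2).
function parseBigIntQuadratic(digits, radix) {
  if (!DIGIT_RE[radix]) throw new RangeError('radix must be 2, 8 or 16');
  if (!DIGIT_RE[radix].test(digits)) throw new SyntaxError(`invalid base-${radix} literal`);
  const r = BigInt(radix);
  let acc = 0n;
  for (const ch of digits) {
    if (ch === '_') continue; // TOML permits underscores between digits
    acc = acc * r + BigInt(parseInt(ch, radix));
  }
  return acc;
}

// Assumed cap for this example: no realistic TOML integer needs thousands of digits.
const MAX_INT_LITERAL_DIGITS = 4096;

// Bounded version: reject oversized literals before any arithmetic happens,
// then convert the whole string in one engine call instead of a per-digit loop.
function parseBigIntBounded(digits, radix) {
  if (!DIGIT_RE[radix]) throw new RangeError('radix must be 2, 8 or 16');
  if (digits.length > MAX_INT_LITERAL_DIGITS) {
    throw new RangeError(`integer literal exceeds ${MAX_INT_LITERAL_DIGITS} characters`);
  }
  if (!DIGIT_RE[radix].test(digits)) throw new SyntaxError(`invalid base-${radix} literal`);
  return BigInt(PREFIX[radix] + digits.replace(/_/g, ''));
}

// Times the quadratic parser on a constructed literal of n hex digits and
// reports whether the bounded parser accepts or rejects the same input.
function timeParsers(n) {
  const literal = 'f'.repeat(n); // constructed input
  const t0 = performance.now();
  parseBigIntQuadratic(literal, 16);
  const quadraticMs = performance.now() - t0;
  let bounded;
  try {
    parseBigIntBounded(literal, 16);
    bounded = 'accepted';
  } catch (e) {
    bounded = e instanceof RangeError ? 'rejected by cap' : 'error';
  }
  return { digits: n, quadraticMs, bounded };
}

console.log(timeParsers(2000));   // under the cap: both parsers accept
console.log(timeParsers(20000));  // over the cap: bounded parser refuses before doing work
```

Doubling the digit count in the second call roughly quadruples the quadratic parser's time, which is the signature a fuzzer or a profiler will show for this class of bug; the bounded parser's cost on the same input is a single length comparison.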
WordPress Fancy Testimonials plugin <= 1.0 - Authenticated (Author+) Stored Cross-Site Scripting vulnerability
Authenticated Author+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin Fancy Testimonials versions <= 1.0...
EUVD-2026-37732
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the descriptionhtml field when creating an intake work item through the API v1 intake endpoint...
CVE-2026-40733
Unauthenticated PHP Object Injection in ShiftUp <= 1.3 versions...
CVE-2026-39556
Unauthenticated PHP Object Injection in Konsept <= 1.9 versions...
CVE-2025-69166
Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions...
CVE-2025-69157
Unauthenticated Local File Inclusion in Gamic <= 1.15 versions...
CVE-2026-39537
Unauthenticated Local File Inclusion in Mikado Core <= 1.6 versions...
CVE-2025-69176
Unauthenticated Local File Inclusion in ITactics <= 1.0 versions...
CVE-2025-69168
Unauthenticated Local File Inclusion in Spike <= 1.2 versions...
CVE-2025-69108
Unauthenticated PHP Object Injection in Hot Coffee <= 1.7 versions...
CVE-2025-69127 WordPress Plumbing theme <= 1.6 - PHP Object Injection vulnerability
Unauthenticated PHP Object Injection in Plumbing <= 1.6 versions...
CVE-2025-69179 WordPress Support Ticket Management System plugin <= 1.9 - Privilege Escalation vulnerability
Unauthenticated Privilege Escalation in Support Ticket Management System <= 1.9 versions...
CVE-2026-48797
Backpropagate is a Python library for fine-tuning LLMs on a single GPU. In versions 1.1.0 and 1.1.1, the Reflex web UI exposes a training control plane without authentication, allowing dataset upload, model load, training control, multi-run orchestration, GGUF export, and HuggingFace Hub push. Th...
CVE-2026-39557
CVE-2026-39557 describes an unauthenticated PHP Object Injection in the WordPress NeoBeat theme, versions ≤ 1.7. The theme deserializes data that an unauthenticated attacker can control, which lets the attacker instantiate arbitrary objects and potentially achieve arbitrary code exec...
CVE-2025-69125
Technical details about CVE-2025-69125 (WordPress Food Drop theme ≤1.3 LFI) are not provided in the supplied documents. Monitor for updates and future advisories to obtain affected versions, impact, and remediation information.
CVE-2025-69124 WordPress Especio theme <= 1.0 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Especio <= 1.0 versions...
CVE-2025-69122
CVE-2025-69122 affects WordPress SeaFood Company theme versions up to 1.4. It describes an unauthenticated PHP Object Injection vulnerability with a CVSS v3.1 base score of 9.8 (network attack vector, low attack complexity, no privileges or user interaction required, high impact on confidentiality, integrity, and availability). The connected documents confirm...