CVE-2026-45328

ESF-IDF is the Espressif Internet of Things IOT Development Framework. In versions 5.5.4 and 6.0, the esptee component exposes secure-service wrappers in espsecureservices.c and espsecureservicesiram.c that bridge calls from the user application i.e. the REE to TEE-protected hardware peripherals...

CVE-2026-24574

Cross-Site Request Forgery CSRF vulnerability in Recorp Export WP Page to Static HTML/CSS allows Cross Site Request Forgery. This issue affects Export WP Page to Static HTML/CSS: from n/a through 6.0.0...

[BSA-133] Security Update for incus

Mathias Gibbens uploaded new packages for incus which fixed the following security problems: CVE ID : CVE-2026-40195 CVE-2026-40197 CVE-2026-40243 CVE-2026-40251 CVE-2026-41647 CVE-2026-41648 CVE-2026-41684 CVE-2026-41685 Multiple security issues were discovered in Incus, a system container and...

Django Uses Persistent Cookies Containing Sensitive Information

An issue was discovered in 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified, but SESSIONSAVEEVERYREQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django serie...

CVE-2026-40305 DNN has Force Friend Request Acceptance

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2...

CVE-2026-39864 Kamailio Auth: Processing Vulnerability For Additional Authenticated User Identity Checks

Kamailio is an open source implementation of a SIP Signaling Server. Prior to 6.0.5 and 5.8.7, an out-of-bounds read in the auth module of Kamailio formerly OpenSER and SER allows remote attackers to cause a denial of service process crash via a specially crafted SIP packet if a successful user...

Pi-Hole Adminlte 安全漏洞

Pi-Hole Adminlte is a control panel used for collecting more data. Versions of Pi-Hole Adminlte from 6.0 to 6.5 had security vulnerabilities. These vulnerabilities stemmed from a reflection-based DOM cross-site scripting vulnerability in the taillog.js library, which could allow unauthenticated...

WordPress RegistrationMagic plugin <= 6.0.7.6 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by Supakiad S. m3ez in WordPress Plugin RegistrationMagic versions = 6.0.7.6...

CVE-2026-30919 facileManager Affected by Stored Cross-Site Scripting (XSS)

facileManager is a modular suite of web apps built with the sysadmin in mind. Prior to 6.0.4 , stored XSS also known as persistent or second-order XSS occurs when an application receives data from an untrusted source and includes that data in its subsequent HTTP responses in an unsafe manner. Thi...

BIT-SUPERSET-2026-23984 Apache Superset: SQLLab Read-Only Bypass on PostgreSQL

An Improper Input Validation vulnerability exists in Apache Superset that allows an authenticated user with SQLLab access to bypass the read-only verification check when using a PostgreSQL database connection. While the system effectively blocks standard Data Manipulation Language DML statements...

CVE-2026-23982

An Improper Authorization vulnerability exists in Apache Superset that allows a low-privileged user to bypass data access controls. When creating a dataset, Superset enforces permission checks to prevent users from querying unauthorized data. However, an authenticated attacker with permissions to...

GHSA-GVXG-9HQX-F4RG Apache Superset allows privileged users to conduct error-based SQL Injection

Improper Neutralization of Special Elements used in a SQL Command 'SQL Injection' vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users...

CVE-2026-23980

Apache Superset CVE-2026-23980 describes an SQL injection issue (improper neutralization of special elements) that can be exploited by an authenticated user with read access via sqlExpression or where parameters. Affected software: Superset versions before 6.0.0. Impact as per CVSS: MEDIUM (5.3),...

EUVD-2026-8474

Improper Neutralization of Special Elements used in a SQL Command 'SQL Injection' vulnerability in Apache Superset allows an authenticated user with read access to conduct error-based SQL injection via the sqlExpression or where parameters. This issue affects Apache Superset: before 6.0.0. Users...

CVE-2026-1729 AdForest <= 6.0.12 - Authentication Bypass

The AdForest theme for WordPress is vulnerable to authentication bypass in all versions up to, and including, 6.0.12. This is due to the plugin not properly verifying a user's identity prior to authenticating them through the 'sbloginuserwithotpfun' function. This makes it possible for...

InternetSoft Domain Quester Pro 安全漏洞

InternetSoft Domain Quester Pro is a domain name search and query tool provided by InternetSoft Corporation. Version 6.02 of InternetSoft Domain Quester Pro contains a security vulnerability. This vulnerability stems from a stack overflow issue in the Domain Name Keywords input field, which could...

PYSEC-2026-42

An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.The django.contrib.auth.handlers.modwsgi.checkpassword function for authentication via modwsgi allows remote attackers to enumerate users via a timing attack.Earlier, unsupported Django series such as 5.0.x,...

WordPress AdForest theme <= 6.0.11 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme AdForest versions = 6.0.11...

EUVD-2026-0751

listmonk is a standalone, self-hosted, newsletter and mailing list manager. Prior to version 6.0.0, lower-privileged user with campaign management permissions can inject malicious JavaScript into campaigns or templates. When a higher-privileged user Super Admin views or previews this content, the...

CVE-2025-67873

Capstone is a disassembly framework. In versions 6.0.0-Alpha5 and prior, Skipdata length is not bounds-checked, so a user-provided skipdata callback can make csdisasm/csdisasmiter memcpy more than 24 bytes into csinsn.bytes, causing a heap buffer overflow in the disassembly path. Commit...