CVE-2026-2425 hiWeb Migration Simple <= 2.0.0.1 - Reflected Cross-Site Scripting via 'new_domain' Parameter

The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'newdomain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

PT-2026-45703

The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...

CVE-2026-9618 PeachPay <= 1.120.46 - Cross-Site Request Forgery to Stripe Unlink

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...

EUVD-2026-32731

The PeachPay — Payments & Express Checkout for WooCommerce supports Stripe, PayPal, Square, Authorize.net, NMI plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.120.46. This is due to missing or incorrect nonce validation on the...

CVE-2026-8906

The WP Promoter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.3. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts...

CVE-2026-7561 Tm – WordPress Redirection <= 1.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

The Tm – WordPress Redirection plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to update settings and inject malicio...

CVE-2026-7616

The CVE-2026-7616 entry concerns the WordPress Zawgyi Embed plugin (versions up to 2.1.1). The root cause is missing or incorrect nonce validation in the zawgyi_adminpage function, enabling Cross-Site Request Forgery. This allows unauthenticated attackers to modify the plugin’s zawgyi_forceCSS se...

GHSA-MM2Q-QCMX-GW4W RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover

Summary ListServiceAccount GET /rustfs/admin/v3/list-service-accounts?user= authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/serviceaccount.rs:936. The handler accepts the wrong admin action and rejects t...

RustFS: ListServiceAccount authorizes against wrong admin action, enabling cross-user enumeration and root service account takeover

Summary ListServiceAccount GET /rustfs/admin/v3/list-service-accounts?user= authorizes cross-user requests against UpdateServiceAccountAdminAction instead of ListServiceAccountsAdminAction at rustfs/src/admin/handlers/serviceaccount.rs:936. The handler accepts the wrong admin action and rejects t...

CVE-2026-7408

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function savemenu of the file /admin/ajax.php?action=savemenu. Performing a manipulation results in sql injection. The attack can be initiated remotely. The exploit is now public and may be...

PT-2026-34292

Name of the Vulnerable Software and Affected Versions WP Responsive Popup + Optin versions prior to 1.5 Description The WP Responsive Popup + Optin plugin for WordPress is susceptible to Cross-Site Request Forgery. The settings form on the admin page 'wpo admin page.php' fails to implement nonce...

PT-2026-34559

Name of the Vulnerable Software and Affected Versions RustFS versions prior to 1.0.0-alpha.94 Description Four notification target admin API endpoints in rustfs/src/admin/handlers/event.rs use a check permissions helper that validates authentication but fails to perform admin-action authorization...

CVE-2026-6711 Website LLMs.txt <= 8.2.6 - Reflected Cross-Site Scripting

The Website LLMs.txt plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'tab' parameter in all versions up to, and including, 8.2.6. This is due to the use of filterinput without a sanitization filter and insufficient output escaping. This makes it possible for...

CVE-2026-5181

A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctorsappointment/admin/ajax.php?action=savecategory. Such manipulation of the argument img leads to unrestricted upload. The attack may be...

ALPINE-CVE-2026-24031

Dovecot SQL based authentication can be bypassed when authusernamechars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear authusernamechars. If this is not possible, install latest fixed version. No publicly available exploits...

UBUNTU-CVE-2026-24031

Dovecot SQL based authentication can be bypassed when authusernamechars is cleared by admin. This vulnerability allows bypassing authentication for any user and user enumeration. Do not clear authusernamechars. If this is not possible, install latest fixed version. No publicly available exploits...

CVE-2026-4473

A vulnerability was detected in itsourcecode Online Doctor Appointment System 1.0. This issue affects some unknown processing of the file /admin/appointmentaction.php. The manipulation of the argument appointmentid results in sql injection. The attack can be launched remotely. The exploit is now...

CVE-2026-3981

A vulnerability was found in itsourcecode Online Doctor Appointment System 1.0. Affected is an unknown function of the file /admin/doctoraction.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made publ...

CVE-2026-3980

A vulnerability has been found in itsourcecode Online Doctor Appointment System 1.0. This impacts an unknown function of the file /admin/patientaction.php. Such manipulation of the argument patientid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to th...