CVE-2026-2466 DukaPress <= 3.2.4 - Reflected XSS

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

PT-2026-24586

The DukaPress WordPress plugin through 3.2.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2026-28223

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting XSS vulnerability exists on confirmation messages within the wagtail.contrib.simpletranslation module. A user with access to the Wagtail admin area...

EUVD-2026-10027

The WooCommerce WordPress plugin from versions 5.4.0 to 10.5.2 does not properly handle batch requests, which could allow unauthenticated users to make a logged in admin call non store/WC REST endpoints, and create arbitrary admin users via a CSRF attack for example...

CVE-2026-2446

The PowerPack for LearnDash WordPress plugin before 1.3.0 does not have authorization and CRSF checks in an AJAX action, allowing unauthenticated users to update arbitrary WordPress options such as defaultrole etc and create arbitrary admin users...

CVE-2025-59540

CVE-2025-59540 affects Chamilo LMS prior to version 1.11.34. A stored cross-site scripting (XSS) vulnerability exists in the feedback input on the exercise history page, where unencoded input can be stored in the database and later rendered, enabling arbitrary JavaScript execution in the browser ...

PT-2026-23651

Name of the Vulnerable Software and Affected Versions PowerPack for LearnDash WordPress plugin versions prior to 1.3.0 Description The PowerPack for LearnDash WordPress plugin lacks authorization and Cross-Site Request Forgery CSRF checks in an AJAX action. This allows unauthenticated users to...

Leantime has HTML injection through firstname and lastname fields

Summary Leantime v2.3.27 is vulnerable to Stored HTML Injection. The firstname and lastname fields in the admin user edit page are rendered without HTML escaping, allowing an authenticated user to inject arbitrary HTML that executes when the profile is viewed. Vulnerable File...

INSATutorat has an authorization bypass vulnerability in its /api/admin/* endpoints

Impact An authorization bypass vulnerability was discovered in the administration pages of the tutoring application. When a standard user logged in but without administrator privileges attempts to access a resource under /api/admin/, the system detects the error but does not block the request. As...

CVE-2026-23703

The CVE-2026-23703 entry concerns the FinalCode Client installer from Digital Arts Inc. A flaw in the installer's default permissions allows a non-administrative user to escalate to SYSTEM by exploiting local permission settings (LOCAL, PR:L, UI:N). The issue is confirmed by both the CVE record a...

CVE-2026-26991

LibreNMS (versions 26.1.1 and earlier) is vulnerable to Stored Cross‑Site Scripting via the /device-groups name parameter when an admin user creates a device group. The unsanitized name can be stored and later rendered in the UI (e.g., Delete button context), enabling injected JavaScript. The iss...

CVE-2026-26964

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

WindMill 信息泄露漏洞

WindMill is a free open-source tool developed by Lukasavicus’ individual developer. It is used to control the execution of tasks in Python. Versions of WindMill prior to 1.634.6 contained a vulnerability known as “information leakage,” which occurred because the Slack OAuth client token was...

CVE-2026-26964 Windmill Exposes Workspace Slack OAuth Client Secrets to Non-Admin Workspace Members

Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which should only be accessible to workspace administrators. The GET...

CVE-2026-20141 Improper Access Control in Splunk Monitoring Console App

In Splunk Enterprise versions below 10.0.2, 10.0.3, 9.4.8, and 9.3.9, a low-privileged user who does not hold the "admin" Splunk role could access the Splunk Monitoring Console App endpoints due to an improper access control. This could lead to a sensitive information disclosure.The Monitoring...

Axis Camera Station Pro 安全漏洞

Axis Camera Station Pro is a video management software developed by the Swedish company Axis. There is a security vulnerability in Axis Camera Station Pro, which stems from insecure direct object references. This vulnerability may allow non-administrator users to modify or delete certain data...

Axis Camera Station Pro 安全漏洞

Axis Camera Station Pro is a video management software developed by the Swedish company Axis. There is a security vulnerability in Axis Camera Station Pro, which allows non-administrator users to execute privilege escalation attacks on the server...

CVE-2026-2222

A weakness has been identified in code-projects Online Reviewer System 1.0. Affected by this vulnerability is an unknown functionality of the file /system/system/admins/manage/users/btnfunctions.php. Executing a manipulation of the argument firstname can lead to cross site scripting. The attack m...

PT-2026-7087

A vulnerability was detected in code-projects Online Reviewer System 1.0. This affects an unknown part of the file /system/system/admins/manage/users/btn functions.php. The manipulation of the argument firstname results in cross site scripting. It is possible to launch the attack remotely. The...

CVE-2020-37079

Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery CSRF vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user...