CVE-2026-28223 Wagtail: Improper escaping of HTML (Cross-site Scripting) in simple_translation admin interface

Wagtail is an open source content management system built on Django. Prior to versions 6.3.8, 7.0.6, 7.2.3, and 7.3.1, a stored cross-site scripting XSS vulnerability exists on confirmation messages within the wagtail.contrib.simpletranslation module. A user with access to the Wagtail admin area...

CVE-2026-30777

EC-CUBE (EC-CUBE CO.,LTD.) contains a vulnerability that allows MFA bypass. An attacker with valid administrator credentials may bypass two-factor authentication and gain unauthorized access to the administrative page. The connected CVE records confirm the issue and describe the impact as unautho...

CVE-2026-30777

EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication MFA bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page...

CVE-2026-3523

The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses && AND instead of || OR, causing the...

EC-CUBE vulnerable to multi-factor authentication bypass

Overview EC-CUBE provided by EC-CUBE CO.,LTD. contains the following vulnerability. Authentication bypass using an alternate path or channel CWE-288 - CVE-2026-30777 EC-CUBE CO.,LTD. reported this vulnerability to JPCERT/CC to notify users of its solution through JVN. JPCERT/CC and EC-CUBE CO.,LT...

CVE-2026-1651

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflowids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

PT-2026-23132

Name of the Vulnerable Software and Affected Versions Apocalypse Meow plugin for WordPress versions prior to 22.1.0 Description The software is susceptible to SQL injection through the type parameter. A flawed logical operator in the type validation check allows attacker-controlled single quotes ...

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

CVE-2026-28784 Craft is affected by potential authenticated Remote Code Execution via Twig SSTI

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

CVE-2026-28784

Craft is a content management system CMS. Prior to 5.8.22 and 4.16.18, it is possible to craft a malicious payload using the Twig map filter in text fields that accept Twig input under Settings in the Craft control panel or using the System Messages utility, which could lead to a RCE. For this to...

CVE-2026-28783 Craft has a Twig Function Blocklist Bypass

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either ha...

CVE-2026-28783 Craft has a Twig Function Blocklist Bypass

Craft is a content management system CMS. Prior to 5.9.0-beta.1 and 4.17.0-beta.1, Craft CMS implements a blocklist to prevent potentially dangerous PHP functions from being called via Twig non-Closure arrow functions. In order to be able to successfully execute this attack, you need to either ha...

CVE-2026-1273

The Post Grid Gutenberg Blocks for News, Magazines, Blog Websites – PostX plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 5.0.8 via the /ultp/v3/starterdummypost/ and /ultp/v3/starterimportcontent/ REST API endpoints. This makes it possible...

CVE-2026-1487

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers...

CVE-2026-1651

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflowids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...

CVE-2026-2289 Taskbuilder <= 5.0.3 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'Block Emails' Field

The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and...

Exploit for Improper Authentication in Cisco Catalyst_Sd-Wan_Manager

CVE-2026-20127---Cisco-SD-WAN-Preauth-RCE Cisco SD-WAN Zero-...

Cisco Secure Firewall Management Center和Cisco Secure Firewall Threat Defense 安全漏洞

Cisco Secure Firewall Management Center and Cisco Secure Firewall Threat Defense are products of Cisco, a company based in the United States. Cisco Secure Firewall Management Center is a powerful network security management tool. Cisco Secure Firewall Threat Defense is an integrated firewall...

PT-2026-22860

Name of the Vulnerable Software and Affected Versions Taskbuilder plugin for WordPress versions up to and including 5.0.3 Description The Taskbuilder plugin for WordPress is susceptible to Stored Cross-Site Scripting through admin settings. This is due to inadequate input sanitization and output...

Cross-site Scripting (XSS)

Overview craftcms/cms is a content management system. Affected versions of this package are vulnerable to Cross-site Scripting XSS via unsanitized rendering of user-supplied input in settings names and field option labels within the checkbox.twig template. An attacker can execute arbitrary...