CVE-2026-6404 Anomify AI <= 0.3.6 - Authenticated (Administrator+) Stored Cross-Site Scripting via 'anomify_api_key' Parameter

The Anomify AI – Anomaly Detection and Alerting plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'anomifyapikey' parameter in versions up to and including 0.3.6. This is due to insufficient input sanitization and missing output escaping: the plugin applies sanitizetextfie...

CVE-2026-7284

The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to privilege escalation via user registration in all versions up to, and including, 1.4.4. This is due to the 'easyelhandleregister' function not restricting what user roles a user can register with...

CVE-2026-8418

The Games Catalog plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.0. This is due to missing or incorrect nonce validation on the gccrud function which handles the delete action action=delete via a GET request without any wpverifynonce /...

PT-2026-42139

Improper Access Control vulnerability in Mesalvo Meona Client Launcher Component, Mesalvo Meona Server Component enables a normal user gaining access to the admin panel. This issue affects Meona Client Launcher Component: through 19.06.2020 15:11:49; Meona Server Component: through 2025.04 5+3230...

PT-2026-44382

Name of the Vulnerable Software and Affected Versions phpMyFAQ versions prior to 4.1.3 Description An Insecure Direct Object Reference IDOR exists in the Admin API, which allows authenticated administrators to change the password of any user account, including SuperAdmin accounts, without proper...

PT-2026-42221

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This...

PT-2026-42374

DevGuard has an unauthenticated identity assertion via X-Admin-Token header in github.com/l3montree-dev/devguard...

WordPress plugin General Options 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

mailcow dockerized 跨站脚本漏洞

Mailcow Dockerized is an open-source application developed by Mailcow. The version 2026-03b of Mailcow Dockerized contains a cross-site scripting vulnerability. This vulnerability stems from a storage-based cross-site scripting vulnerability in the administrator’s queue manager, which may cause t...

PT-2026-42193

Name of the Vulnerable Software and Affected Versions Cisco Secure Workload versions prior to 3.10.8.3 Cisco Secure Workload versions prior to 4.0.3.17 Description Insufficient validation and authentication in the internal REST API endpoints of Cisco Secure Workload allow an unauthenticated, remo...

📄 ZTE ZXHN H168N 3.6 Credential Leak / Admin Compromise

ZTE ZXHN H168N version 3.5 suffers from a password leak vulnerability that leads to full administrative compromise. Title: ZTE ZXHN H168N V3.5 - Unauthenticated Wizard Credential Leak to Full Admin Compromise Date: 2026-05-20 Author: Mina Nageh Salalma Monx Research CVE: CVE-2021-21735 Vendor: ZT...

PT-2026-42066

Name of the Vulnerable Software and Affected Versions Anomify AI – Anomaly Detection and Alerting plugin for WordPress versions prior to 0.3.7 Description The plugin is subject to Stored Cross-Site Scripting, a condition where malicious scripts are permanently stored on the target server. The iss...

Cisco Secure Workload 访问控制错误漏洞

Cisco Secure Workload is a software product developed by Cisco Corporation in the United States. It allows users to install software agents on their application workloads. There is an access control vulnerability in Cisco Secure Workload, which stems from insufficient access validation in the...

Esri ArcGIS Server 授权问题漏洞

Esri ArcGIS Server is a web-based enterprise-level software platform provided by Esri that can deliver geographic services. Versions of Esri ArcGIS Server 12.0 and earlier had an authorization vulnerability. This vulnerability stemmed from improperly configured authentication for unrecorded...

PT-2026-42063

Name of the Vulnerable Software and Affected Versions General Options versions prior to 1.1.1 Description The General Options plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs because the sanitize text field function is used for output escaping in the Contact Number a...

PT-2026-42059

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the create admin page function. This makes it possible for unauthenticated attacke...

PT-2026-42061

Name of the Vulnerable Software and Affected Versions Word 2 Cash versions prior to 0.9.3 Description The Word 2 Cash plugin for WordPress is subject to Cross-Site Request Forgery CSRF which can lead to Stored Cross-Site Scripting XSS. This occurs because the w2c admin function lacks nonce...

PT-2026-42085

Name of the Vulnerable Software and Affected Versions Infility Global versions prior to 2.15.17 Description The Infility Global plugin for WordPress contains a flaw allowing authenticated attackers with Subscriber-level access and above to extract sensitive information from the database. This...

PT-2026-42108

Missing authorization vulnerability exists in Movable Type. Under certain conditions, when a user without administrator privileges signs in to the product, unintended update processing may be executed...

PT-2026-42057

The 診断ジェネレータ作成プラグイン Diagnosis Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'js' parameter in versions up to and including 1.4.16. This is due to missing authorization checks and insufficient input sanitization in the themeFunc function. The function is hooke...