Lucene search

486 matches found

OSV
added 5 days ago, 5 views

GHSA-XW54-C3MX-9PM3 Admidio: Any logged-in user can delete inventory fields via `mode=field_delete` — incomplete fix of #2024

Summary: Commit d37ca6b27b9674238e58491cf7ba292e66898f15 ("Delete item not check admin rights #2024", 2026-04-12) added a missing isAdministratorInventory gate to `case 'item_delete':` in modules/inventory.php. The same fix was not applied to the sibling `case 'field_delete':` handler, which destroys an...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 2
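Worked example for the entry above, added here and not taken from Admidio (written in Python rather than the project's PHP so it runs stand-alone). It shows the incomplete-fix shape, an authorization gate added inside one `case` but not its sibling, next to a dispatcher that authorizes once from a mode table before dispatching, plus a small review aid that lists handled modes the table forgot. The mode names, the `inventory_admin` flag standing in for isAdministratorInventory, and the sample inventory are assumptions.

```python
class Forbidden(Exception):
    """Raised when the caller lacks the right the requested mode needs."""


class User:
    def __init__(self, name, inventory_admin=False):
        self.name = name
        # Stand-in for Admidio's isAdministratorInventory() check (assumed boolean).
        self.inventory_admin = inventory_admin


class Inventory:
    """Constructed sample data: one item and one field."""

    def __init__(self):
        self.items = {"item-1": "laptop"}
        self.fields = {"field-1": "serial number"}


def dispatch_before_fix(inv, user, mode, target):
    """Shape of the incomplete fix: the gate was added inside one case only."""
    if mode == "item_delete":
        if not user.inventory_admin:
            raise Forbidden(mode)
        inv.items.pop(target, None)
    elif mode == "field_delete":
        # Sibling case, no gate: any logged-in user reaches the destructive action.
        inv.fields.pop(target, None)
    elif mode == "item_view":
        return inv.items.get(target)
    else:
        raise ValueError("unknown mode: " + mode)


# Policy table: every mode the dispatcher knows and whether it needs the admin right.
# A mode missing from the table is refused, so a new case cannot ship ungated.
MODE_REQUIRES_ADMIN = {
    "item_delete": True,
    "field_delete": True,
    "item_view": False,
}


def dispatch_after_fix(inv, user, mode, target):
    """Authorize once, before dispatch, from the table rather than inside each case."""
    if mode not in MODE_REQUIRES_ADMIN:
        raise ValueError("unknown mode: " + mode)
    if MODE_REQUIRES_ADMIN[mode] and not user.inventory_admin:
        raise Forbidden(mode)
    if mode == "item_delete":
        inv.items.pop(target, None)
    elif mode == "field_delete":
        inv.fields.pop(target, None)
    else:
        return inv.items.get(target)


def unpoliced_modes(handled_modes, policy=MODE_REQUIRES_ADMIN):
    """Review aid: modes a dispatcher handles that the policy table never mentions."""
    return sorted(set(handled_modes) - set(policy))


def _attempt(handler, inv, user, mode, target):
    try:
        handler(inv, user, mode, target)
        return "allowed"
    except Forbidden:
        return "forbidden"


def demo():
    """Run a plain member against both dispatchers; report what each let through."""
    member = User("alice")  # logged in, not an inventory administrator
    outcome = {}
    for label, handler in (("before", dispatch_before_fix), ("after", dispatch_after_fix)):
        inv = Inventory()
        outcome[label] = {
            "item_delete": _attempt(handler, inv, member, "item_delete", "item-1"),
            "field_delete": _attempt(handler, inv, member, "field_delete", "field-1"),
            "field_survived": "field-1" in inv.fields,
        }
    return outcome


def admin_can_delete_field():
    inv = Inventory()
    dispatch_after_fix(inv, User("root", inventory_admin=True), "field_delete", "field-1")
    return "field-1" not in inv.fields


if __name__ == "__main__":
    print(demo())
```

When reviewing a fix like the one in the commit above, run the equivalent of `unpoliced_modes` over every `case` label in the handler: a patch that gates one sibling is only complete when every destructive mode appears in the policy.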
CVE
added 2026/05/21 11:32 a.m., 12 views

CVE-2026-5118

CVE-2026-5118 affects Divi Form Builder for WordPress (

CVSS 9.8, AI score 5.8, EPSS 0.00037
Exploits: 4, References: 2
CVE
added 2026/05/13 2:12 p.m., 8 views

CVE-2026-32673

The CVE-2026-32673 issue affects BIG-IP scripted monitors. An authenticated attacker with Resource Administrator or Administrator privileges can execute arbitrary system commands with elevated rights via the affected iControl REST endpoint or local tmsh access. In appliance mode, exploitation may...

CVSS 8.7, AI score 5.8, EPSS 0.0007
Exploits: 0, References: 1
EUVD
added 2026/05/07 2:59 a.m., 4 views

EUVD-2026-28276

Admidio is an open-source user management solution. Prior to version 5.0.9, Role::stopMembership does not verify whether removing a user from the administrator role leaves zero administrators. The deprecated Membership::stopMembership contains this safety check, but the current code path bypasses...

CVSS 5.2, AI score 5.8, EPSS 0.00011
Exploits: 0, References: 2
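Worked example for the last-administrator check described in the entry above, added here and not Admidio's code (Python stand-in for the PHP role model). The point is where the check lives: an invariant enforced in one public method and not in its sibling is exactly what the advisory describes, so here every path that ends a membership, including deleting the account, funnels through a single function that holds the count check. The in-memory store, role names and user ids are constructed sample data.

```python
class LastAdministratorError(Exception):
    """Refused: the change would leave the administrator role with no members."""


class RoleStore:
    """In-memory stand-in for the role membership table (constructed sample data)."""

    ADMIN_ROLE = "Administrator"

    def __init__(self, memberships):
        self.members = {role: set(users) for role, users in memberships.items()}

    def _end_membership(self, role, user_id):
        # The invariant lives in the one function every caller must pass through,
        # so no entry point, current or deprecated, can reach the delete without it.
        current = self.members.get(role, set())
        if user_id not in current:
            return False
        if role == self.ADMIN_ROLE and len(current) == 1:
            raise LastAdministratorError(user_id)
        current.remove(user_id)
        return True

    # Two public paths, as the advisory describes a current and a deprecated one;
    # both delegate, so neither can skip the check.
    def stop_membership(self, role, user_id):
        return self._end_membership(role, user_id)

    def stop_membership_legacy(self, role, user_id):
        return self._end_membership(role, user_id)

    def delete_user(self, user_id):
        # Removing the account entirely must respect the same invariant, and the
        # check runs before any role is touched so a refusal leaves no partial state.
        if user_id in self.members.get(self.ADMIN_ROLE, set()) and self.admin_count() == 1:
            raise LastAdministratorError(user_id)
        for users in self.members.values():
            users.discard(user_id)
        return True

    def admin_count(self):
        return len(self.members.get(self.ADMIN_ROLE, set()))


def demo():
    """Two admins: the first may leave, the second is refused on every path."""
    store = RoleStore({"Administrator": {"u1", "u2"}, "Member": {"u1", "u2", "u3"}})
    store.stop_membership("Administrator", "u1")  # fine: u2 still administers
    outcomes = []
    for action in (
        lambda: store.stop_membership("Administrator", "u2"),
        lambda: store.stop_membership_legacy("Administrator", "u2"),
        lambda: store.delete_user("u2"),
    ):
        try:
            action()
            outcomes.append("allowed")
        except LastAdministratorError:
            outcomes.append("refused")
    return store.admin_count(), outcomes


if __name__ == "__main__":
    print(demo())
```

Against a real database the count and the delete must happen in one transaction with the role rows locked (or as a single conditional DELETE), otherwise two concurrent removals can each see two administrators and both succeed.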
Snyk
added 2026/05/06 8:47 p.m., 5 views

Directory Traversal

Overview: phpmyfaq/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases. Affected versions of this package are vulnerable to Directory Traversal in the deleteClientFolder process. An attacker can delete arbitrary directories on the server by submitting a crafted URL containing...

CVSS 7, AI score 6.3, EPSS 0.00048
Exploits: 0, References: 2
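Worked example for the traversal class in the entry above, added here and not phpMyFAQ's code (Python in place of the project's PHP). A delete-folder routine takes an identifier from the request and removes a directory under a fixed base; the hardened version validates the identifier against a strict allowlist and then checks that the canonical target is a direct child of the canonical base, which also catches a symlink planted inside the base. The identifier pattern, directory layout and attempted inputs are constructed for the demonstration.

```python
import re
import shutil
import tempfile
from pathlib import Path

# Assumed identifier shape: a short token, no separators, no leading dot.
CLIENT_ID = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


class UnsafePath(ValueError):
    """The requested folder is not a direct child of the client base directory."""


def resolve_client_folder(base_dir, client_id):
    """Two layers: an allowlist on the identifier, then a containment check on the
    canonical path (catches symlinks and anything the pattern might later admit)."""
    if not CLIENT_ID.match(client_id):
        raise UnsafePath(client_id)
    base = Path(base_dir).resolve()
    target = (base / client_id).resolve()
    if target.parent != base:
        raise UnsafePath(client_id)
    return target


def delete_client_folder(base_dir, client_id):
    """Delete the client's folder; True if something was removed, False if absent."""
    target = resolve_client_folder(base_dir, client_id)
    if not target.is_dir():
        return False
    shutil.rmtree(target)
    return True


def demo():
    """Constructed layout: clients/acme plus a sibling 'secrets' directory the
    request must never reach, and a symlink inside clients pointing at it."""
    root = Path(tempfile.mkdtemp())
    clients = root / "clients"
    (clients / "acme").mkdir(parents=True)
    (root / "secrets").mkdir()
    (clients / "link").symlink_to(root / "secrets")
    results = {}
    for client_id in ("../secrets", "acme/../../secrets", "link", "acme"):
        try:
            results[client_id] = delete_client_folder(clients, client_id)
        except UnsafePath:
            results[client_id] = "refused"
    results["secrets_survived"] = (root / "secrets").is_dir()
    shutil.rmtree(root)
    return results


if __name__ == "__main__":
    print(demo())
```

The regex alone would have been enough for the first two inputs; the containment check is what stops the symlink, and it is the layer to keep even if the identifier rules are later relaxed.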
RedhatCVE
added 2026/05/04 8:21 p.m., 2 views

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the save_extra_user_profile_fields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

CVSS 8.8, AI score 5.7, EPSS 0.00026
Exploits: 0, References: 1
CNNVD
added 2026/04/30 12:00 a.m., 2 views

IBM i access control error vulnerability

IBM i is an integrated operating system developed by IBM for use on IBM Power Systems servers, providing database, network, and application services. An elevation of privilege vulnerability exists in IBM i. The vulnerability stems from an invalid authorization check in the Web Administration GUI...

CVSS 9.8, AI score 5.9, EPSS 0.00043
Exploits: 0, References: 1
Vulnrichment
added 2026/04/27 12:00 a.m., 3 views

CVE-2025-69689

The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges...

AI score 5.2, EPSS 0.00015
Exploits: 0, References: 4
CNNVD
added 2026/04/20 12:00 a.m., 2 views

SKYSEA Client View security vulnerability

SKYSEA Client View is software developed by SKYSEA Corporation in Japan. It supports information leakage countermeasures and IT operations management. There is a security vulnerability in SKYSEA Client View, which stems from improper permission settings on the installation folder. This...

CVSS 8.5, AI score 7.3, EPSS 0.00017
Exploits: 0, References: 1
CNNVD
added 2026/04/15 12:00 a.m., 3 views

OMRON PowerAttendant security vulnerability

OMRON PowerAttendant is power management software developed by the Japanese company Omron. OMRON PowerAttendant has a security vulnerability, which stems from improper permission settings on the installation directory. This vulnerability could allow malicious actors to install and execute DLLs...

CVSS 7.8, AI score 5.9, EPSS 0.00014
Exploits: 0, References: 1
NVD
added 2026/03/31 9:16 p.m., 1 view

CVE-2026-34382

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylistfunction.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently...

CVSS 4.6, EPSS 0.00007
Exploits: 1, References: 2
ATTACKERKB
added 2026/03/31 8:32 p.m., 1 view

CVE-2026-34382

Admidio is an open-source user management solution. From version 5.0.0 to before version 5.0.8, the delete mode handler in mylistfunction.php permanently deletes list configurations without validating a CSRF token. An attacker who can lure an authenticated user to a malicious page can silently...

CVSS 4.6, AI score 5.8, EPSS 0.00007
Exploits: 1, References: 3, Affected software: 1
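Worked example for the missing CSRF check described in the two CVE-2026-34382 entries above, added here and not Admidio's code (Python in place of the project's PHP). A delete handler that acts on any request carrying the victim's session cookie is shown beside one that requires POST and a token bound to the server-side session, compared in constant time. The session dictionary, request dictionaries and list names are constructed; what a lured browser sends is the session cookie, never the token.

```python
import hmac
import secrets

SESSION_KEY = "csrf_token"


class CsrfError(Exception):
    """The request did not carry the token bound to this session."""


def issue_csrf_token(session):
    """Mint the per-session token once and return it for embedding in the form."""
    if SESSION_KEY not in session:
        session[SESSION_KEY] = secrets.token_urlsafe(32)
    return session[SESSION_KEY]


def csrf_token_valid(session, submitted):
    expected = session.get(SESSION_KEY)
    if expected is None or not isinstance(submitted, str):
        return False
    # Constant-time comparison on bytes; comparing str would raise on non-ASCII input.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def delete_list_before_fix(lists, session, request):
    """Handler that trusts any request the browser attaches the session cookie to."""
    lists.pop(request["list_id"], None)


def delete_list_after_fix(lists, session, request):
    """State change only on POST, and only with the session's own token echoed back."""
    if request.get("method") != "POST":
        raise CsrfError("state-changing action must be POST")
    if not csrf_token_valid(session, request.get("csrf_token")):
        raise CsrfError("missing or wrong CSRF token")
    lists.pop(request["list_id"], None)


def _attempt(handler, lists, session, request):
    try:
        handler(lists, session, request)
    except CsrfError:
        return "refused"
    return "deleted" if request["list_id"] not in lists else "kept"


def demo():
    session = {}                       # the victim's server-side session
    token = issue_csrf_token(session)  # would be embedded in the genuine form
    # Constructed requests: the forged ones are what a lured browser sends
    # (session cookie attached automatically, no token the attacker can know).
    forged_get = {"method": "GET", "list_id": "my-list"}
    forged_post = {"method": "POST", "list_id": "my-list", "csrf_token": "guess"}
    genuine = {"method": "POST", "list_id": "my-list", "csrf_token": token}
    return {
        "before_forged_get": _attempt(delete_list_before_fix, {"my-list": []}, session, forged_get),
        "after_forged_get": _attempt(delete_list_after_fix, {"my-list": []}, session, forged_get),
        "after_forged_post": _attempt(delete_list_after_fix, {"my-list": []}, session, forged_post),
        "after_genuine": _attempt(delete_list_after_fix, {"my-list": []}, session, genuine),
    }


if __name__ == "__main__":
    print(demo())
```

A SameSite cookie attribute reduces how often the forged requests carry the cookie at all, but the token check is what makes the handler safe regardless of client behaviour.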
RedhatCVE
added 2026/03/26 3:14 p.m., 0 views

CVE-2024-14024

An improper certificate validation vulnerability has been reported to affect Video Station. If an attacker who has gained local network access has also obtained an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the...

CVSS 6.7, AI score 5.8, EPSS 0.0001
Exploits: 0, References: 1
EUVD
added 2026/03/22 6:30 a.m., 2 views

EUVD-2026-14275

The 'The Ultimate WordPress Toolkit – WP Extended' plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.2.4. This is due to the isDashboardOrProfileRequest method in the Menu Editor module using an insecure strpos check against `$_SERVER['REQUEST_URI']` to...

CVSS 8.8, AI score 5.9, EPSS 0.0006
Exploits: 0, References: 5
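Worked example for the substring check in the entry above, added here and not the plugin's code (Python in place of PHP's strpos on `$_SERVER['REQUEST_URI']`). A substring test over the whole request URI answers yes for any URI that merely contains the expected string, including in a query parameter of some other page, and answers no for a percent-encoded spelling the server would still route to the same script. The comparison function decides on the routed path only. The protected page list, the sample URIs and the assumption that a yes from this method unlocks behaviour meant for those pages are all assumptions, since the page truncates the description.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Assumed protected screens; the plugin's own list is not shown on the page.
DASHBOARD_OR_PROFILE = {"/wp-admin/index.php", "/wp-admin/profile.php"}


def is_dashboard_or_profile_substring(request_uri):
    """Shape of the insecure check: a substring test over the entire request URI,
    so the expected string anywhere in the query string also counts."""
    return any(page in request_uri for page in DASHBOARD_OR_PROFILE)


def is_dashboard_or_profile_path(request_uri):
    """Decide on the routed path only: drop the query string, percent-decode, and
    collapse dot segments the way the web server does before serving the script."""
    path = posixpath.normpath(unquote(urlsplit(request_uri).path))
    return path in DASHBOARD_OR_PROFILE


# Constructed request URIs: two genuine profile-page loads, a request for a
# different admin page that carries the expected string in a parameter, and a
# percent-encoded spelling of the profile path.
SAMPLE_URIS = [
    "/wp-admin/profile.php",
    "/wp-admin/profile.php?updated=1",
    "/wp-admin/admin.php?page=menu-editor&back=/wp-admin/profile.php",
    "/wp-admin/%70rofile.php",
]


def compare_checks(uris=SAMPLE_URIS):
    """Map each URI to (substring verdict, path verdict)."""
    return {
        uri: (is_dashboard_or_profile_substring(uri), is_dashboard_or_profile_path(uri))
        for uri in uris
    }


if __name__ == "__main__":
    for uri, verdicts in compare_checks().items():
        print(verdicts, uri)
```

Inside WordPress the cleaner fix is not to re-parse the URI at all: the `$pagenow` global already names the admin screen being served, and a capability check should gate the action independently of which screen requested it.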
ATTACKERKB
added 2026/03/22 2:03 a.m., 0 views

CVE-2026-33549

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment of administrator privileges during the editing of an author data structure because of STATUT mishandling...

CVSS 6.7, AI score 5.8, EPSS 0.00048
Exploits: 0, References: 4, Affected software: 1
Positive Technologies
added 2026/03/22 12:00 a.m., 3 views

PT-2026-26961

SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment of administrator privileges during the editing of an author data structure because of STATUT mishandling...

CVSS 6.7, AI score 5.8, EPSS 0.00048
Exploits: 0, References: 4
Positive Technologies
added 2026/03/21 12:00 a.m., 3 views

PT-2026-26947

Name of the vulnerable software and affected versions: WordPress Import and export users and customers plugin versions up to and including 1.29.7. Description: The Import and export users and customers plugin for WordPress is susceptible to privilege escalation. This occurs because the save extra us...

CVSS 8.1, AI score 5.7, EPSS 0.00032
Exploits: 1, References: 11
ATTACKERKB
added 2026/03/20 8:25 a.m., 1 view

CVE-2026-2432

The CM Custom Reports – Flexible reporting to track what matters most plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.2.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...

CVSS 4.4, AI score 5.9, EPSS 0.0001
Exploits: 0, References: 5
The Hacker News
added 2026/02/28 5:21 p.m., 8 views

ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control. "Our vulnerability lives in the core system itself – no plugins, no marketplace, no...

CVSS 8.8, AI score 6.6, EPSS 0.00124
Exploits: 2
Positive Technologies
added 2026/02/27 12:00 a.m., 3 views

PT-2026-22305

Name of the vulnerable software and affected versions: Listee theme for WordPress versions prior to 1.1.7. Description: The Listee theme for WordPress is affected by a privilege escalation issue. A broken validation check in the bundled listee-core plugin's user registration function does not proper...

CVSS 9.8, AI score 5.9, EPSS 0.00036
Exploits: 0, References: 15
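Worked example serving three entries above: the two Import and export users and customers records (CVE-2026-7641 and PT-2026-26947, an incomplete blocklist of capability meta keys) and the Listee registration record (PT-2026-22305, a registration path that does not properly validate what the request may set). It is added here and is not code from either plugin (Python in place of PHP). The same rule covers both: a request never chooses privileged attributes, so the writable profile fields are an allowlist and the role at registration comes from server configuration. The blocklist contents, the allowlist, the sample submission and the `wp_3_capabilities` key (the form WordPress multisite uses for a second site, assumed here because the page truncates its own example) are assumptions.

```python
# Shape of the blocklist from the import/export plugin entries: exact meta keys
# for the primary site only (assumed keys; the page truncates its example).
CAPABILITY_KEYS_BLOCKLIST = {"wp_capabilities", "wp_user_level"}

# What the profile form is actually meant to set; nothing else is written.
PROFILE_FIELDS_ALLOWLIST = {"first_name", "last_name", "description", "phone"}

# Constructed submission: ordinary profile data plus privileged keys. The third
# key is the multisite form for another site (assumption: site id 3).
SAMPLE_SUBMISSION = {
    "first_name": "Ada",
    "wp_capabilities": {"administrator": True},
    "wp_3_capabilities": {"administrator": True},
    "wp_user_level": 10,
}


def filter_meta_blocklist(submitted):
    """Before: drop only the keys someone remembered to list; everything else is saved."""
    return {key: value for key, value in submitted.items() if key not in CAPABILITY_KEYS_BLOCKLIST}


def filter_meta_allowlist(submitted):
    """After: keep only the keys the form is allowed to set."""
    return {key: value for key, value in submitted.items() if key in PROFILE_FIELDS_ALLOWLIST}


def leaked_privileged_keys(filtered):
    """Review aid: keys that would still write a capability or level if saved as user meta."""
    return sorted(k for k in filtered if k.endswith("capabilities") or k.endswith("user_level"))


def register_user_before_fix(request):
    """Registration that honours a role supplied with the form (assumed shape of the
    broken validation; the page does not show the Listee code)."""
    return {"login": request["login"], "role": request.get("role", "subscriber")}


def register_user_after_fix(request, default_role="subscriber"):
    """The role comes from server-side configuration; the request cannot choose it."""
    return {"login": request["login"], "role": default_role}


def demo():
    hostile_signup = {"login": "eve", "role": "administrator"}
    return {
        "blocklist_leaks": leaked_privileged_keys(filter_meta_blocklist(SAMPLE_SUBMISSION)),
        "allowlist_leaks": leaked_privileged_keys(filter_meta_allowlist(SAMPLE_SUBMISSION)),
        "role_before": register_user_before_fix(hostile_signup)["role"],
        "role_after": register_user_after_fix(hostile_signup)["role"],
    }


if __name__ == "__main__":
    print(demo())
```

`leaked_privileged_keys` is the check to run over whatever a profile handler is about to persist: if it ever returns a non-empty list for request-controlled input, the filter in front of it is a blocklist with a gap.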