CVE-2026-39943 Directus exposes sensitive fields in revision history

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records in directusrevisions whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline,...

EUVD-2026-20950

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/id endpoint accepts a user-controlled filenamedisk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content...

CVE-2026-39942

CVE-2026-39942 (Directus) is a path traversal/broken access control issue in the Directus file management API. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. An attacker can set filename_disk to the storage path of another user’s file, allowing...

MAL-2026-2521 Malicious code in gc-grocery-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 c6b836daf5ca49f42a298b7400842dda9e2b648326ba12651c7e968459ca12c5 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

GHSA-XRRH-P7F2-27VM decolua 9router vulnerable to authorization bypass

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...

decolua 9router vulnerable to authorization bypass

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...

EUVD-2026-20840

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

Authorization Bypass Through User-Controlled Key

Overview 9router is a 9Router CLI - Start and manage 9Router server Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the /api/ endpoints of the Administrative API. An attacker can gain unauthorized access to administrative functions by sendi...

RLSA-2026:6461 Important: openssh security update

OpenSSH is an SSH protocol implementation supported by a number of Linux, UNIX, and similar operating systems. It includes the core files necessary for both the OpenSSH client and server. Security Fixes: openssh: OpenSSH GSSAPI: Information disclosure or denial of service due to uninitialized...

CVE-2026-4336

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling htmlentitydecode on postcontent during rendering in the setdisplayvariables function View.FAQ.class.php, line...

CVE-2026-5842

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...

CVE-2026-5842 decolua 9router Administrative API Endpoint api authorization

A security vulnerability has been detected in decolua 9router up to 0.3.47. The impacted element is an unknown function of the file /api of the component Administrative API Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has...

CVE-2026-5842

CVE-2026-5842 concerns decolua 9router (≤0.3.47) where the Administrative API Endpoint under /api can bypass authorization. The root cause is described as an unauthorized access vulnerability in an unknown function of the API endpoint, exploitable remotely. Public disclosure has occurred and the ...

GHSA-CRH9-3GJH-M6GC api-lab-mcp vulnerable to SSRF

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyzeapispec/generatetestscenarios/testhttpendpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. T...

api-lab-mcp vulnerable to SSRF

A weakness has been identified in atototo api-lab-mcp up to 0.2.1. This affects the function analyzeapispec/generatetestscenarios/testhttpendpoint of the file src/mcp/http-server.ts of the component HTTP Interface. This manipulation of the argument source/url causes server-side request forgery. T...

CVE-2026-4336

The Ultimate FAQ Accordion plugin for WordPress is vulnerable to Stored Cross-Site Scripting via FAQ content in all versions up to, and including, 2.4.7. This is due to the plugin calling htmlentitydecode on postcontent during rendering in the setdisplayvariables function View.FAQ.class.php, line...

CVE-2026-4336

CVE-2026-4336 affects the WordPress plugin Ultimate FAQ Accordion (≤ 2.4.7). The root cause is that html_entity_decode() is applied to post_content during rendering in View.FAQ.class.php (set_display_variables), which restores HTML entities, combined with insufficient output escaping in faq-answe...

Server-side Request Forgery (SSRF)

Overview api-lab-mcp is a MCP server for API testing and experimentation - Your API Laboratory Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the testhttpendpoint function in the HTTP interface. An attacker can cause the server to initiate arbitrary...

CVE-2026-3568 MStore API <= 4.18.3 - Authenticated (Subscriber+) Insecure Direct Object Reference to Arbitrary User Meta Update

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...

CVE-2026-3568

The MStore API plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.18.3. This is due to the updateuserprofile function in controllers/flutter-user.php processing the 'metadata' JSON parameter without any allowlist, blocklist, or validatio...