PT-2026-27167

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a decryptString action without any authentication. Anyone can submit ciphertext and receive plaintext. Ciphertext is issued publicly e.g., view/url2Embed.json.php, so any user can recover...

PT-2026-27178

Name of the Vulnerable Software and Affected Versions Mantis Bug Tracker versions prior to 2.28.1 Description Mantis Bug Tracker is an open source issue tracker. Instances running on MySQL family databases are affected by an authentication bypass in the SOAP API due to improper type checking on t...

WordPress plugin King Addons for Elementor 信息泄露漏洞

WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up a personal blog site on a PHP and MySQL based server.WordPress plugin is an application plugin. An information disclosure vulnerability exists in the WordPress plugin King Addons for Elemento...

New API 授权问题漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API starting from 0.10.0 have a vulnerability related to authorization. This vulnerability stems from logical flaws in the general security verification process, allowing authenticated users with registered...

PT-2026-27061

The King Addons for Elementor – 4,000+ ready Elementor sections, 650+ templates, 70+ FREE widgets for Elementor plugin for WordPress is vulnerable to unauthenticated API key disclosure in all versions up to, and including, 51.1.49 due to the plugin adding the API keys to the HTML source code via...

📄 DSpace 7.6.6-next Cross Site Scripting

The Discovery Search REST API in DSpace version 7.6.6-next suffers from a cross site scripting vulnerability. ============================================================================================================================================= | Title : DSpace 7.6.6-next Discovery API...

New API 安全漏洞

The New API is an interface software developed by QuantumNous. Versions of the New API prior to 0.11.4-alpha.2 contained a security vulnerability. This vulnerability stemmed from insecure direct object references in the video proxy endpoints, which could allow access to other users’ video content...

CVE-2026-4562 MacCMS Timming API Endpoint Timming.php weak authentication

A security flaw has been discovered in MacCMS 2025.1000.4052. This affects an unknown part of the file application/api/controller/Timming.php of the component Timming API Endpoint. The manipulation results in missing authentication. The attack may be performed from remote. The exploit has been...

CVE-2026-4562

The CVE-2026-4562 entry describes a security flaw in MacCMS version 2025.1000.4052 affecting an unknown part of application/api/controller/Timming.php within the Timming API Endpoint. The vulnerability permits missing authentication, with remote exploitation possible and the exploit publicly rele...

MAL-2026-2035 Malicious code in @emilgroup/api-documentation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58c245a310d05383d1fdf2e98691e5ea42d0505bdab8e27120537609d6bb4acd The package @emilgroup/api-documentation was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2058 Malicious code in @emilgroup/public-api-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49b32ec5041ad00c8a07401245056cc069fd80826da4c73121803ffc3a705119 The package @emilgroup/public-api-sdk was found to contain malicious code. Source: ghsa-malware...

CVE-2026-33319

WWBN AVideo is an open source video platform. Prior to version 26.0, the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin constructs a shell command by directly interpolating an upload URL received from LinkedIn's API response, without sanitization via escapeshellarg. If an attacke...

CVE-2026-4549 mickasmt next-saas-stripe-starter Stripe API open-customer-portal.ts openCustomerPortal authorization

A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The...

CVE-2026-4549

A flaw has been found in mickasmt next-saas-stripe-starter 1.0.0. Affected by this issue is the function openCustomerPortal of the file actions/open-customer-portal.ts of the component Stripe API. This manipulation causes authorization bypass. Remote exploitation of the attack is possible. The...

WWBN AVideo 操作系统命令注入漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 26.0 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the uploadVideoToLinkedIn method in the SocialMediaPublisher plugin,...

EUVD-2026-14170

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...

EUVD-2026-14178

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshotformbuildergetaccountdata function is registered as a wpajax AJAX handler accessible to all authenticated users. The function lacks any capability che...

EUVD-2026-14017

Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS7 data where an ASN1TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS7 data. Impact summary: An application...

CVE-2026-3645

The Punnel – Landing Page Builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.3.1. The saveconfig function, which handles the 'punnelsaveconfig' AJAX action, lacks any capability check currentusercan and nonce verification. This makes it...

CVE-2026-3546

The e-shot form builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.2. The eshotformbuildergetaccountdata function is registered as a wpajax AJAX handler accessible to all authenticated users. The function lacks any capability che...