CVE-2026-1251

CVE-2026-1251 describes an Insecure Direct Object Reference in the WordPress plugin SupportCandy – Helpdesk & Customer Support Ticket System (versions up to and including 3.4.4). The vulnerability allows an authenticated attacker with subscriber-level access or higher to steal attachments uploade...

CVE-2026-1251 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'addreply' function due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2026-1251 SupportCandy – Helpdesk & Customer Support Ticket System <= 3.4.4 - Authenticated (Subscriber+) Insecure Direct Object Reference

The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the 'addreply' function due to missing validation on a user controlled key. This makes it possible for authenticated...

CVE-2026-25156 HotCRP vulnerable to stored XSS via comment attachments

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVE-2026-25156 HotCRP vulnerable to stored XSS via comment attachments

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVE-2026-25156 HotCRP vulnerable to stored XSS via comment attachments

HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. The intended behavior was for only text/plain, application/pdf,...

CVE-2026-25156

HotCRP (versions 2025-10 to 2026-01) delivered inline content for all document types due to Content-Disposition handling, allowing HTML/SVG to render in the browser with HotCRP credentials and potential API access. Root cause: a commit introduced this behavior; it affected development versions an...

BIT-GITEA-2026-20912 Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users...

CVE-2026-24769

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

CVE-2026-24769

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting XSS vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline...

CVE-2026-1298

The CVE-2026-1298 entry refers to the WordPress plugin Easy Replace Image (

PT-2026-5194

Name of the Vulnerable Software and Affected Versions Discourse versions prior to 3.5.4 Discourse versions prior to 2025.11.2 Discourse versions prior to 2025.12.1 Discourse versions prior to 2026.1.0 Description Discourse is an open source discussion platform. Moderators can access the top uploa...

PT-2026-5221

Name of the Vulnerable Software and Affected Versions NocoDB versions prior to 0.301.0 Description NocoDB has a stored cross-site scripting XSS issue in its attachment handling. Authenticated users can upload malicious SVG files containing embedded JavaScript. These files are rendered inline and...

PT-2026-5061

The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the image replacement from url function that is hooked to the eri from url AJAX action. This makes it possible for...

WhatsApp Rolls Out Lockdown-Style Security Mode to Protect Targeted Users From Spyware

Meta on Tuesday announced it's adding Strict Account Settings on WhatsApp to secure certain users against advanced cyber attacks because of who they are and what they do. The feature, similar to Lockdown Mode in Apple iOS and Advanced Protection in Android, aims to protect individuals, such as...

CVE-2026-20912

Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. Mitigation Mitigation for this issue is...

CVE-2025-14629

CVE-2025-14629 affects the WordPress plugin Alchemist Ajax Upload . The vulnerability is a missing capability check in the delete_file function, allowing unauthenticated users to delete arbitrary WordPress media attachments in all versions up to and including 1.1. The Wordfence report catalogs th...

CVE-2026-24420 phpMyFAQ: Attachment download allowed without dlattachment right (broken access control)

phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to a incomprehensive permissions check. The presence of a right key is improperly validated as proof of authorization in...

PT-2026-4569

The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the 'delete file' function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media...

WordPress plugin Alchemist Ajax: Security Vulnerabilities

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...