PT-2026-21022

Name of the Vulnerable Software and Affected Versions EnOcean SmartServer IoT versions prior to 4.60.009 Description A flaw exists that could allow remote attackers to cause a memory leak. This can occur by sending specially crafted IP-852 messages within LON IP-852 management messages...

Linux Distros Unpatched Vulnerability : CVE-2026-26996

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular...

CVE-2026-26313

go-ethereum geth is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.17.0, an attacker can cause high memory usage by sending a specially-crafted p2p message. The issue is resolved in the v1.17.0 release...

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Overview org.webjars.npm:svelte is a package for building web applications. Affected versions of this package are vulnerable to Improperly Controlled Modification of Dynamically-Determined Object Attributes in server-side rendering when attribute spreading is performed on elements. An attacker ca...

Timing Attack

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to Timing Attack via the timingSafeEqual function. An attacker can infer sensitive information by performing timing analysis attacks during authentication comparisons. Remediation Upgrade ho...

GHSA-GQ3J-XVXP-8HRF Hono added timing comparison hardening in basicAuth and bearerAuth

Summary The basicAuth and bearerAuth middlewares previously used a comparison that was not fully timing-safe. The timingSafeEqual function used normal string equality === when comparing hash values. This comparison may stop early if values differ, which can theoretically cause small timing...

CVE-2026-26200

HDF5 is software for managing data. Prior to version 1.14.4-2, an attacker who can control an h5 file parsed by HDF5 can trigger a write-based heap buffer overflow condition. This can lead to a denial-of-service condition, and potentially further issues such as remote code execution depending on...

CVE-2026-23616

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter to...

CVE-2026-2232 Product Table and List Builder for WooCommerce Lite <= 4.6.2 - Unauthenticated Time-Based SQL Injection via 'search' Parameter

The Product Table and List Builder for WooCommerce Lite plugin for WordPress is vulnerable to time-based SQL Injection via the 'search' parameter in all versions up to, and including, 4.6.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2026-2744

CVE-2026-2744 is rejected/not used; this CVE entry does not represent an active vulnerability.

CVE-2026-1582

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison == instead of strict...

From Exposure to Exploitation: How AI Collapses Your Response Window

We’ve all seen this before: a developer deploys a new cloud workload and grants overly broad permissions just to keep the sprint moving. An engineer generates a "temporary" API key for testing and forgets to revoke it. In the past, these were minor operational risks, debts you’d eventually pay do...

Intimate products maker Tenga spilled customer data

Tenga confirmed reports published by several outlets that the company notified customers of a data breach. The Japanese manufacturer of adult products appears to have fallen victim to a phishing attack targeting one of its employees. Tenga reportedly wrote in the data breach notification: “An...

CVE-2026-2736

Alkacon OpenCms 18.0 is affected by CVE-2026-2736: a reflected XSS vulnerability exploitable by sending a user a malicious URL containing the q parameter in /search/index.html. The issue allows execution of JavaScript in the victim’s browser, enabling potential access to session cookies or action...

CVE-2026-26359

Dell Unisphere for PowerMax 10.2 is vulnerable to External Control of File Name or Path. A low-privileged, remote attacker could overwrite arbitrary files due to unsafely handled file names/paths. The CVSS 3.1 base score is 8.8 (HIGH) with network attack vector, low attack complexity, and privile...

CVE-2026-2702

A security flaw has been discovered in Beetel 777VR1 up to 01.00.09. This issue affects some unknown processing of the component WPA2 PSK. Performing a manipulation results in hard-coded credentials. The attacker must have access to the local network to execute the attack. The complexity of an...

CVE-2026-1455

The Whatsiplus Scheduled Notification for Woocommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.1. This is due to missing nonce validation on the 'wsnfwsaveuserssettings' AJAX action. This makes it possible for unauthenticated...

CVE-2025-13413

The Country Blocker for AdSense plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the CBFAguardarcbfa function. This makes it possible for unauthenticated attackers to update the plugin's settings...

CVE-2025-14452 WP Customer Reviews <= 3.7.5 - Reflected Cross-Site Scripting via 'wpcr3_fname' Parameter

The WP Customer Reviews plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'wpcr3fname' parameter in all versions up to, and including, 3.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

CVE-2025-12975

The CVE-2025-12975 entry concerns CTX Feed – WooCommerce Product Feed Manager for WordPress (