Lucene search: 2378 matches found

Source: Vulnrichment | added 2026/04/22 9:25 p.m. | 5 views

CVE-2026-41175 Statamic: Unsafe method invocation via query value resolution allows data destruction

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel...

CVSS 8.1 | AI score 5.7 | EPSS 0.00105
Exploits 0 | References 1
Source: CVE | added 2026/04/22 9:25 p.m. | 12 views

CVE-2026-41175

Statamic CMS (Laravel/Git-based) prior to 5.73.20 and 6.13.0 is affected. The issue stems from unsafe method invocation during query value resolution, enabling data destruction via manipulated query parameters on Control Panel, REST API endpoints, or GraphQL queries. Exploitation requires REST/Gr...

CVSS 8.1 | AI score 5.7 | EPSS 0.00105
Exploits 0 | References 1 | Affected Software 1
Source: ATTACKERKB | added 2026/04/22 9:25 p.m. | 3 views

CVE-2026-41175

Statamic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.20 and 6.13.0, manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel...

CVSS 8.1 | AI score 5.7 | EPSS 0.00105
Exploits 0 | References 2 | Affected Software 1
Source: CVE | added 2026/04/22 7:45 a.m. | 3 views

CVE-2026-2717

The CVE concerns the WordPress HTTP Headers plugin (versions up to and including 1.19.2) vulnerable to CRLF Injection. The issue arises from insufficient sanitization of custom header name/value fields before they are written to the Apache .htaccess file via insert_with_markers(), enabling authen...

CVSS 5.5 | AI score 5.8 | EPSS 0.00021
Exploits 0 | References 5
Source: CNNVD | added 2026/04/22 12:00 a.m. | 4 views

Rclone Access Control Error Vulnerability

Rclone is a software developed by the Rclone team that can synchronize data asynchronously from cloud storage. This software supports various cloud storage services such as Google Drive, Amazon Drive, S3, Dropbox, Backblaze B2, One Drive, Swift, Hubic, Cloudfiles, Google Cloud Storage, and Yandex...

CVSS 9.8 | AI score 5.8 | EPSS 0.26321
Exploits 1 | References 2
Source: Positive Technologies | added 2026/04/21 12:00 a.m. | 2 views

PT-2026-33880

Name of the Vulnerable Software and Affected Versions: Neko versions 3.0.0 through 3.0.10; Neko versions 3.1.0 through 3.1.1. Description: An issue allows any authenticated user to obtain full administrative control of the Neko instance, including member management, room settings, broadcast control,...

CVSS 8.8 | AI score 5.2 | EPSS 0.00051
Exploits 0 | References 12
Source: Vulnrichment | added 2026/04/20 8:26 p.m. | 0 views

CVE-2026-4852 Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field

The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment field in all versions up to, and including, 3.9.1 due to insufficient input sanitization and output escaping. This makes it possible...

CVSS 6.4 | AI score 5.9 | EPSS 0.00037
Exploits 0 | References 2
Source: RedhatCVE | added 2026/04/20 7:22 p.m. | 0 views

CVE-2026-2986

The Contextual Related Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'otherattributes' parameter in versions up to, and including, 4.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 6.4 | AI score 5.9 | EPSS 0.00012
Exploits 0 | References 1
Source: Cvelist | added 2026/04/20 1:29 p.m. | 30 views

CVE-2026-3518 OS Command Injection Remote Code Execution Vulnerability in Progress LoadMaster, ECS Connection Manager, Object Scale Connection Manager & MOVEit WAF

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with "All" permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command...

CVSS 8.4 | EPSS 0.00201
Exploits 0 | References 1
Source: CNNVD | added 2026/04/18 12:00 a.m. | 6 views

Movary Security Vulnerability

Movary is a film review program developed by Lee Peuker personally. Versions of Movary prior to 0.71.1 contained security vulnerabilities. These vulnerabilities stemmed from the /settings/jellyfin/server-url-verify endpoint, which allowed user-controlled URLs to initiate server-side HTTP requests...

CVSS 7.7 | AI score 5.8 | EPSS 0.00012
Exploits 1 | References 2
Source: EUVD | added 2026/04/17 9:24 p.m. | 1 view

EUVD-2026-23502

Dolibarr: OS Command Injection RCE via MAINODTASPDF configuration...

CVSS 9.4 | AI score 5.8 | EPSS 0.00166
Exploits 3 | References 2
Source: NVD | added 2026/04/17 8:16 p.m. | 2 views

CVE-2026-40283

WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patien...

CVSS 7.6 | EPSS 0.00036
Exploits 1 | References 1
Source: OSV | added 2026/04/17 8:16 p.m. | 1 view

DEBIAN-CVE-2026-32107

xrdp is an open source RDP server. In versions through 0.10.5, the session execution component did not properly handle an error during the privilege drop process. This improper privilege management could allow an authenticated local attacker to escalate privileges to root and execute arbitrary co...

CVSS 8.8 | AI score 6.1 | EPSS 0.00022
Exploits 0 | References 1
Source: Cvelist | added 2026/04/17 3:36 a.m. | 28 views

CVE-2026-5502 Tutor LMS <= 3.9.8 - Authenticated (Subscriber+) Arbitrary Course Content Manipulation via tutor_update_course_content_order

The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized course content manipulation in versions up to and including 3.9.8. This is due to a missing authorization check in the tutor_update_course_content_order function. The function only validates the...

CVSS 5.3 | EPSS 0.00015
Exploits 0 | References 6
Source: Positive Technologies | added 2026/04/17 12:00 a.m. | 6 views

PT-2026-33465

Name of the Vulnerable Software and Affected Versions: WP Customer Area versions prior to 8.3.5. Description: Insufficient file path validation in the ajax attach file function allows authenticated attackers with roles granted by an administrator, such as Subscriber, to read or delete arbitrary file...

CVSS 8.8 | AI score 6.2 | EPSS 0.00382
Exploits 0 | References 14
Source: Github Security Blog | added 2026/04/16 9:25 p.m. | 4 views

Statamic: Unsafe method invocation via query value resolution allows data destruction

Impact: Manipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts. The Control Panel requires authentication with minimal permissions in order to exploit, e.g. the "view entries" permission to...

CVSS 8.1 | AI score 5.7 | EPSS 0.00105
Exploits 0 | References 3 | Affected Software 1
Source: ATTACKERKB | added 2026/04/16 4:40 a.m. | 3 views

CVE-2023-3634

In products of the MSE6 product family by Festo, a remote, authenticated, low-privileged attacker could use functions of an undocumented test mode, which could lead to a complete loss of confidentiality, integrity and availability...

CVSS 8.8 | AI score 5.8 | EPSS 0.00063
Exploits 0 | References 3
Source: CVE | added 2026/04/16 3:36 a.m. | 5 views

CVE-2026-3878

The vulnerability affects the WordPress WP Docs plugin, with a Stored Cross-Site Scripting (XSS) flaw in the wpdocs_options[icon_size] parameter across all versions up to 2.2.9. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with subscriber...

CVSS 6.4 | AI score 5.9 | EPSS 0.00012
Exploits 0 | References 2
Source: Positive Technologies | added 2026/04/16 12:00 a.m. | 2 views

PT-2026-33252

The WP Docs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpdocs_options[icon_size]' parameter in all versions up to, and including, 2.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-lev...

CVSS 6.4 | AI score 5.9 | EPSS 0.00012
Exploits 0 | References 3
Source: Positive Technologies | added 2026/04/16 12:00 a.m. | 4 views

PT-2026-33277

The BetterDocs plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'betterdocs_feedback_form' shortcode in all versions up to, and including, 4.3.8. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes. This makes it possib...

CVSS 6.4 | AI score 5.9 | EPSS 0.00012
Exploits 0 | References 3