5979 matches found
CVE-2026-8705
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagsegurometodo POST parameter of the clearsaletotalpush AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wpajaxnoprivclearsaletotalpush), and although a...
CVE-2026-9709 Themeco Cornerstone < 7.8.9 (Premium, bundled with X Theme) - Subscriber+ Arbitrary User Meta Disclosure
The Cornerstone WordPress plugin before 7.8.9 does not enforce capability checks on one of its REST API routes, allowing any authenticated user to disclose the metadata of any other user, including roles, session token previews and stored billing/shipping fields. This affects the premium co...
EUVD-2026-38672
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagsegurometodo POST parameter of the clearsaletotalpush AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wpajaxnoprivclearsaletotalpush), and although a...
CVE-2026-8705 ClearSale Total <= 3.4.2 - Unauthenticated SQL Injection
The ClearSale Total plugin for WordPress is vulnerable to SQL Injection via the pagsegurometodo POST parameter of the clearsaletotalpush AJAX action in all versions up to, and including, 3.4.2. The handler is registered for unauthenticated users (wpajaxnoprivclearsaletotalpush), and although a...
JSONPath Plus < 10.3.0 - Remote Code Execution
Versions of the package jsonpath-plus before 10.3.0 are vulnerable to Remote Code Execution (RCE) due to improper input sanitization. An attacker can execute arbitrary code on the system by exploiting the unsafe default usage of eval='safe' mode. Note: This is caused by an incomplete fix for...
Cockpit Web Console < 360 - Remote Code Execution
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...
CVE-2026-46064 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46064 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46075 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46075 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46068 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46068 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46077 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46077 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46086 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46086 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46132 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46132 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-46142 affecting package kernel for versions less than 6.6.141.1-1
CVE-2026-46142 affecting package kernel for versions less than 6.6.141.1-1. An upgraded version of the package is available that resolves this issue...
WordPress Transbank Webpay plugin < 1.14.0 - Unauthenticated Stored XSS vulnerability
Unauthenticated Stored XSS vulnerability discovered by Mateo Contenla & Matías Schiappacasse in WordPress Plugin Transbank Webpay REST versions 1.14.0...
NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
NPM: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding vulnerability discovered by ? in WordPress Npm undici versions 6.27.0...
Astra Linux – Vulnerability in Firefox and Thunderbird
If a PAC URL was set, and the server hosting the PAC was unreachable, OCSP requests would be blocked, resulting in incorrect error pages being displayed. This vulnerability affects Firefox 102, Firefox ESR 91.11, Thunderbird 102, and Thunderbird 91.11...
Astra Linux – Vulnerability in Firefox
The HTML Sanitizer should have sanitized the href attribute of SVG use tags; however, it incorrectly did not sanitize the xlink:href attributes. This vulnerability affects Firefox versions earlier than 102...
Astra Linux – Vulnerability in Chromium
Before version 92.0.4515.107, a use-after-free in the GPU component of Google Chrome allowed a remote attacker to potentially exploit heap corruption through a crafted HTML page...
Astra Linux – Vulnerability in Chromium
Before version 90.0.4430.212, using Autofill in Google Chrome allowed a remote attacker who had compromised the renderer process to potentially exploit heap corruption through a crafted HTML page...
Astra Linux – Vulnerability in Firefox and Thunderbird
Integer overflow in the SVG component. This vulnerability was fixed in Firefox 143, Firefox ESR 115.28, Firefox ESR 140.3, Thunderbird 143, and Thunderbird 140.3...