Mail Mint < 1.19.5 - Unauthenticated Email Disclosure

Mail Mint WordPress plugin 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication. id: CVE-2026-2025 info: name: Mail Mint 1.19.5 -...

WP Directory Kit < 1.5.0 - Unauthenticated Email Exposure

WP Directory Kit plugin for WordPress = 1.4.9 contains a sensitive information exposure caused by improper access control in wdkpublicaction AJAX handler, letting unauthenticated attackers extract email addresses of users with Directory Kit-specific roles. id: CVE-2025-13920 info: name: WP...

Jenkins <=2.196 - Cookie Exposure

Jenkins through 2.196, LTS 2.176.3 and earlier prints the value of the cookie on the /whoAmI/ URL despite it being marked HttpOnly, thus making it possible to steal cookie-based authentication credentials if the URL is exposed or accessed via another cross-site scripting issue. id: CVE-2019-10405...

Dolibarr Unauthenticated Contacts Database Theft

An issue in Dolibarr 16 before 16.0.5 allows unauthenticated attackers to perform a database dump and access a company's entire customer file, prospects, suppliers, and employee information if a contact file exists. id: CVE-2023-33568 info: name: Dolibarr Unauthenticated Contacts Database Theft...

ZKTeco BioTime <= 9.0.1 - Privilege Escalation

BioTime default employee credentials password 123456 allow login. Sessions are not role-validated, enabling privilege escalation to perform admin actions and enumerate backup files. id: CVE-2023-38952 info: name: ZKTeco BioTime = 9.0.1 - Privilege Escalation author: riteshs4hu severity: high...

Email Subscribers & Newsletters <= 5.3.1 - Authenticated SQL Injection

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the order and orderby parameters to the ajaxfetchreportlist action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protecti...

Contest Gallery - Broken Access Control

Contest Gallery from n/a through 23.1.2 contains an exposure of sensitive information to an unauthorized actor caused by insufficient access controls, letting attackers access sensitive data, exploit requires no specific conditions. id: CVE-2024-43283 info: name: Contest Gallery - Broken Access...

RSVPMaker <= 9.2.5 - SQL Injection

The RSVPMaker plugin for WordPress is vulnerable to unauthenticated SQL Injection due to missing SQL escaping and parameterization on user supplied data passed to a SQL query in the rsvpmaker-util.php file. This makes it possible for unauthenticated attackers to steal sensitive information from t...

CVE-2026-56319

Capgo before 12.128.2 contains an information disclosure vulnerability in the GET /statistics/app/:appid endpoint that allows app-limited API keys to distinguish existing sibling app IDs through differential error responses. Attackers can enumerate real app IDs outside their allowed scope by...

Oracle Coherence 15.1.1.0.x < 15.1.1.0.3 Multiple Vulnerabilities (June 2026 CPU)

The 15.1.1.0.0 version of Coherence installed on the remote host is affected by multiple vulnerabilities as referenced in the June 2026 CPU advisory. - Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware component: Centralized Third Party Jars. The supported version that is...

New Forrester study shows customers who unified with Microsoft Security benefited from 124% ROI

Across many industries, organizations are unifying security and putting AI agents to work. Security teams are utilizing agents that reason, decide, and act on their behalf, under their governance. At Microsoft, we see this firsthand—more than 80% of the Fortune 500 are already using AI.1 The...

EUVD-2026-37929

setupBpmLogs follows symlink for bpm.log open and chown — container-to-host privilege escalation via /etc/shadow. A compromised process inside a bpm container can cause root to chown an arbitrary host file to vcap and append bpm JSON log lines to it. The chown alone lets the attacker take ownersh...

CVE-2026-12527

CVE-2026-12527 affects Shenzhen Liandian Communication Technology LTD V380 IP Camera firmware AppFHE1_V1.0.6.020230803. Root cause: broken authorization boundary in the RTSP media delivery pipeline. This enables unauthenticated network actors to bypass the device’s credential-enforced live-view w...

Adversarial Exposure Validation Turns Security Visibility into Confident Prioritization

For security teams, the findings never stop, but confidence in knowing which ones matter is becoming harder to maintain. The problem is no longer visibility. It's validation. Security teams must decide which findings warrant action while operating under constant pressure and incomplete informatio...

PT-2026-50019

Name of the Vulnerable Software and Affected Versions JD Edwards EnterpriseOne Tools versions 9.2.0.0 through 9.2.26.2 Description An issue exists in the Web Runtime Security component of JD Edwards EnterpriseOne Tools. An unauthenticated attacker with network access via HTTP can compromise the...

CVE-2026-50875

Incorrect access control in the /form/webhooks/webhook endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request...

EUVD-2026-36705

The Wertheim SafeController Family 65000, Controller 65000 - AssemblyVersion 6.11.8130.22319, uses weak custom cryptographic algorithms with hard-coded cryptographic keys to protect communication. An attacker in an adversary-in-the-middle position can decrypt the data traffic. During reassessment...

A week in security (June 8 &#8211; June 14)

Last week on Malwarebytes Labs: Stolen iPhones could soon be worth a lot less to thieves Fake verification pages are stealing Steam accounts from players Google can be liable for false AI Overviews, court rules VRChat says reported data breach never happened Children’s phones must block nude imag...

ROS-20260615-73-0017

The vulnerability of the xfAppUpdateWindowFromSurface function in the RDP client FreeRDP relates to the use of memory after it is freed. Exploiting this vulnerability could allow a remote attacker to compromise the confidentiality, integrity, and accessibility of the protected information...

PT-2026-48839

The iVEC-IEI Virtualization Edge Computer developed by IEI Integration Corp has a Arbitrary File Read vulnerability, allowing privileged remote attackers to access files outside the intended directory scope...