11991 matches found

Patchstack
added 2026/04/23 10:0 a.m., 5 views

WordPress Bricks Builder theme <= 2.2 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by w41bu1 in WordPress Theme Bricks Builder versions <= 2.2...

CVSS 7.1, AI score 5.8, EPSS 0.00142
Exploits: 0, Affected Software: 1
Cvelist
added 2026/04/23 2:25 a.m., 26 views

CVE-2026-2951 Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor <= 3.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Gutentor Block HTML

The Gutentor – Gutenberg Blocks – Page Builder for Gutenberg Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.5.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...

CVSS 5.4, EPSS 0.00168
Exploits: 0, References: 2
CVE
added 2026/04/23 2:25 a.m., 6 views

CVE-2026-2951

CVE-2026-2951 affects the Gutentor – Gutenberg Blocks – Page Builder for WordPress (WordPress plugin). The vulnerability is a Stored Cross-Site Scripting flaw in versions up to and including 3.5.5 caused by insufficient input sanitization and output escaping in Gutentor blocks. This enables authe...

CVSS 5.4, AI score 5.9, EPSS 0.00168
Exploits: 0, References: 2
EUVD
added 2026/04/22 9:31 p.m., 3 views

EUVD-2026-22820

The Avada Fusion Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's outputactionhook function accepting user-controlled input to trigger any registered WordPress action hook without proper...

CVSS 5.4, AI score 6.1, EPSS 0.0031
Exploits: 0, References: 4
vulnersOsv
added 2026/04/22 2:31 p.m., 4 views

@saltcorn/cli (>=1.0.0 <=1.4.3), @saltcorn/mobile-builder (>=1.0.0 <=1.4.3) potentially affected by unknown CVE via @saltcorn/server (>=1.0.0-beta.1 <=1.4.3)

@saltcorn/server NPM version =1.0.0-beta.1, =1.0.0, =1.0.0, =1.4.3 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNSERVER-16318352...

AI score 5.8
Exploits: 0
vulnersOsv
added 2026/04/22 2:31 p.m., 26 views

@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-alpha.17) potentially affected by unknown CVE via @saltcorn/server (>=1.6.0-alpha.0 <=1.6.0-alpha.9)

@saltcorn/server NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNSERVER-16318352...

AI score 5.8
Exploits: 0
vulnersOsv
added 2026/04/22 2:31 p.m., 8 views

@saltcorn/cli (>=1.5.0 <=1.5.0-rc.2), @saltcorn/mobile-builder (>=1.5.0 <=1.5.0-rc.2) potentially affected by unknown CVE via @saltcorn/server (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/server NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNSERVER-16318352...

AI score 5.8
Exploits: 0
vulnersOsv
added 2026/04/22 2:31 p.m., 19 views

@saltcorn/admin-models (>=1.5.0 <=1.5.0-rc.2), @saltcorn/base-plugin (>=1.5.0 <=1.5.0-rc.2) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/data NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNDATA-16318351...

AI score 5.8
Exploits: 0
Positive Technologies
added 2026/04/22 12:0 a.m., 5 views

PT-2026-34614

Name of the Vulnerable Software and Affected Versions: fast-xml-parser versions prior to 5.7.0. Description: XMLBuilder fails to escape the "--" sequence in comment content and the "" sequence in CDATA sections when generating XML from JavaScript objects. This flaw enables XML injection if...

CVSS 6.1, AI score 5.7, EPSS 0.00238
Exploits: 1, References: 9
NVD
added 2026/04/21 5:16 p.m., 57 views

CVE-2026-26274

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVSS 6.6, EPSS 0.00229
Exploits: 0, References: 1
CVE
added 2026/04/21 4:16 p.m., 11 views

CVE-2026-26274

The CVE concerns October CMS. A flaw in the Twig sandbox policy allowed backend users with Developer permissions to perform database write operations (insert, update, delete) through the query builder when cms.safe_mode was enabled, bypassing safeguards. This affected versions prior to 3.7.14 and...

CVSS 6.6, AI score 5.9, EPSS 0.00229
Exploits: 0, References: 1
Cvelist
added 2026/04/21 4:16 p.m., 29 views

CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVSS 6.6, EPSS 0.00229
Exploits: 0, References: 1
ATTACKERKB
added 2026/04/21 4:16 p.m., 14 views

CVE-2026-26274

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVSS 6.6, AI score 5.9, EPSS 0.00229
Exploits: 0, References: 2, Affected Software: 1
Vulnrichment
added 2026/04/21 4:16 p.m., 1 view

CVE-2026-26274 October: Safe Mode Bypass via Twig Database Write Operations

October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a vulnerability was identified in the Twig sandbox security policy that allowed database write operations when cms.safe_mode is enabled. Backend users with Developer permissions could use Twig template markup ...

CVSS 6.6, AI score 5.9, EPSS 0.00229
Exploits: 0, References: 1
CVE
added 2026/04/21 6:43 a.m., 8 views

CVE-2026-6703

The CVE concerns the WordPress plugin “Responsive Blocks – Page Builder for Blocks & Patterns” (versions up to 2.2.1). The root cause is improper authorization verification, allowing authenticated attackers with contributor-level access or higher to modify global site-wide plugin configuration op...

CVSS 4.3, AI score 5.7, EPSS 0.0023
Exploits: 0, References: 8
Cvelist
added 2026/04/21 6:43 a.m., 27 views

CVE-2026-6703 Responsive Blocks <= 2.2.1 - Missing Authorization to Authenticated (Contributor+) Arbitrary Modification via AJAX Actions

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticat...

CVSS 4.3, EPSS 0.0023
Exploits: 0, References: 8
CVE
added 2026/04/21 2:25 a.m., 9 views

CVE-2026-6675

The CVE entry maps to a concrete vulnerability in the WordPress Responsive Blocks plugin (versions ≤ 2.2.0). It describes an unauthenticated open email relay via the REST API 'email_to' parameter, enabling abuse of email delivery functions without login. The source does not provide exploit steps ...

CVSS 5.3, AI score 5.8, EPSS 0.00325
Exploits: 0, References: 7
Vulnrichment
added 2026/04/21 2:25 a.m., 1 view

CVE-2026-6675 Responsive Blocks <= 2.2.0 - Unauthenticated Open Email Relay via REST API 'email_to' Parameter

The Responsive Blocks – Page Builder for Blocks & Patterns plugin for WordPress is vulnerable to Unauthenticated Open Email Relay in all versions up to, and including, 2.2.0. This is due to insufficient authorization checks and missing server-side validation of the recipient email address supplie...

CVSS 5.3, AI score 5.8, EPSS 0.00325
Exploits: 0, References: 7
CNNVD
added 2026/04/21 12:0 a.m., 6 views

WordPress plugin Responsive Blocks – Page Builder for Blocks & Patterns input validation error vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be installed t...

CVSS 5.3, AI score 5.9, EPSS 0.00325
Exploits: 0, References: 1
Positive Technologies
added 2026/04/21 12:0 a.m., 3 views

PT-2026-34003

Name of the Vulnerable Software and Affected Versions: October versions prior to 3.7.14; October versions prior to 4.1.10. Description: A flaw in the Twig sandbox security policy allows database write operations when cms.safe_mode is enabled. Backend users with Developer permissions can use Twig...

CVSS 6.6, AI score 5.8, EPSS 0.00229
Exploits: 0, References: 8