143 matches found
WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass
Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in ismainwpauthenticated function, letting unauthenticated attackers impersonate administrators. Exploitation requires knowledge of an administrat...
Attackers Actively Exploiting Critical Vulnerability in Burst Statistics Plugin
On May 13th, 2026, we publicly disclosed a critical Authentication Bypass vulnerability in Burst Statistics, a WordPress plugin with 200,000 active installations. This vulnerability can be leveraged by unauthenticated attackers, with knowledge of an administrator username, to impersonate that...
EUVD-2026-32337
In the Linux kernel, the following vulnerability has been resolved: tpm: st33zp24: Fix missing cleanup on get_burstcount() error. get_burstcount() can return -EBUSY on timeout. When this happens, st33zp24_send() returns directly without releasing the locality acquired earlier. Use goto out_err to ensure...
CVE-2026-45941
In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure. get_burstcount() can return -EBUSY on timeout. When this happens, the function returns directly without releasing the locality that was acquired at the beginning of...
CVE-2026-45941 tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure
In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure. get_burstcount() can return -EBUSY on timeout. When this happens, the function returns directly without releasing the locality that was acquired at the beginning of...
CVE-2026-45941
CVE-2026-45941 affects the Linux kernel TPMS: tpm_i2c_infineon subsystem. The vulnerability arises when get_burstcount() times out and returns -EBUSY, causing the function to return without releasing the locality acquired at the start of tpm_tis_i2c_send(). The documented fix ensures proper clean...
Linux kernel security vulnerability
The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the get_burstcount() function in tpm/tpm_i2c_infineon. When this function returns -EBUSY due to timeout, the...
PT-2026-43808
In the Linux kernel, the following vulnerability has been resolved: tpm: tpm_i2c_infineon: Fix locality leak on get_burstcount() failure. get_burstcount() can return -EBUSY on timeout. When this happens, the function returns directly without releasing the locality that was acquired at the beginning of...
Linux kernel security vulnerability
The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the st33zp24 TPM driver. This vulnerability occurs when the get_burstcount() function returns an...
Exploit for CVE-2026-8181
CVE-2026-8181 — Burst Statistics 3.4.0 – 3.4.1.1 — Authenticat...
Astra Linux - vulnerability in unbound
The DNS protocol in RFC 1035 and its updates allows remote attackers to cause a denial of service resource consumption by arranging for DNS queries to be accumulated over seconds. As a result, responses are sent in a pulsing burst, which can be considered traffic amplification in some cases. This...
unbound: DNSBomb vulnerability
A DNSBomb flaw was found in the unbound package. The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the...
unbound: DNSBomb vulnerability
A DNSBomb flaw was found in the unbound package. The DNSBomb attack works by sending low-rate spoofed queries for a malicious zone to Unbound. By controlling the delay of the malicious authoritative answers, Unbound slowly accumulates pending answers for the spoofed addresses. When the...
MAL-2026-3990 Malicious code in @antv/g6-mobile (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-3913 Malicious code in @antv/g-compat (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-3895 Malicious code in @antv/f2-react (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4132 Malicious code in echarts-for-react (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
Exploit for CVE-2026-8181
CVE-2026-8181 Burst Statistics | Authentication Bypass to Admi...
Exploit for CVE-2026-8181
CVE-2026-8181 — Burst Statistics Authentication Bypass Lab Lo...
Exploit for CVE-2026-8181
CVE-2026-8181 exploit Burst Statistics WordPress Plugin —...