PT-2026-31664

Name of the Vulnerable Software and Affected Versions OpenCTI versions prior to 6.9.5 Description OpenCTI is a platform for managing cyber threat intelligence. Prior to version 6.9.5, the safeEjs.ts file does not properly sanitize EJS templates. Users with Manage customization capability can...

EUVD-2026-20530

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vszcf7exporttoexcel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

EUVD-2024-47007

The Easy Affiliate Links plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the eaflresetsettings AJAX action in all versions up to, and including, 3.7.3. This makes it possible for authenticated attackers, with Subscriber-level access and...

CVE-2026-0814

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vszcf7exporttoexcel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level access an...

EUVD-2024-33433

The Bard Extra plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bardxtraimportxml function in all versions up to, and including, 1.2.7. This makes it possible for authenticated attackers, with subscriber-level access and above, to...

CVE-2026-30080

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context c...

EUVD-2026-20102

The PZ Frontend Manager plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.6. The pzfmuserrequestactioncallback function, registered via the wpajaxpzfmuserrequestaction action hook, lacks both capability checks and nonce verification. This function...

CVE-2026-4300

Robo Gallery for WordPress is affected up to version 5.1.3 with a Stored XSS in the Loading Label field (rbs_gallery_LoadingWord). The plugin uses a custom |... | marker in fixJsFunction() to embed raw JS within JSON; json_encode() preserves quotes, then fixJsFunction() strips the markers, turnin...

CVE-2026-3480

The WP Blockade plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 0.9.14. The plugin registers an adminpost action hook 'wp-blockade-shortcode-render' that maps to the rendershortcodepreview function. This function lacks any capability check...

CVE-2026-3477

CVE-2026-3477 concerns the PZ Frontend Manager plugin for WordPress (versions up to 1.0.6). The vulnerability stems from the AJAX handler pzfm_user_request_action_callback(), registered via wp_ajax_pzfm_user_request_action, which lacks both capability checks and nonce verification. When the reque...

CVE-2026-4299 MainWP Child Reports <= 2.2.6 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via Heartbeat API

The MainWP Child Reports plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 2.2.6. This is due to a missing capability check in the heartbeatreceived function in the LiveUpdate class. This makes it possible for authenticated attackers, with...

EUVD-2026-19956

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wpajaxsmart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The displayadminajax method does not call checkForCap which...

CVE-2026-2263

The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'hustlemoduleconverted' AJAX action in all versions up to, and including, 7.8.10.2. This makes it possible for...

CVE-2026-30080

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context c...

PT-2026-31326

Name of the Vulnerable Software and Affected Versions OpenAirInterface version 2.2.0 Description OpenAirInterface version 2.2.0 allows Security Mode Complete without integrity protection. Despite supporting integrity protection configurations NIA1 and NIA2, the system accepts initial registration...

PT-2026-31390

The Advanced Contact form 7 DB plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'vsz cf7 export to excel' function in all versions up to, and including, 2.0.9. This makes it possible for authenticated attackers, with Subscriber-level acces...

CVE-2026-4065

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wpajaxsmart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The displayadminajax method does not call checkForCap which...

CVE-2026-4065 Smart Slider 3 <= 3.5.1.33 - Missing Authorization to Authenticated (Contributor+) Slider Data Read and Image Record Manipulation

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wpajaxsmart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The displayadminajax method does not call checkForCap which...

Your Agent, Their Asset: A Real-World Safety Analysis of OpenClaw

OpenClaw, the most widely deployed personal AI agent in early 2026, operates with full local system access and integrates with sensitive services such as Gmail, Stripe, and the filesystem. While these broad privileges enable high levels of automation and powerful personalization, they also expose...

PT-2026-31034

The Smart Slider 3 plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple wp ajax smart-slider3 controller actions in all versions up to, and including, 3.5.1.33. The display admin ajax method does not call checkForCap which...