CVE-2026-9719

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

CVE-2025-12656

The Migration, Backup, Staging – WPvivid Backup & Migration plugin for WordPress is vulnerable to arbitrary directory deletion due to insufficient file path validation in the deletecancelstagingsite function in all versions up to, and including, 0.9.128. This makes it possible for authenticated...

CVE-2026-8608

The Event Monster – Event Management, Events Calendar, Tickets plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in versions up to, and including, 2.1.0. This is due to the capturepayment AJAX handler registered via wpajaxnoprivemcapturepayment trusting...

CVE-2026-7523

The Alba Board plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.1.3. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access...

CVE-2026-45776

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, a flaw in Open XDMoD's access control logic allows an attacker to submit a crafted HTTPS POST request that sets a session variable used for authorization decisions. If an installation of Open XDMoD...

CVE-2026-9290

The WP User Manager – User Profile Builder & Membership plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.9.17 via the profile template scope function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files...

CVE-2026-45777

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attack...

CVE-2026-46397

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, an Authenticated Local File Inclusion LFI vulnerability in the HAXCMS saveOutline endpoint allows a low-privileged user to read arbitrary files on the server by manipulating the location field written in...

CVE-2026-45758

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Aany user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may be affected. Security...

CVE-2026-11429

A path traversal vulnerability exists in the Git Service component shared by Altium Enterprise Server and Altium 365. The service accepts a sequence of post-clone file-manipulation operations that use user-supplied paths without validation, allowing an authenticated user with basic git access to...

CVE-2026-46396

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of elements. The application allows javascript: URIs in the src attribute, which are executed when a malicious page ...

CVE-2026-46496

HAX CMS helps manage microsite universe with PHP or NodeJs backends. A stored cross-site scripting XSS vulnerability exists in versions prior to 26.0.0 due to improper sanitization of the component. The component allows javascript: URIs in the source attribute, which are executed when the page is...

Exploit for CVE-2019-5513

VMware Horizon /broker/xml Vulnerability Scanner !Security...

Exploit for Authentication Bypass Using an Alternate Path or Channel in Sangoma Freepbx

CVE-2025-57819 — FreePBX Unauthenticated SQLi → RCE One-shot...

New Pink Extortion Group Targets Microsoft 365 Cloud Data Via Vishing Scams

Cybersecurity researchers are warning businesses about Pink Extortion Group, a threat actor that uses voice phishing to bypass multi-factor authentication and steal files from cloud environments...

CVE-2026-9270

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The sendstats method does not remove newlines from metric names $stat variable, allowing attackers to change t...

CVE-2026-11362

DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags. DataDog::DogStatsd does not properly sanitise input, allowing metric injections of data from untrusted sources. The formatevent method used by the event method does not validate the content of the tags, whi...

CVE-2026-11333

A security vulnerability has been detected in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. The impacted element is an unknown function of the file dashboardpage/forms/uploadstudentdata.php of the component Student Data...

CVE-2026-45571

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were...

CVE-2026-49493

Markdown Preview Enhanced before 0.8.28 parses Bitfield fenced code blocks with interpretJS, which evaluates the block content as code via vm.runInNewContext, allowing arbitrary code execution. A crafted markdown document containing a malicious bitfield code block executes attacker-controlled cod...