CVE-2026-33326

Summary: Keystone 6 core prior to 6.5.2 had a bypass in isFilterable for findMany via the cursor parameter, allowing potential disclosure by confirming protected field values. The root cause is that the cursor input type reused UniqueWhere checks not patched by the previous fix for CVE-2025-46720...

CVE-2026-33326 @keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany

Keystone is a content management system for Node.js. Prior to version 6.5.2, field.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 field-level isFilterab...

PT-2025-37003

Name of the Vulnerable Software and Affected Versions: PowerPack Elementor Addons versions up to and including 2.9.4 Description: The PowerPack Elementor Addons plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization and output escaping...

CVE-2024-13699

The Qi Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘cursor’ parameter in all versions up to, and including, 1.8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-lev...

WordPress plugin Qi Addons For Elementor 跨站脚本漏洞

WordPress and WordPress plugin are both products of the WordPress Foundation.WordPress is a blogging platform developed using the PHP language. The platform supports personal blog sites on PHP and MySQL servers.WordPress plugin is an application plugin. A cross-site scripting vulnerability exists...

PT-2025-1966 · WordPress · Happy Addons For Elementor

Name of the Vulnerable Software and Affected Versions: Happy Addons for Elementor plugin for WordPress versions up to, and including, 3.15.1 Description: The issue is a Stored Cross-Site Scripting vulnerability due to insufficient input sanitization and output escaping. This allows authenticated...