CVE-2026-9612 WhatsOrder <= 1.0.1 - Unauthenticated Sensitive Information Exposure via Predictable Invoice File URLs

The WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.1 via the yapacdevgenerateorderpdf. This makes it possible for unauthenticated attackers to extract sensitive customer PII and order...

EUVD-2023-60592

Joomla combooking component 2.4.9 contains an information disclosure vulnerability that allows unauthenticated attackers to enumerate user accounts by exploiting the getUserData function in the customer controller. Attackers can send GET requests to index.php with option=combooking,...

WordPress 2Download Connector for 2DL Hosted Checkout plugin <= 0.1.5 - Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure vulnerability

Missing Authorization to Unauthenticated Sensitive Customer Subscription Data Exposure vulnerability discovered by Mohamed Haidar in WordPress Plugin 2Download Connector for 2DL Hosted Checkout versions = 0.1.5...

Dynamics 365 Customer Voice Spoofing Vulnerability

Improper neutralization of input during web page generation 'cross-site scripting' in Dynamics 365 Customer Voice allows an unauthorized attacker to perform spoofing over a network...

Gitea 1.1.0 - 1.12.5 - Remote Code Execution

Gitea 1.1.0 through 1.12.5 is susceptible to authenticated remote code execution, via the git hook functionality, in customer environments where the documentation is not understood e.g., one viewpoint is that the dangerousness of this feature should be documented immediately above the...

EUVD-2026-37864

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

CVE-2026-12111 Appointment Booking Calendar <= 1.4.01 - Authenticated (Contributor+) Sensitive Information Exposure via 'id' Parameter

The Appointment Booking Calendar plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 1.4.01. This is due to insufficient authorization and missing per-calendar ownership checks in the cpabcappointmentscalendarload2 function, which is reachable vi...

CVE-2026-46888

Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM component: Database Upgrade. Supported versions that are affected are 17.0-26.5. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Siebel CRM Deployment executes to...

CVE-2026-49780

Customer Privilege Escalation in Dokan = 5.0.2 versions...

CVE-2026-49082

Subscriber Sensitive Data Exposure in Chatway Live Chat AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons = 1.4.8 versions...

CVE-2026-48964

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System = 3.3.6 versions...

CVE-2026-42661

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

EUVD-2026-36878

Subscriber Sensitive Data Exposure in Chatway Live Chat AI Chatbot, Customer Support, FAQ & Helpdesk Customer Service & Chat Buttons = 1.4.8 versions...

EUVD-2026-36826

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

CVE-2026-42661 WordPress WP Customer Area plugin <= 8.3.4 - Path Traversal vulnerability

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

CVE-2026-42661

Affected software : WordPress WP Customer Area plugin

Handala Hacking Group Claims Breach of California Water Service

The Handala hacking group claims it has targeted California Water Service, leaking 5GB of customer database and GPS network files in its latest infrastructure attack...

PT-2026-49452

Custom role Path Traversal in WP Customer Area = 8.3.4 versions...

PT-2026-49493

Subscriber SQL Injection in ELEX WordPress HelpDesk & Customer Ticketing System = 3.3.6 versions...

EUVD-2026-36653

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...