CVE-2026-40797

WordPress WebinarIgnition plugin (vulnerable: up to 4.08.253) by Saleswonder LLC contains an SQL Injection flaw described as an improper neutralization of SQL commands, allowing Blind SQL Injection. The issue affects WebinarIgnition versions from n/a through 4.08.253. CVSS 3.1 base score 9.3 (CRI...

EUVD-2026-27219

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /printpdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

EUVD-2026-27175

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

SQL Injection

org.springframework.ai, spring-ai-azure-cosmos-db-store is vulnerable to SQL Injection. The vulnerability is due to improper handling of crafted document IDs in the CosmosDBVectorStore, which allows an attacker to execute arbitrary SQL queries...

CVE-2026-7822

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /printpdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

CVE-2026-7822 itsourcecode Courier Management System print_pdets.php sql injection

A vulnerability was identified in itsourcecode Courier Management System 1.0. This impacts an unknown function of the file /printpdets.php. The manipulation of the argument ids leads to sql injection. The attack may be initiated remotely. The exploit is publicly available and might be used...

CVE-2026-3456

The CVE concerns the WordPress plugin GeekyBot – Generate AI Content Without Prompt, Chatbot and Lead Generation (versions up to 1.2.0). It is vulnerable to SQL Injection via the attributekey parameter due to insufficient escaping and lack of proper query parameterization, allowing unauthenticate...

CVE-2026-5100

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

CVE-2026-5100 AWP Classifieds <= 4.4.5 - Unauthenticated SQL Injection via 'regions'

The AWP Classifieds plugin for WordPress is vulnerable to SQL Injection via the 'regions' parameter array keys in versions up to, and including, 4.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...

CLSA-2026-1777946894 Fix CVE(s): CVE-2022-0391, CVE-2022-45061, CVE-2024-7592, CVE-2026-4519

SECURITY UPDATE: URL parsing accepts ASCII tab/CR/LF URL smuggling - debian/patches/CVE-2022-0391.patch: sanitise tab, CR, LF anywhere in URL/scheme inside urlsplit before cache lookup, plus regression test in Lib/urlparse.py, Lib/test/testurlparse.py. - CVE-2022-0391 SECURITY UPDATE: Quadratic...

GHSA-8PQQ-224H-X875 ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

Summary Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release. What was leaked |...

Use of Hard-coded Credentials

Overview ogham-mcp is a Shared memory MCP server — persistent, searchable, cross-client Affected versions of this package are vulnerable to Use of Hard-coded Credentials due to hardcoded credentials present in the source files, including development database URLs and an API key. An attacker can...

ogham-mcp had credentials embedded in published PyPI sdists -- Neon postgres URLs and Voyage API key

Summary Between 2026-02 and 2026-04-24 a total of 22 public PyPI sdists of ogham-mcp contained development credentials embedded in source files. All credentials have since been rotated on the respective providers. No known exploitation. Upgrade to v0.11.1 to get a clean release. What was leaked |...

WordPress plugin Backup Migration 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

PT-2026-36963

The GeekyBot — Generate AI Content Without Prompt, Chatbot and Lead Generation plugin for WordPress is vulnerable to SQL Injection via the 'attributekey' parameter in versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparatio...

This Week in Spring - May 5th, 2026

Hi, Spring fans! Welcome to another installment of This Week in Spring! It's May 5th, 2026, and I'm in Mainz, Germany, for the legendary JAX conference! It's been infinitely far too long since I've been at this amazing show, and I'm oh-so happy to be back here! Tonight, after my two talks here, I...

PT-2026-37001

WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers can enumerate backup directories through configuration files and complete logs, then...

PT-2026-37317

Name of the Vulnerable Software and Affected Versions ArcadeDB versions prior to 26.4.2 Description Authenticated users and API tokens scoped to a specific database can read, write, and mutate schema on any other database on the same server. This occurs due to two defects: first, the...

PT-2026-37238

Name of the Vulnerable Software and Affected Versions ProFTPD versions prior to 1.3.9a 7666224 Description A SQL injection issue exists in the sqltab fetch clients cb function within contrib/mod wrap2 sql.c. When the "UseReverseDNS on" setting is enabled, a remote attacker can inject arbitrary SQ...

PT-2026-37235

Name of the Vulnerable Software and Affected Versions Masa CMS versions prior to 7.2.10 Masa CMS versions prior to 7.3.15 Masa CMS versions prior to 7.4.10 Masa CMS versions prior to 7.5.3 Description A SQL injection exists in the beanFeed.cfc component within the getQuery function's processing o...