CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVE-2026-25863

Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hidehiddenmailfieldsregexcallback method reads an iteration count directly from user-supplied POST parameters without...

Cross-site Scripting (XSS)

Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the email notification template system. An attacker can inject arbitrary HTML content by supplying crafted values in device, geofence, or driver name fields, which are then rendered in notification emails se...

Prototype Pollution

Axios is vulnerable to Prototype Pollution. The vulnerability is due to direct property access of configuration fields in the HTTP adapter e.g., config.auth, config.baseURL, config.socketPath, config.beforeRedirect, config.insecureHTTPParser without hasOwnProperty checks, allowing polluted...

kernel: crypto: asymmetric_keys - prevent overflow in asymmetric_key_generate_id

In the Linux kernel, the following vulnerability has been resolved: crypto: asymmetrickeys - prevent overflow in asymmetrickeygenerateid Use checkaddoverflow to guard against potential integer overflows when adding the binary blob lengths and the size of an asymmetrickeyid structure and return...

SUSE CVE-2026-43026

In the Linux kernel, the following vulnerability has been resolved: netfilter: ctnetlink: zero expect NAT fields when CTAEXPECTNAT absent ctnetlinkallocexpect allocates expectations from a non-zeroing slab cache via nfctexpectalloc. When CTAEXPECTNAT is not present in the netlink message, savedad...

PT-2026-37307

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.76 Parse Server versions prior to 9.9.0-alpha.2 Description A race condition exists in the MFA SMS one-time password OTP login path. This allows two concurrent requests to the '/login' endpoint using the same...

GHSA-FC86-6RV6-2JPM webonyx/graphql-php has quadratic validation cost in OverlappingFieldsCanBeMerged via inline fragments

Summary OverlappingFieldsCanBeMerged validation rule has On^2 x m^2 worst case via flattened inline fragments. The CVE-2023-26144 named-fragment cache does not cover inline fragments. A 364 KB query 200 outer x 100 inner inline fragments consumes 117 seconds of CPU per request, with no comparison...

CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

Improper Authentication

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Improper Authentication via the bootstrap config endpoint. An attacker can access sensitive configuration fields intended for authenticated sessions by sending unauthenticated requests to...

CVE-2026-5112

The Gravity Forms plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting in versions up to and including 2.10.0. This is due to insufficient input validation and output escaping of Calculation Product field product names when rendered inside Repeater fields. The validat...

CVE-2026-7641

The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the saveextrauserprofilefields function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site e.g...

CVE-2026-5113

The Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Consent field hidden inputs in versions up to and including 2.10.0. This is due to a flawed state validation mechanism that fails open when input is sanitized by wpkses, combined with insufficient output...

CVE-2026-42223

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVE-2026-42223 nginx-ui: Settings API Exposes Protected Secrets

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag...

CVE-2026-42223

Nginx UI (nginx-ui) before version 2.3.8 exposes sensitive settings through the GetSettings API. The handler serializes all settings structs to JSON and returns them to authenticated users, while the protected:"true" tag is only enforced on writes, not reads. This leaks 40+ protected fields, incl...

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization in the JoinWorkflowSpec process. An attacker can gain unauthorized access to host networking, override service account assignments, modify pod security contexts, add tolerations, or enable service account token...

CVE-2026-25863

Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hidehiddenmailfieldsregexcallback method reads an iteration count directly from user-supplied POST parameters without...

CVE-2026-25863

Vulnerability summary (CVE-2026-25863): The WordPress plugin “Conditional Fields for Contact Form 7” (CF7 Conditional Fields), affected up to version 2.6.7, contains an uncontrolled resource consumption issue in Wpcf7cfMailParser.hide_hidden_mail_fields_regex_callback(). The method reads an itera...

CVE-2026-25863 Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption

Conditional Fields for Contact Form 7 WordPress plugin through version 2.7.2 contains an uncontrolled resource consumption vulnerability in the Wpcf7cfMailParser class where the hidehiddenmailfieldsregexcallback method reads an iteration count directly from user-supplied POST parameters without...