EUVD-2026-32922

TinyMCE Cross-Site Scripting XSS vulnerability using media plugin data-mce-object injection...

CVE-2026-1865

The User Registration & Membership – Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder plugin for WordPress is vulnerable to SQL Injection via the ‘membershipids’ parameter in all versions up to, and including, 5.1.2 due to...

CVE-2026-33244

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...

WordPress MW WP Form plugin <= 5.1.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by VanTastic in WordPress Plugin MW WP Form versions = 5.1.3...

Security Bulletin: IBM InfoSphere Optim Archive Viewer is affected by multiple vulnerabilities in minimatch (CVE-2026-26996, CVE-2026-27903, CVE-2026-27904)

Summary Multiple vulnerabilities in the minimatch matching utility CVE-2026-26996, CVE-2026-27903, CVE-2026-27904 used by IBM InfoSphere Optim Archive Viewer have been addressed by upgrading the component to version 5.1.8. Vulnerability Details CVEID:CVE-2026-26996 DESCRIPTION: minimatch is a...

UBUNTU-CVE-2026-47759

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via unsanitized data-mce- attributes data-mce-href, data-mce-src, data-mce-style. Allows attackers to inject malicious values that override safe attributes during serialization,...

CVE-2026-47762

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Thi...

CVE-2026-47762 TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments

TinyMCE is an open source rich text editor. Prior to 5.11.1, 7.9.3, and 8.5.1, there is a stored XSS vulnerability via forged mce:protected comments. Allows attackers to bypass sanitization and inject scripts that execute when content is restored. Impacts users who utilize the protect option. Thi...

CVE-2026-47761

Summary: CVE-2026-47761 is a stored XSS vulnerability in TinyMCE’s media plugin, triggered by crafted data-mce-* attributes during content rendering. Affected software: TinyMCE (open source rich text editor); affected version range prior to 5.11.1, 7.9.3, and 8.5.1. Root cause/Vector: Media plugi...

PT-2026-44391

Name of the Vulnerable Software and Affected Versions TinyMCE versions prior to 5.11.1 TinyMCE versions prior to 7.9.3 TinyMCE versions prior to 8.5.1 Description A stored Cross-Site Scripting XSS issue exists via forged mce:protected comments. This allows attackers to bypass sanitization and...

CVE-2026-8479

IEC 60870-5-104 used in bidirectional mode in RTU500 is vulnerable for a NULL pointer dereferencing, if a specially crafted sequence of messages is sent for a certain time, causing Denial of Service impact. Product is only affected if IEC 60870-5-104 functionality in bidirectional mode BCI is...

Authorization Bypass Through User-Controlled Key

Overview concrete5/concrete5 is a concrete5 open source CMS. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via the surveys process. An attacker can gain unauthorized access to restricted survey functionality by submitting a restricted option ...

Mattermost 安全漏洞

Mattermost is an open-source collaboration platform developed by the American company Mattermost. Versions of Mattermost such as 11.5.1 and earlier 11.5.x have security vulnerabilities. These vulnerabilities stem from a failure to verify the team-level operating permissions for target teams,...

CVE-2026-32792

NLnet Labs Unbound 1.6.2 up to and including version 1.25.0 has a denial of service vulnerability when compiled with DNSCrypt support '--enable-dnscrypt'. A bad DNSCrypt query could underflow Unbound's DNSCrypt packet reading procedure that may lead to heap overflow. A malicious actor can exploit...

Astra Linux - уязвимость в qt4-x11, qtbase-opensource-src

A issue was discovered in Qt before version 5.15.15, in versions 6.x before 6.2.9, and in versions 6.3.x through 6.5.x before 6.5.1. When an SVG file containing an image is rendered, a QTextLayout buffer overflow can occur...

GHSA-JXX9-PX88-PJ69 n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete

Summary When ENABLEMULTITENANT=true, the HTTP transport documents that the target n8n instance is selected per-request from x-n8n-url / x-n8n-key headers. Requests that omitted those headers — or supplied only one of them — silently fell back to the process-level N8NAPIURL / N8NAPIKEY credentials...

EUVD-2026-30753

Mattermost versions 11.5.x = 11.5.1 fail to verify channel membership when processing AI-assisted message rewrites which allows an authenticated attacker to read the content of threads in private channels and direct messages they do not have access to via a crafted request to the post rewrite...

CVE-2026-4286

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to check if teamid was being changed when updating playbooks, allowing users with only Manage Playbook Configurations permission to change a playbook's team, bypassing manage members restriction via PUT api. Mattermost Advisory ID:...

CVE-2026-6334

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to enforce client identity binding during the OAuth authorization code redemption flow which allows an authenticated OAuth client to redeem authorization codes issued to a different client via a crafted token exchange request.. Mattermo...

WordPress InfusedWoo Pro plugin <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation vulnerability

Unauthenticated Missing Authorization to Privilege Escalation vulnerability discovered by Osvaldo Noe Gonzalez Del Rio Os - krei.dev | ogbuilders.io in WordPress Plugin InfusedWoo Pro versions = 5.1.2...