EUVD-2026-36926

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...

CVE-2026-34901

Unauthenticated Privilege Escalation in iControlWP = 5.5.3 versions...

CVE-2026-42658

The CVE-2026-42658 entry concerns the WordPress Classified Listing plugin, affected versions

CVE-2026-39441 WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability

Unauthenticated SQL Injection in Feed KuantoKusta for WooCommerce – Free = 5.3 versions...

PT-2026-49442

Unauthenticated Broken Access Control in Classified Listing = 5.3.8 versions...

CVE-2026-47238

CVE-2026-47238 affects ClipBucket v5 prior to 5.5.3 (patch released in 5.5.3 - #133). A normal authenticated user can perform an insecure IDOR in the videos subtitle editor, allowing editing, uploading, renaming, or deleting subtitles belonging to other users due to lack of proper authorization. ...

EUVD-2026-36367

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.3 - 140, ClipBucket's Remote Play feature allows any authenticated user to add a video by importing an external URL as the source. Some shell commands are run with the URL as a parameter. The URL is concatenated directly...

CVE-2026-35574

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting XSS vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including...

GHSA-4VQC-WPWG-VH7J kas's late signature validation may allow unnoticed repository manipulations

Impact So far, kas checks out and processes repositories regarding configuration includes prior to validating signatures of those repositories. This may allow to replace on original repository with one under the control of an attacker under very specific conditions. First of all, the attacker mus...

CVE-2018-25324

The CVE-2018-25324 entry concerns the WordPress plugin Simple Fields versions 0.2–0.3.5, which contains a local file inclusion (LFI) flaw via the wp_abspath parameter. Unauthenticated attackers can read arbitrary files (e.g., /etc/passwd) by injecting null bytes into wp_abspath on PHP versions be...

Linux Distros Unpatched Vulnerability : CVE-2026-44240

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.3-cp311-abi3-macosx109universal2.whl

Summary IBM Watson Discovery Cartridge affected by vulnerability in cryptography-46.0.3-cp311-abi3-macosx109universal2.whl Vulnerability Details CVEID:CVE-2026-34073 DESCRIPTION: cryptography is a package designed to expose cryptographic primitives and recipes to Python developers. Prior to versi...

PT-2026-36193

Name of the Vulnerable Software and Affected Versions IBM watsonx.data intelligence versions 5.2.0 through 5.2.1 IBM watsonx.data intelligence versions 5.3.0 through 5.3.1 Description User credentials are stored in plain text, allowing a local user to read them. Recommendations At the moment, the...

Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in once-1.1.2.tgz

Summary IBM Watson Discovery Cartridge affected by vulnerability in once-1.1.2.tgz Vulnerability Details CVEID:CVE-2026-3449 DESCRIPTION: Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. T...

PT-2026-33885

Name of the Vulnerable Software and Affected Versions OpenBao versions prior to 2.5.3 Description OpenBao is an open source identity-based secrets management system that utilizes namespaces for multi-tenant separation. A flaw exists where a tenant that leaks token accessors may have their token...

EUVD-2026-20048

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'buttoncaption' parameter in the latepointresources shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the...

EUVD-2026-15929

Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal' vulnerability in icopydoc YML for Yandex Market yml-for-yandex-market allows Path Traversal.This issue affects YML for Yandex Market: from n/a through 5.3.0...

CVE-2026-1238

SlimStat Analytics for WordPress is affected by a Stored Cross-Site Scripting vulnerability via the 'fh' parameter in all versions up to 5.3.5. The issue arises from insufficient input sanitization and output escaping, allowing unauthenticated attackers to inject scripts that execute when users v...

CVE-2026-32245 Tinyauth's OIDC authorization codes are not bound to client on token exchange

Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC token endpoint does not verify that the client exchanging an authorization code is the same client the code was issued to. A malicious OIDC client operator can exchange another client's authorization code using their...

CVE-2026-25896

fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3to before 5.3.5, a dot . in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow...