8068 matches found

EUVD
added 2026/04/15 6:31 p.m. | 0 views

EUVD-2026-22903

Cross-Site Request Forgery (CSRF) vulnerability in Syed Balkhi Contact Form by WPForms wpforms-lite allows Cross Site Request Forgery. This issue affects Contact Form by WPForms: from n/a through <= 1.10.0.2...

CVSS 8.1 | AI score 5.8 | EPSS 0.00018
Exploits: 0 | References: 2

CNNVD
added 2026/04/15 12:00 a.m. | 5 views

Google Chrome Security Vulnerability

Google Chrome is a web browser from Google, an American company. A memory misreference vulnerability exists in the Google Chrome Forms component, which can be exploited by an attacker to execute arbitrary code from a specially crafted HTML page in a sandbox...

CVSS 8.8 | AI score 6.2 | EPSS 0.00056
Exploits: 0 | References: 1

RedhatCVE
added 2026/04/13 7:23 p.m. | 1 view

CVE-2026-1396

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 | AI score 5.9 | EPSS 0.00039
Exploits: 0 | References: 1

Wordfence Blog
added 2026/04/13 6:02 p.m. | 3 views

Attackers Actively Exploiting Critical Vulnerability in Kali Forms Plugin

On March 2nd, 2026, we received a submission through our Bug Bounty Program for a Remote Code Execution vulnerability in Kali Forms, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to execute code on the server. T...

CVSS 9.8 | AI score 6 | EPSS 0.28725
Exploits: 2

NVD
added 2026/04/13 4:16 p.m. | 0 views

CVE-2025-66769

A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet...

CVSS 7.5 | EPSS 0.00002
Exploits: 0 | References: 2

Vulnrichment
added 2026/04/13 12:00 a.m. | 1 view

CVE-2025-66769

A NULL pointer dereference in Nitro PDF Pro for Windows v14.41.1.4 allows attackers to cause a Denial of Service (DoS) via a crafted XFA packet...

AI score 5.8 | EPSS 0.00002
Exploits: 0 | References: 2

EUVD
added 2026/04/12 3:30 p.m. | 2 views

EUVD-2019-20139

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters...

CVSS 5.3 | AI score 5.7 | EPSS 0.00005
Exploits: 1 | References: 3

NVD
added 2026/04/12 1:16 p.m. | 1 view

CVE-2019-25708

Heatmiser Wifi Thermostat 1.7 contains a cross-site request forgery vulnerability that allows attackers to change administrator credentials by tricking authenticated users into submitting malicious requests. Attackers can craft HTML forms targeting the networkSetup.htm endpoint with parameters...

CVSS 5.3 | EPSS 0.00005
Exploits: 1 | References: 2

Vulnrichment
added 2026/04/10 1:24 a.m. | 3 views

CVE-2026-1263 Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions...

CVSS 6.4 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 6

CVE
added 2026/04/10 1:24 a.m. | 8 views

CVE-2026-1263

CVE-2026-1263 affects the Webling WordPress plugin up to version 3.9.0. The vulnerability is a Stored Cross-Site Scripting in the title parameter via the functions webling_admin_save_form and webling_admin_save_memberlist. It enables authenticated users with Subscriber-level access and above to ...

CVSS 6.4 | AI score 6.1 | EPSS 0.00015
Exploits: 0 | References: 6

Cvelist
added 2026/04/10 1:24 a.m. | 21 views

CVE-2026-1263 Webling <= 3.9.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'title' Parameter

The Webling plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 3.9.0 due to insufficient input sanitization, insufficient output escaping, and missing capabilities checks in the 'webling_admin_save_form' and 'webling_admin_save_memberlist' functions...

CVSS 6.4 | EPSS 0.00015
Exploits: 0 | References: 6

Positive Technologies
added 2026/04/10 12:00 a.m. | 5 views

PT-2026-31842

Name of the Vulnerable Software and Affected Versions: Webling plugin for WordPress versions prior to 3.9.1. Description: The Webling plugin for WordPress is susceptible to Stored Cross-Site Scripting due to insufficient input sanitization, insufficient output escaping, and missing capabilities chec...

CVSS 6.4 | AI score 5.9 | EPSS 0.00015
Exploits: 0 | References: 9

RedhatCVE
added 2026/04/09 7:23 p.m. | 2 views

CVE-2026-39657

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects leadlovers forms: from n/a through <= 1.0.2...

CVSS 5.3 | AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 1

vulnersOsv
added 2026/04/08 9:10 p.m. | 3 views

@4399ywkf/router (>=0.0.1 <=0.0.4), @akash-aw/aw-wizard-forms (=4.14.0) +155 more potentially affected by CVE-2026-23869 via @modern-js/utils (>=2.65.2 <=2.70.4)

@modern-js/utils NPM version =2.65.2, =0.0.1, =1.0.0, =1.0.0, =0.44.0, =2.23.0, =0.3.53, =0.0.0-beta.1, =1.0.1, =0.30.0, =0.3.0, =0.3.0-alpha.1 and more Source cves: CVE-2026-23869 Source advisory: SNYK:JS-MODERNJSUTILS-15954203...

CVSS 7.5 | AI score 7.3 | EPSS 0.00841
Exploits: 3

EUVD
added 2026/04/08 9:31 a.m. | 0 views

EUVD-2026-20324

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects leadlovers forms: from n/a through <= 1.0.2...

AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 2

EUVD
added 2026/04/08 9:31 a.m. | 2 views

EUVD-2026-20131

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 | AI score 6.1 | EPSS 0.00039
Exploits: 0 | References: 5

NVD
added 2026/04/08 9:16 a.m. | 1 view

CVE-2026-39657

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects leadlovers forms: from n/a through <= 1.0.2...

CVSS 5.3 | EPSS 0.0004
Exploits: 0 | References: 1

NVD
added 2026/04/08 9:16 a.m. | 0 views

CVE-2026-1396

The Magic Conversation For Gravity Forms plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'magic-conversation' shortcode in all versions up to, and including, 3.0.97 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it...

CVSS 6.4 | EPSS 0.00039
Exploits: 0 | References: 4

Vulnrichment
added 2026/04/08 8:30 a.m. | 0 views

CVE-2026-39657 WordPress leadlovers forms plugin <= 1.0.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in leadlovers leadlovers forms leadlovers-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects leadlovers forms: from n/a through <= 1.0.2...

AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 1

CVE
added 2026/04/08 8:30 a.m. | 5 views

CVE-2026-39657

CVE-2026-39657 concerns a missing authorization vulnerability in the WordPress plugin family “leadlovers forms” (leadlovers-forms). The vulnerability is described as Broken Access Control caused by incorrectly configured access control security levels, allowing exploitation of missing a...

CVSS 5.3 | AI score 5.9 | EPSS 0.0004
Exploits: 0 | References: 1