WordPress Easy Forms for Mailchimp Plugin < 6.8.9 - Cross-Site Scripting

The Easy Forms for Mailchimp plugin before version 6.8.9 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the sqlerror parameter before outputting it back in the page when the debug option is enabled, which could allow attackers to execute...

CVE-2018-25402

CVE-2018-25402 affects Open ISES Project 3.30A. A SQL injection flaw in inc_types_graph.php via the p1 parameter allows unauthenticated remote attackers to execute arbitrary SQL and extract sensitive DB information (schema names, data). The CVE is associated with high-severity metrics (CVSS 3.1/4...

CVE-2018-25402 The Open ISES Project 3.30A SQL Injection via inc_types_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inctypesgraph.php with crafted SQL payloads to extract sensitive...

EUVD-2018-21924

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inctypesgraph.php with crafted SQL payloads to extract sensitive...

CVE-2018-25402

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inctypesgraph.php with crafted SQL payloads to extract sensitive...

CVE-2026-45857

In the Linux kernel, the following vulnerability has been resolved: scsi: csiostor: Fix dereference of null pointer rn The error exit path when rn is NULL ends up deferencing the null pointer rn via the use of the macro CSIOINCSTATS. Fix this by adding a new error return path label after the use ...

CVE-2026-25426

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1...

EUVD-2026-31967

Missing Authorization vulnerability in Magepeople inc. Taxi Booking Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Taxi Booking Manager for WooCommerce: from n/a through 2.0.1...

CVE-2026-25444 WordPress WpBookingly plugin <= 1.2.9 - Broken Access Control vulnerability

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9...

PT-2026-43386

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5...

CVE-2026-48235 Open ISES Tickets < 3.44.2 SQL Injection in incs/remotes.inc.php via External GPS Tracker Data

Open ISES Tickets before 3.44.2 contains a SQL injection vulnerability in incs/remotes.inc.php where latitude, longitude, callsign, mph, altitude, and timestamp values parsed from external GPS tracking service XML/JSON responses InstaMapper and Google Latitude integration are concatenated into...

EUVD-2026-31097

Missing Authorization vulnerability in Magepeople inc. WpBookingly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpBookingly: from n/a through 1.2.9...

WordPress AIWU plugin <= 1.4.21 - SQL Injection vulnerability

SQL Injection vulnerability discovered by Kazuma Matsumoto - GMO Cybersecurity by IERAE, Inc. in WordPress Plugin AIWU versions = 1.4.21...

CVE-2026-41872

"Kura Sushi Official App" provided by EPG, Inc. is vulnerable to improper certificate validation. A man-in-the-middle attack may allow eavesdropping on, or altering, the communication on push notifications between the affected application and the relevant server...

WordPress Hostinger Reach – AI-Powered Email Marketing for WordPress plugin <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update vulnerability

Missing Authorization to Authenticated Subscriber+ Integration API Key Update vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Hostinger Reach AI-Powered Email Marketing for WordPress versions = 1.3.8...

CVE-2026-42213 SolidCAM-GPPL-IDE: Path traversal in `inc` directive enables file probing and NTLM-hash leak

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link VS Code textDocument/documentLin...

CVE-2026-42213 SolidCAM-GPPL-IDE: Path traversal in `inc` directive enables file probing and NTLM-hash leak

SolidCAM-GPPL-IDE is an unofficial, independently developed extension, Postprocessor IDE for SolidCAM. From version 1.0.0 to before version 1.0.2, the inc "filename" directive in GPPL postprocessor files is resolved by GpplDocumentLinkHandler into a clickable link VS Code textDocument/documentLin...

CVE-2026-42213

SolidCAM-GPPL-IDE (unofficial GPPL Postprocessor IDE) contains a vulnerability in the inc "filename" directive handling. GpplDocumentLinkHandler resolves the directive into clickable links and probes arbitrary paths (absolute, relative with .., UNC paths, etc.) using File.Exists to decide renderi...

Postprocessor IDE for SolidCAM 路径遍历漏洞

Postprocessor IDE for SolidCAM is a GPPL language development support tool developed by Andrey Zorin. Versions of Postprocessor IDE for SolidCAM from 1.0.0 to 1.0.2 had a path traversal vulnerability. This vulnerability stemmed from the fact that the inc directive in the GPPL postprocessor files...

Astra Linux - уязвимость в rsync

A path traversal vulnerability exists in rsync. It stems from behavior enabled by the --inc-recursive option, a default-enabled option for many client options and can be enabled by the server even if not explicitly enabled by the client. When using the --inc-recursive option, a lack of proper...