
12128 matches found

Source: CVE | added 3 hours ago | 6 views

CVE-2026-9612

The CVE-2026-9612 entry concerns the WhatsOrder – Instant Checkout for WooCommerce plugin for WordPress. Affects versions up to 1.0.1 and is caused by the yapacdev_generate_order_pdf function, which exposes sensitive customer PII and order details. Attack flow: an unauthenticated user can enumera...

CVSS 5.3 | AI score 5.9
Exploits: 0 | References: 7
Source: CVE | added yesterday | 11 views

CVE-2026-46547

CVE-2026-46547 (NocoDB) is a reflected XSS in the Page Leaving Warning page. The issue arises because the query parameters ncRedirectUrl and ncBackUrl are used in window.location.href and in an tag href without proper validation, allowing javascript: URI injection. Exploitation could enable arbi...

CVSS 6.1 | AI score 5.9 | EPSS 0.00054
Exploits: 0 | References: 1
Source: ATTACKERKB | added yesterday | 2 views

CVE-2026-53927

NocoDB is software for building databases as spreadsheets. Prior to 2026.05.1, the spreadsheet-fetch endpoint axiosRequestMake accepted URLs whose path contained a permitted extension anywhere in the string, and applied a hand-rolled regex blocklist that omitted 127.0.0.0/8 and 169.254.0.0/16,...

CVSS 5.1 | AI score 5.8 | EPSS 0.00017
Exploits: 0 | References: 2 | Affected Software: 1
Source: RedHat Linux | added yesterday | 4 views

dotnet: .NET: Local file tampering via link following vulnerability

A flaw was found in .NET's System.Formats.Tar library. When extracting a specially crafted TAR archive containing symbolic links, the TarFile.ExtractToDirectory method may incorrectly follow those links and write files outside the intended extraction directory. An attacker could exploit this issu...

CVSS 6.2 | AI score 5.8 | EPSS 0.00388
Exploits: 0 | References: 5
Source: Circl | added 2 days ago | 6 views

CVE-2026-56348

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-22 23:01:55+00:00 | seen | https://bsky.app/profile/securitycyberuk.bsky.social/post/3movykjgn3v2m |
| 2026-06-22 23:49:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mow37lsgda2w |
...

CVSS 9.1 | AI score 5.8 | EPSS 0.0025
Exploits: 0 | References: 2
Source: NVD | added 2 days ago | 5 views

CVE-2026-56266

Crawl4AI before 0.8.7 contains a server-side request forgery vulnerability in the /crawl, /crawl/stream, /md, and /llm endpoints that fetch arbitrary user-supplied URLs without validation. Unauthenticated attackers can bypass the internal-address blocklist using IPv6-mapped IPv4 addresses to reac...

CVSS 9.2 | EPSS 0.00291
Exploits: 0 | References: 3
Source: RedHat Linux | added 2 days ago | 6 views

golang: internal/syscall/unix: Root.Chmod can follow symlinks out of the root

A flaw was found in the internal/syscall/unix package in the Go standard library. If the target of the Root.Chmod function is replaced with a symbolic link during execution, specifically after Root.Chmod checks the target but before acting, the chmod operation will be performed on the file the...

CVSS 6.4 | AI score 7 | EPSS 0.00292
Exploits: 0 | References: 8
Source: RedHat Linux | added 2 days ago | 6 views

dotnet: .NET: Local file tampering via link following vulnerability

A flaw was found in .NET's System.Formats.Tar library. When extracting a specially crafted TAR archive containing symbolic links, the TarFile.ExtractToDirectory method may incorrectly follow those links and write files outside the intended extraction directory. An attacker could exploit this issu...

CVSS 6.2 | AI score 5.8 | EPSS 0.00388
Exploits: 0 | References: 5
Source: RedHat Linux | added 2 days ago | 4 views

dotnet: .NET: Local file tampering via link following vulnerability

A flaw was found in .NET's System.Formats.Tar library. When extracting a specially crafted TAR archive containing symbolic links, the TarFile.ExtractToDirectory method may incorrectly follow those links and write files outside the intended extraction directory. An attacker could exploit this issu...

CVSS 6.2 | AI score 5.8 | EPSS 0.00388
Exploits: 0 | References: 5
Source: NVD | added 2 days ago | 7 views

CVE-2026-50178

The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates. The client-side Angular Language Service VS Code extension configures the tooltip Markdown renderer with the isTrusted: true option located in client/src/client.ts. This setting instructs VS...

CVSS 8.7 | EPSS 0.00262
Exploits: 0 | References: 1
Source: EUVD | added 2 days ago | 6 views

EUVD-2026-38240

An HTML injection vulnerability exists in the Google Chat webhook notification sent by Thinkst Applied Research Canarytokens, enabling Interface Manipulation in Google Chat. An attacker can insert limited HTML content including links. This issue affects Canarytokens: from Docker tag sha-4aef1db90...

CVSS 5.1 | AI score 5.9 | EPSS 0.00286
Exploits: 0 | References: 1
Source: Circl | added 2 days ago | 4 views

CVE-2026-8157

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-22 07:30:35+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116792585922539614 |
| 2026-06-22 07:30:35+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mouej4ydjs2l |
| 2026-06-22 08:14:26+00:00 | seen | ... |

CVSS 8.8 | AI score 5.8 | EPSS 0.00237
Exploits: 0 | References: 3
Source: Nuclei | added 2 days ago | 8 views

LolLMS < 2.2.0 - Server-Side Request Forgery

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via downloadimagetotemp in backend/routers/files.py without any validation, allowing an unauthenticated...

CVSS 7.5 | AI score 7.5 | EPSS 0.01765
Exploits: 1 | References: 3
Source: Circl | added 2 days ago | 4 views

CVE-2026-6645

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-22 04:30:29+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116791877623901189 |
| 2026-06-22 04:30:31+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mou2gzwtck2t |
| 2026-06-22 04:37:44+00:00 | seen | ... |

CVSS 7.3 | AI score 5.8 | EPSS 0.00136
Exploits: 0 | References: 6
Source: Circl | added 2 days ago | 3 views

CVE-2016-5681

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-22 03:33:58+00:00 | seen | https://bsky.app/profile/ahmandonk.bsky.social/post/3motxbzt5uj2u |
| 2026-06-22 08:01:23+00:00 | seen | https://bsky.app/profile/potato.software/post/3mouga7voxc2f |
| 2026-06-22 08:01:23+00:00 | seen | ... |

CVSS 9.8 | AI score 7.3 | EPSS 0.11927
Exploits: 0 | References: 4
Source: Circl | added 3 days ago | 8 views

CVE-2025-71357

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-21 16:28:41+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3moss4gcist27 |
| 2026-06-21 17:23:42+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mosv6sga2a2k |
...

CVSS 8.1 | AI score 5.8 | EPSS 0.00248
Exploits: 0 | References: 2
Source: Circl | added 3 days ago | 7 views

CVE-2025-71348

| creationtimestamp | type | source |
|---|---|---|
| 2026-06-21 16:27:12+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mosrzrpvn52y |
| 2026-06-21 17:14:24+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mosuo6f7cg2k |
| 2026-06-22 11:40:01+00:00 | seen | ... |

CVSS 8.1 | AI score 5.8 | EPSS 0.00353
Exploits: 0 | References: 3
Source: NVD | added 4 days ago | 7 views

CVE-2026-56330

Capgo before 12.128.2 contains an open redirect vulnerability in stripeportal and stripecheckout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for...

CVSS 4.8 | EPSS 0.00152
Exploits: 0 | References: 2
Source: EUVD | added 4 days ago | 8 views

EUVD-2026-38126

Capgo before 12.128.2 contains an open redirect vulnerability in stripeportal and stripecheckout endpoints that accept unvalidated callbackUrl, successUrl, and cancelUrl parameters. Authenticated attackers can craft malicious billing URLs to redirect users to attacker-controlled domains for...

CVSS 4.8 | AI score 5.9 | EPSS 0.00152
Exploits: 0 | References: 2
Source: Tenable Nessus | added 4 days ago | 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-48822

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Shaarli is a personal bookmarking service. Versions 0.16.1 and prior contain a stored Cross-Site Scripting (XSS) vulnerability in the Markdown-to-HTML conversion...

CVSS 5.8 | AI score 5.8 | EPSS 0.0012
Exploits: 0 | References: 3