931 matches found
CVE-2026-5200 AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router'
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. Thi...
WordPress plugin AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution security vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...
EUVD-2022-55990
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The datecreated, datefrom, dateto, and createdat parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted...
CVE-2022-50969
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The datecreated, datefrom, dateto, and createdat parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via crafted...
CVE-2022-50969
CVE-2022-50969 affects uBidAuction 2.0.1 and involves a reflected Cross‑Site Scripting (XSS) vulnerability in the backend/mailingLog/manage module. The issue stems from improper sanitization of the date_created, date_from, date_to, and created_at parameters in the filter functionality, allowing r...
PT-2026-39494
uBidAuction 2.0.1 contains a reflected cross-site scripting vulnerability in the backend/mailingLog/manage module. The date created, date from, date to, and created at parameters in the filter functionality are not properly sanitized, allowing remote attackers to inject malicious scripts via...
More PayPal emails hijacked to deliver tech support scams
Scammers have found another way to get deceptive messages delivered through PayPal’s legitimate services. In December 2025, we reported that PayPal closed a loophole that let scammers send real emails with fake purchase notices. In those cases, scammers created a PayPal subscription and then paus...
CVE-2026-41259
CVE-2026-41259 affects Mastodon prior to versions 4.5.9, 4.4.16, and 4.3.22. The issue is insufficient verification of email addresses: Mastodon allows restricting new user sign-up by domain but does not properly handle characters that some mail servers interpret differently. Root cause is incomp...
SUSE CVE-2026-35535
In Sudo through 1.9.17p2 before 3e474c2, a failure of a setuid, setgid, or setgroups call, during a privilege drop before running the mailer, is not a fatal error and can lead to privilege escalation...
listmonk Session Persistence
listmonk has a flaw where sessions persist as valid after password reset and password change. CVE-2026-34828 listmonk’s Session Persistence After Password Reset and Password Change Intro I found this issue while reviewing listmonk, an open-source newsletter and mailing list manager, with a simple...
Exploit for Improper Input Validation in Microsoft
HTB: Mailing — A Complete Walkthrough By Mursalin --- I...
CVE-2026-1857
The Gutenberg Blocks with AI by Kadence WP plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.6.1. This is due to insufficient validation of the endpoint parameter in the getitems function of the GetResponse REST API handler. The endpoint's...
CVE-2025-13079
The Popup Builder – Create highly converting, mobile friendly marketing popups. plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.4.2. This is due to the plugin generating predictable unsubscribe tokens using deterministic data. This makes it...
CVE-2026-24027
creationtimestamp | type | source
---|---|---
2026-02-10 10:00:10+00:00 | seen | https://seclists.org/oss-sec/2026/q1/159...
CVE-2005-1419
SQL injection vulnerability in the admin login panel for Ocean12 Mailing List Manager 1.06 allows remote attackers to execute arbitrary SQL commands via the Adminid parameter...
CVE-2023-40160
Directory traversal vulnerability exists in Mailing List Search CGI pmmls.exe included in A.K.I Software's PMailServer/PMailServer2 products. If this vulnerability is exploited, a remote attacker may obtain arbitrary files on the server...
CVE-2003-1313
Multiple PHP remote file inclusion vulnerabilities in EternalMart Mailing List Manager EMLM 1.32 allow remote attackers to execute arbitrary PHP code via a URL in (1) the emmladminpath parameter to admin/auth.php or (2) the emmlpath parameter to emmlemailfunc.php...
CVE-2021-33038
An issue was discovered in management/commands/hyperkittyimport.py in HyperKitty through 1.3.4. When importing a private mailing list's archives, these archives are publicly visible for the duration of the import. For example, sensitive information might be available on the web for an hour during...
CVE-2025-68280
creationtimestamp | type | source
---|---|---
2026-01-05 14:18:24+00:00 | seen | https://seclists.org/oss-sec/2026/q1/17
2026-01-05 15:30:46+00:00 | seen | https://gist.github.com/Darkcrai86/1f974350056ca093e9738c65c3452ad1
2026-01-05 15:55:46+00:00 | seen |...
CVE-2025-67895
creationtimestamp | type | source
---|---|---
2025-12-16 15:13:17+00:00 | seen | https://seclists.org/oss-sec/2025/q4/280
2025-12-17 13:42:16+00:00 | seen | https://gist.github.com/Darkcrai86/3e68b0ba666c48a6963c4bbdca1c90c3
2025-12-17 15:12:00+00:00 | seen |...