EUVD-2026-38063

The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers ...

CVE-2026-12238 WP Go Maps <= 10.1.01 - Unauthenticated Arbitrary Record Creation

The WP Go Maps – Most Popular Map Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 10.1.01. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers ...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: mm/uffd: fixed the pte marker when using fork without a fork event. The patch series is named “mm: Fixes on pte markers”. Patch 1 addresses the issue reported by Pengfei in the syzkiller project. Patch 2 further improves the...

PT-2026-51004

Name of the Vulnerable Software and Affected Versions WP Go Maps versions prior to 10.1.02 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Unauthenticated attackers can create arbitrary records in plugin...

CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

CVE-2026-8385 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title,...

CVE-2026-8385

The CVE-2026-8385 entry concerns the WP Go Maps WordPress plugin, specifically versions prior to 10.0.10. The vulnerability arises from improper enforcement of the marker approval filter on the admin-ajax fallback for the plugin’s datatables route, allowing unauthenticated visitors to access mark...

CVE-2026-8385 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Datatables AJAX Fallback

The WP Go Maps WordPress plugin before 10.0.10 does not properly enforce the marker approval filter on the admin-ajax fallback for its datatables route, allowing unauthenticated visitors to retrieve marker records that the site owner has not approved for public display, including their title,...

PT-2026-49184

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets

Two security teams have shown, in separate research published this week, that OpenClaw, the popular self-hosted AI agent, can be driven to run attacker-controlled code or hand over sensitive data through ordinary-looking inputs. Imperva buried instructions inside shared contacts, vCards, and...

MAL-2026-5470 Malicious code in getd-typescript-eslint-rules (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector caed4b0db34232c4ef920817b6087cee9ac0610ec4ec2e49edbb5f167342f42f On npm install, the postinstall.js script collects the installer's hostname, OS username, platform, current working directory, CI environment markers...

Layer Order Semantics for Automata-Based Cybersecurity

Layered cybersecurity pipelines transform evidence before they decide on it, and the order of those transformations determines which security facts become visible to which layer. This paper gives layer order a finite-state semantics built from a layer-order automaton, deterministic sequential...

pyasn1: pyasn1 Vulnerable to Denial of Service via Unbounded Recursion

An unbounded recursion flaw has been discovered in the pypi pyasn1 library. This uncontrolled recursion occurs when decoding ASN.1 data with deeply nested structures. An attacker can supply a crafted payload containing nested SEQUENCE 0x30 or SET 0x31 tags with Indefinite Length 0x80 markers. Thi...

Elastic Kibana 安全漏洞

Elastic Kibana is a data visualization dashboard software provided by the Elastic company. There is a security vulnerability in Elastic Kibana, which stems from improper input handling. This vulnerability may allow users with write permissions for Elasticsearch indexes to persistently store...

PT-2026-44150

Description SymfonyComponentYamlParser::cleanup strips the optional %YAML directive header, leading comments, and document start/end markers before parsing. The original regexes contained overlapping quantifiers, most notably '^%YAML: d.+. u', whose d.+ and . overlap on the dot, that exhibit...

Malicious code in n8n-nodes-pentest-rce (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2a813bc4a209e75b50151451de1c2a3c4a7e916b181b314416eafc43492b4eb5 On npm install, the package's postinstall script runs a shell pipeline that reads the Kubernetes service-account token from...

CVE-2026-6210

A flaw was found in Qt SVG. A remote attacker could exploit a vulnerability by providing a specially crafted SVG image. This issue arises from incorrect handling of SVG marker references, where the software misinterprets data types, leading to memory access errors and an infinite loop. This can...

UBUNTU-CVE-2026-6210

A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker without verifying the node type. A non-marker element such as a...

CVE-2026-6210 Type confusion and heap-buffer-overflow in Qt SVG marker handling causing application crash

A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker without verifying the node type. A non-marker element such as a...

EUVD-2026-25172

The WP Store Locator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'wpsladdress' post meta value in versions up to, and including, 2.2.261 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...