1398 matches found
CVE-2026-57685 WordPress Martfury - WooCommerce Marketplace WordPress theme theme <= 3.2.8 - Broken Access Control vulnerability
Subscriber Broken Access Control in Martfury - WooCommerce Marketplace WordPress Theme = 3.2.8 versions...
CVE-2026-57685
CVE-2026-57685: A Broken Access Control vulnerability exists in WordPress Martfury - WooCommerce Marketplace Theme (versions
WCFM WooCommerce Multivendor Marketplace < 3.4.12 - SQL Injection
The wcfmajaxcontroller AJAX action of the WCFM Marketplace WordPress plugin before 3.4.12, available to unauthenticated and authenticated user, does not properly sanitise multiple parameters before using them in SQL statements, leading to SQL injections. id: CVE-2021-24849 info: name: WCFM...
Liferay Portal - Cross-Site Scripting
A reflected cross-site scripting XSS vulnerability in the Liferay Portal 7.4.0 through 7.4.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.5, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, 2024.Q1.1 through 2024.Q1.12, 7.4 GA through update 92 allows an remote non-authenticated...
WordPress Martfury - WooCommerce Marketplace WordPress theme theme <= 3.2.8 - Broken Access Control vulnerability
WordPress Martfury - WooCommerce Marketplace WordPress theme theme = 3.2.8 - Broken Access Control vulnerability discovered by Ananda Dhakal Patchstack in WordPress Theme Martfury - WooCommerce Marketplace WordPress Theme versions = 3.2.8...
CVE-2026-11783
The CVE concerns the Dokan: AI Powered WooCommerce Multivendor Marketplace Solution for WordPress. A Stored XSS flaw exists in all versions up to 5.0.4 due to insufficient input sanitization and output escaping of the Product SKU, enabling an authenticated attacker with custom-level access or hig...
CVE-2026-11987
The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution (WordPress) up to version 5.0.4 is vulnerable to Insecure Direct Object Reference via the id parameter due to missing validation on a user‑controlled key. Authenticated attackers with subscriber+ access can read other vendors’ pro...
CVE-2026-55413
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role free tier can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes...
CVE-2026-55413
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role free tier can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes...
CVE-2026-55413 ToolJet - Marketplace Plugin Poisoning Enables Instance-Wide Remote Code Execution
ToolJet is the open-source foundation am AI-native platform for building and deploying internal tools, workflows and AI agents. Prior to 3.20.178-lts, any authenticated user with builder role free tier can overwrite a globally-shared marketplace plugin with arbitrary JavaScript that executes...
CVE-2026-55413
ToolJet prior to 3.20.178-lts allows any authenticated builder-role user to overwrite a globally-shared marketplace plugin with arbitrary JavaScript, which executes server-side with full Node.js access (require, process). The malicious code runs when any user queries that plugin, enabling instanc...
CVE-2026-54838
Subscriber SQL Injection in WC Vendors Marketplace = 2.6.8 versions...
CVE-2026-54838 WordPress WC Vendors Marketplace plugin <= 2.6.8 - SQL Injection vulnerability
Subscriber SQL Injection in WC Vendors Marketplace = 2.6.8 versions...
EUVD-2026-39368
Subscriber SQL Injection in WC Vendors Marketplace = 2.6.8 versions...
CVE-2026-54838
CVE-2026-54838 affects WordPress WC Vendors Marketplace plugin up to version 2.6.8. The description documents a subscriber SQL injection vulnerability (no explicit root cause details provided). CVSS 3.1 base score 8.5 (HIGH) with network attack vector, low attack complexity, privileges required: ...
CVE-2026-55570
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields name, version, author, description when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is...
CVE-2026-55570
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-55570 SiYuan: Stored XSS results to Electron RCE in SiYuan marketplace via unescaped `data-obj` attribute (Bypass for CVE-2026-45375's patch)
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, it does not escape the untrusted fields name, version, author, description when they are serialized into the data-obj HTML attribute of each marketplace card. Because the attribute is single-quoted and the value is...
DoJ Seizes Huione Cloud Account Tied to Cyber Scam Money Laundering
The U.S. Department of Justice DoJ on Tuesday announced the seizure of a cloud computing account put to use by subsidiaries of Cambodia-based corporate conglomerate HuiOne Group, as the Treasury unveiled fresh sanctions against nine individuals and 26 entities linked to Prince Group. "These...
CVE-2026-56395
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...