12 matches found

Vulnrichment
added 2026/06/06 5:30 p.m. · 7 views

CVE-2026-11440 theonedev REST API default-branch improper authorization

A vulnerability was determined in theonedev onedev up to 15.0.5. This affects an unknown part of the file /repositories/projectId/default-branch of the component REST API. This manipulation of the argument project.defaultBranch causes improper authorization. It is possible to initiate the attack...

CVSS 6.5 · AI score 6.3 · EPSS 0.00214
Exploits: 0 · References: 6

Patchstack
added 2025/08/16 1:52 a.m. · 5 views

WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability

WordPress WPGYM - Wordpress Gym Management System plugin <= 67.7.0 - Authenticated (Subscriber+) Local File Inclusion to Privilege Escalation via Password Update vulnerability discovered by WordFence in WordPress Plugin WPGYM versions <= 67.7.0...

CVSS 8.8 · AI score 6.8 · EPSS 0.00693
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/08/14 11:49 a.m. · 7 views

WordPress WP Pipes Plugin <= 1.4.3 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting (XSS) Vulnerability discovered by LVT-tholv2k in WordPress Plugin WP Pipes versions <= 1.4.3...

CVSS 7.1 · AI score 6 · EPSS 0.00221
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/06/12 10:47 a.m. · 3 views

WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerability

WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerability discovered by Phúc ton luoi in WordPress Plugin WPCRM - CRM for Contact form CF7 & WooCommerce versions <= 3.2.0...

CVSS 9.3 · AI score 7.8 · EPSS 0.0034
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/06/03 12:0 a.m. · 7 views

WordPress Sweet Dessert Theme < 1.1.13 is vulnerable to PHP Object Injection

Software: Sweet Dessert · Type: Theme · Vulnerable versions: < 1.1.13 · Fixed in: 1.1.13 · OWASP Top 10: A3: Injection · Classification: PHP Object Injection · CVE: CVE-2025-49073 · Patch priority: High · CVSS severity: High 9.8 · PSID: 3fb9eef0dd59 · Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...

CVSS 9.8 · AI score 6.8 · EPSS 0.00408
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/06/02 12:54 p.m. · 9 views

WordPress Uncanny Automator plugin <= 6.4.0.2 - Broken Access Control Vulnerability

Broken Access Control Vulnerability discovered by Denver Jackson in WordPress Plugin Uncanny Automator versions <= 6.4.0.2...

CVSS 9.8 · AI score 6.6 · EPSS 0.00264
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/05/21 12:0 a.m. · 5 views

WordPress Yozi Theme <= 2.0.52 is vulnerable to Local File Inclusion

Software: Yozi · Type: Theme · Vulnerable versions: <= 2.0.52 · Fixed in: N/A · OWASP Top 10: A3: Injection · Classification: Local File Inclusion · CVE: CVE-2025-32289 · Patch priority: High · CVSS severity: High 8.1 · PSID: 2bf3a4e4c4f4 · Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

CVSS 8.1 · AI score 6.8 · EPSS 0.00535
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/05/12 12:0 a.m. · 11 views

WordPress TheGem Theme <= 5.10.3 is vulnerable to Arbitrary File Upload

Software: TheGem · Type: Theme · Vulnerable versions: <= 5.10.3 · Fixed in: 5.10.3.1 · OWASP Top 10: A1: Injection · Classification: Arbitrary File Upload · CVE: CVE-2025-4317 · Patch priority: High · CVSS severity: High 8.8 · PSID: 9a2acfb1e3cd · Credits: Foxyyy · Required privilege: Subscriber · Published...

CVSS 8.8 · AI score 6.8 · EPSS 0.01055
Exploits: 1 · References: 2 · Affected Software: 1

Patchstack
added 2025/05/08 11:49 a.m. · 11 views

WordPress PSW Front-end Login & Registration plugin <= 1.13 - Broken Authentication Vulnerability

Broken Authentication Vulnerability discovered by LVT-tholv2k in WordPress Plugin PSW Front-end Login & Registration versions <= 1.13...

CVSS 9.8 · AI score 8.1 · EPSS 0.21747
Exploits: 3 · Affected Software: 1

Patchstack
added 2025/05/06 8:45 p.m. · 3 views

WordPress PeproDev Ultimate Profile Solutions plugin 1.9.1-7.5.2 - Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update

Missing Authorization to Limited Unauthenticated Arbitrary User Meta Update vulnerability discovered by kr0d in WordPress Plugin PeproDev Ultimate Profile Solutions versions 1.9.1-7.5.2...

CVSS 8.2 · AI score 8.3 · EPSS 0.00363
Exploits: 0 · References: 1 · Affected Software: 1

Patchstack
added 2025/04/17 12:0 a.m. · 3 views

WordPress Ivy School Theme <= 1.6.0 is vulnerable to Local File Inclusion

Software: Ivy School · Type: Theme · Vulnerable versions: <= 1.6.0 · Fixed in: 1.6.1 · OWASP Top 10: A3: Injection · Classification: Local File Inclusion · CVE: CVE-2025-39470 · Patch priority: High · CVSS severity: High 8.1 · PSID: 2982cc652634 · Credits: Bonds · Required privilege: Unauthenticated...

CVSS 8.1 · AI score 6.8 · EPSS 0.00554
Exploits: 0 · References: 1 · Affected Software: 1

Positive Technologies
added 2022/10/28 12:0 a.m. · 5 views

PT-2022-21875 · Eaton · Eaton Foreseer Epms

Name of the Vulnerable Software and Affected Versions: Eaton Foreseer EPMS versions 4.x through 7.5 Description: A security issue was discovered in the Eaton Foreseer EPMS software, which connects devices to reduce energy consumption and prevent unplanned downtime. The problem allows a threat act...

CVSS 9.8 · AI score 9.5 · EPSS 0.00345
Exploits: 0 · References: 3