CVE-2026-9189

The Contact Form 7 – PayPal & Stripe Add-on plugin for WordPress is vulnerable to Payment Bypass via Insufficient Verification of Data Authenticity in all versions up to, and including, 2.4.9. Although cf7pppaypalipnhandler correctly validates IPN authenticity by posting back to PayPal with...

CVE-2024-39836

Mattermost versions 9.9.x = 9.9.1, 9.5.x = 9.5.7, 9.10.x = 9.10.0 and 9.8.x = 9.8.2 fail to ensure that remote/synthetic users cannot create sessions or reset passwords, which allows the munged email addresses, created by shared channels, to be used to receive email notifications and to reset...

Design/Logic Flaw

Flarum is a forum software for building communities. Using the notifications feature, one can read restricted/private content and bypass access checks that would be in place for such content. The notification-sending component does not check that the subject of the notification can be seen by the...

FBI server hijacked to send up to 100,000 bogus attack mails

If you received a scary missive from what appears to be from the FBI over the last few days, youre not alone. The emails, which may have reached as many as 100,000 people, blamed a fictitious cyberattack on an innocent party. The mail read as follows: Our intelligence monitoring indicates...

Authentication flaw

An issue was discovered in the Infosysta "In-App & Desktop Notifications" app 1.6.13J8 for Jira. By using plugins/servlet/nfj/PushNotification?username= with a modified username, a different user's notifications can be read without authentication/authorization. These notifications are then no...