CVE-2026-3328 Frontend Admin by DynamiApps <= 3.28.31 - Authenticated (Editor+) PHP Object Injection via 'post_content' of Admin Form Posts

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

CVE-2026-3328

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'postcontent' of adminform posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybeunserialize function without class restrictions on...

CVE-2026-3328

Affected: Frontend Admin by DynamiApps (WordPress). Vulnerable component: PHP deserialization of admin_form post_content via maybe_unserialize() with no class restrictions. Impact: authenticated attackers with Editor+ can inject a PHP Object; presence of a POP chain enables remote code execution....

CVE-2026-4484 Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator

The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepareobjectfordatabase' function. This makes it possible for...

CVE-2026-4484 Masteriyo LMS <= 2.1.6 - Missing Authorization to Authenticated (Student+) Privilege Escalation to Administrator

The Masteriyo LMS plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.1.6. This is due to the plugin allowing a user to update the user role through the 'InstructorsController::prepareobjectfordatabase' function. This makes it possible for...

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-33228

A flaw was found in flatted, a JavaScript Object Notation JSON parser designed for handling circular data structures. A remote attacker can exploit this vulnerability by providing specially crafted JSON input. The parse function in flatted fails to properly validate string values used as array...

CVE-2026-33942

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-33942

Saloon PHP library prior to version 4.0.0 deserializes OAuth token state via PHP unserialize() in AccessTokenAuthenticator::unserialize() with allowed_classes enabled. An attacker who controls the serialized data (e.g., by overwriting a cached token or injection) can submit a gadget object; upon ...

CVE-2026-33942 Saloon has insecure deserialization in AccessTokenAuthenticator (object injection / RCE)

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize in AccessTokenAuthenticator::unserialize to restore OAuth token state from cache or storage, with allowedclasses = true. An attacker who can control the serialized...

CVE-2026-33931

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference IDOR vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment...

PT-2026-28540

Name of the Vulnerable Software and Affected Versions convict versions 6.2.4 Description A prototype pollution issue exists in the convict npm package. The issue stems from an incomplete fix that attempted to prevent prototype pollution by checking if user input begins with a prohibited key...

WordPress plugin Frontend Admin by DynamiApps 代码问题漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...

OpenEMR 安全漏洞

OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0.3 contained security...

PT-2026-28193

The Frontend Admin by DynamiApps plugin for WordPress is vulnerable to PHP Object Injection via deserialization of the 'post content' of admin form posts in all versions up to, and including, 3.28.31. This is due to the use of WordPress's maybe unserialize function without class restrictions on...

PT-2026-28539

Name of the Vulnerable Software and Affected Versions Convict affected versions not specified Description The software contains two prototype pollution flaws not addressed by prior fixes. The first flaw exists in the config.load and config.loadFile functions, where the overlay function recursivel...

OpenEMR 安全漏洞

OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0.3 contained security...

WordPress plugin Masteriyo LMS 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

WordPress plugin Amelia Booking 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...