Schools Alert Management Script - Arbitrary File Read

Schools Alert Management Script is susceptible to an arbitrary file read vulnerability via the f parameter in img.php, aka absolute path traversal. id: CVE-2018-12054 info: name: Schools Alert Management Script - Arbitrary File Read author: wisnupramoedya severity: high description: Schools Alert...

EUVD-2026-38167

Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...

EUVD-2026-38118

Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data including user IDs,...

CVE-2026-56267

Flowise prior to version 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint. The endpoint returns full user objects including PII to unauthenticated attackers, enabling enumeration of valid email addresses and harvesting of sensitive data su...

CVE-2026-10034 WP DSGVO Tools (GDPR) <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure via subject-access-request AJAX Endpoint (process_now/is_ajax Parameters)

The WP DSGVO Tools GDPR plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.39. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to supply an...

WordPress WP DSGVO Tools (GDPR) plugin <= 3.1.39 - Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure vulnerability

Missing Authorization to Unauthenticated Sensitive Personal Data Disclosure vulnerability discovered by kalomba - KAPENTEST in WordPress Plugin WP DSGVO Tools GDPR versions = 3.1.39...

EUVD-2026-37839

The FireBox Popups – Increase Sales and Grow Your Email List plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.7 via the 'formid' parameter. This makes it possible for unauthenticated attackers to extract download a full CSV export of a...

The FCC Wants to Eliminate Burner Phones

A proposed FCC rule would kill burner phones: phones whose accounts are not attached to a particular person. The FCC plans to do this by legally forcing the country's telecoms to store a wealth of personal information about essentially all phone customers, including a government issued...

CVE-2026-8386

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

CVE-2026-8386 WP Go Maps < 10.0.10 - Unauthenticated Sensitive Information Disclosure via Marker ID

The WP Go Maps WordPress plugin before 10.0.10 does not perform any approval-state filtering on its public single-marker REST endpoint, allowing unauthenticated users to retrieve marker records that an administrator has not yet approved for public display, including any PII placed in the address...

Exploit for Authorization Bypass Through User-Controlled Key in Saleor

CVE-2026-24136 - Saleor GraphQL IDOR / Unauthenticated PII Exf...

WordPress Magic Export & Import plugin < 1.2.0 - Unauthenticated PII Disclosure vulnerability

Unauthenticated PII Disclosure vulnerability discovered by Hoang Phuong in WordPress Plugin Magic Export & Import versions 1.2.0...

PostgreSQL Anonymizer SQL注入漏洞

PostgreSQL Anonymizer is an open-source extension developed by DALIBO in France, designed to mask or replace personally identifiable information PII or commercially sensitive data in PostgreSQL databases. PostgreSQL Anonymizer has a SQL injection vulnerability. This vulnerability arises from...

UNC3753 Used Vishing and Physical Intrusions in U.S. Data Theft Extortion Campaign

Cybersecurity researchers have disclosed details of a financially motivated data theft extortion campaign that has targeted dozens of organizations across professional, legal, and financial services in the U.S. between January and May 2026. The activity has been attributed by Google Mandiant and...

CVE-2026-8611 Klamra Paycal for Aspaclaria <= 1.1.4 - Insecure Direct Object Reference to Authenticated (Subscriber+) Sensitive Information Exposure via 'invoice_id' Parameter

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVE-2026-8611

The Klamra Paycal for Aspaclaria plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.1.4 via the 'invoiceid' parameter due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with...

CVE-2025-67223

The Aranda File Server AFS component in Aranda Software Aranda Service Desk before 8.3.12 stores daily activity logs with predictable names in a publicly accessible directory, which allows unauthenticated remote attackers to obtain direct virtual paths of uploaded files and bypass access controls...

CVE-2026-37428

qihang-wms commit 75c15a was discovered to contain a SQL injection vulnerability via the datascope parameter in the SysDeptMapper.xml file. This vulnerability allows attackers to access sensitive database information, including users' Personally Identifiable Information PII...

CVE-2026-34233

CtrlPanel is open-source billing software for hosting providers. In versions 1.1.1 and prior, multiple admin controllers expose DataTable endpoints without authorization checks, allowing any authenticated user to access sensitive administrative data that should be restricted to administrators onl...