
93020 matches found

NVD
added 2026/02/18 10:16 p.m. | 7 views

CVE-2026-27176

MajorDoMo aka Major Domestic Module contains a reflected cross-site scripting XSS vulnerability in command.php. The $qry parameter is rendered directly into the HTML page without sanitization via htmlspecialchars, both in an input field value attribute and in a paragraph element. An attacker can...

CVSS 6.1 | EPSS 0.00095
Exploits 1 | References 3

NVD
added 2026/02/18 10:16 p.m. | 8 views

CVE-2026-27175

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

CVSS 9.8 | EPSS 0.25968
Exploits 3 | References 3

Vulnrichment
added 2026/02/18 9:10 p.m. | 3 views

CVE-2026-27175 MajorDoMo Command Injection in rc/index.php via Race Condition

MajorDoMo aka Major Domestic Module is vulnerable to unauthenticated OS command injection via rc/index.php. The $param variable from user input is interpolated into a command string within double quotes without sanitization via escapeshellarg. The command is inserted into a database queue by...

CVSS 9.8 | AI score 6.6 | EPSS 0.25968
Exploits 3 | References 3

CVE
added 2026/02/18 9:10 p.m. | 25 views

CVE-2026-27174

CVE-2026-27174 affects MajorDoMo. An include-order bug in modules/panel.class.php lets unauthenticated users reach the admin panel’s PHP console, with execution continuing into inc_panel_ajax.php after a redirect that lacks an exit. The console handler passes GET parameters (via register_globals)...

CVSS 9.8 | AI score 6.9 | EPSS 0.85411
In wild | Exploits 4 | References 3 | Affected Software 1

Patchstack
added 2026/02/18 8:49 p.m. | 6 views

WordPress WP All Export plugin <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling vulnerability

Unauthenticated Sensitive Information Exposure via PHP Type Juggling vulnerability discovered by Vincent Theriault-Laine in WordPress Plugin Export any WordPress data to XML/CSV versions <= 1.4.14...

CVSS 3.7 | AI score 5.6 | EPSS 0.00094
Exploits 0 | References 1 | Affected Software 1

NVD
added 2026/02/18 6:24 p.m. | 4 views

CVE-2025-70151

code-projects Scholars Tracking System 1.0 allows an authenticated attacker to achieve remote code execution via unrestricted file upload. The endpoints updateprofilepicture.php and uploadpicture.php store uploaded files in a web-accessible uploads/ directory using the original, user-supplied...

CVSS 8.8 | EPSS 0.00337
Exploits 1 | References 2

OSV
added 2026/02/18 5:21 p.m. | 5 views

CVE-2025-70147

Missing authentication in /admin/student.php and /admin/teacher.php in ProjectWorlds Online Time Table Generator 1.0 allows remote attackers to obtain sensitive information including plaintext password field values via direct HTTP GET requests to these endpoints without a valid session...

CVSS 7.5 | AI score 5.9 | EPSS 0.00281
Exploits 1 | References 2

NVD
added 2026/02/18 4:22 p.m. | 3 views

CVE-2025-65791

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php...

CVSS 9.8 | EPSS 0.00277
Exploits 2 | References 1

UbuntuCve
added 2026/02/18 4:22 p.m. | 4 views

CVE-2025-65791

ZoneMinder v1.36.34 is vulnerable to Command Injection in web/views/image.php. The application passes unsanitized user input directly to the exec function. NOTE: this is disputed by the Supplier because there is no unsanitized user input to web/views/image.php...

CVSS 9.8 | AI score 5.8 | EPSS 0.00277
Exploits 2 | References 2

NVD
added 2026/02/18 3:18 p.m. | 6 views

CVE-2026-1426

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcodecheck function within the Live Composer compatibility layer. This makes it possible for authenticated...

CVSS 8.8 | EPSS 0.00097
Exploits 0 | References 6

Cvelist
added 2026/02/18 2:24 p.m. | 23 views

CVE-2026-1426 Advanced AJAX Product Filters <= 3.1.9.6 - Authenticated (Author+) PHP Object Injection via Live Composer Compatibility

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcodecheck function within the Live Composer compatibility layer. This makes it possible for authenticated...

CVSS 8.8 | EPSS 0.00097
Exploits 0 | References 6

Vulnrichment
added 2026/02/18 2:24 p.m. | 6 views

CVE-2026-1426 Advanced AJAX Product Filters <= 3.1.9.6 - Authenticated (Author+) PHP Object Injection via Live Composer Compatibility

The Advanced AJAX Product Filters plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 3.1.9.6 via deserialization of untrusted input in the shortcodecheck function within the Live Composer compatibility layer. This makes it possible for authenticated...

CVSS 8.8 | AI score 6.1 | EPSS 0.00097
Exploits 0 | References 6

Tenable Product Security Advisories
added 2026/02/18 1:32 p.m. | 7 views

[R2] Security Center Version 6.8.0 Fixes Multiple Vulnerabilities

Arnie Cabral, Wed, 02/18/2026 - 08:32. Security Center leverages third-party software to help provide underlying functionality. Several of the third-party components (libssh, postgresql) were found to contain vulnerabilities, and updated...

CVSS 8.8 | AI score 5.8 | EPSS 0.00147
Exploits 0

NVD
added 2026/02/18 1:16 p.m. | 5 views

CVE-2026-1317

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS 6.5 | EPSS 0.00038
Exploits 0 | References 4

Patchstack
added 2026/02/18 1:3 p.m. | 5 views

WordPress Valenti theme <= 5.6.3.5 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by João Pedro S Alcântara Kinorth in WordPress Theme Valenti versions <= 5.6.3.5...

CVSS 8.8 | AI score 5.5 | EPSS 0.00071
Exploits 0 | Affected Software 1

Cvelist
added 2026/02/18 12:28 p.m. | 23 views

CVE-2026-1582 WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison == instead of strict...

CVSS 3.7 | EPSS 0.00094
Exploits 0 | References 3

Vulnrichment
added 2026/02/18 12:28 p.m. | 3 views

CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS 6.5 | AI score 6 | EPSS 0.00038
Exploits 0 | References 4

Cvelist
added 2026/02/18 12:28 p.m. | 20 views

CVE-2026-1317 WP Import – Ultimate CSV XML Importer for WordPress <= 7.37 - Authenticated (Subscriber+) SQL Injection via File Name

The WP Import – Ultimate CSV XML Importer for WordPress plugin for WordPress is vulnerable to SQL Injection in all versions up to, and including, 7.37. This is due to insufficient escaping on the filename parameter which is stored in the database during file upload and later used in raw SQL queri...

CVSS 6.5 | EPSS 0.00038
Exploits 0 | References 4

CVE
added 2026/02/18 12:28 p.m. | 8 views

CVE-2026-1582

The vulnerability CVE-2026-1582 affects the WordPress plugin WP All Export up to version 1.4.14. A PHP type juggling flaw in the security token comparison (loose ==) allows an unauthenticated attacker to bypass authentication via “magic hash” values when the MD5 prefix matches the pattern ^0e\d+...

CVSS 3.7 | AI score 5.6 | EPSS 0.00094
Exploits 0 | References 3

Vulnrichment
added 2026/02/18 12:28 p.m. | 5 views

CVE-2026-1582 WP All Export <= 1.4.14 - Unauthenticated Sensitive Information Exposure via PHP Type Juggling

The WP All Export plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.14 via the export download endpoint. This is due to a PHP type juggling vulnerability in the security token comparison which uses loose comparison == instead of strict...

CVSS 3.7 | AI score 5.6 | EPSS 0.00094
Exploits 0 | References 3