81 matches found
CVE-2026-3772 WP Editor <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'addpluginspage' and 'addthemespage' functions. This makes it possible for unauthenticated attackers to overwrite arbitrar...
CVE-2026-3772 WP Editor <= 1.2.9.2 - Cross-Site Request Forgery to Remote Code Execution via Plugin and Theme File Editor
The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'addpluginspage' and 'addthemespage' functions. This makes it possible for unauthenticated attackers to overwrite arbitrar...
PT-2026-36318
Name of the Vulnerable Software and Affected Versions WP Editor versions prior to 1.2.9.3 Description The WP Editor plugin for WordPress is susceptible to Cross-Site Request Forgery CSRF, a flaw where an attacker tricks a victim into performing actions they did not intend to. This occurs because...
CVE-2026-34787
Emlog is an open source website building system. In versions 2.6.2 and prior, a Local File Inclusion LFI vulnerability exists in admin/plugin.php at line 80. The $plugin parameter from the GET request is directly used in a requireonce path without proper sanitization. If the CSRF token check can ...
CVE-2026-23483
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly...
CVE-2026-23483 Blinko: Unauthorized Arbitrary File Read - /plugins
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly...
CVE-2026-23483 Blinko: Unauthorized Arbitrary File Read - /plugins
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly...
EUVD-2026-14535
Blinko is an AI-powered card note-taking project. In versions from 1.8.3 and prior, the plugin file server endpoint uses join to concatenate paths but does not verify if the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly...
PT-2026-27206
Name of the Vulnerable Software and Affected Versions Blinko versions prior to 1.8.3 Description Blinko is an AI-powered card note-taking project. The plugin file server endpoint uses the join function to concatenate paths but does not verify if the final path is within the plugins directory,...
Blinko 路径遍历漏洞
Blinko is an open-source AI-based card-based note-taking app designed for users who want to quickly capture and organize fleeting ideas. Versions of Blinko 1.8.3 and earlier contained a path traversal vulnerability. This vulnerability occurred because the plugin file server endpoint used the join...
GHSA-W7H5-55JG-CQ2F Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
Impact This is a remote code execution RCE vulnerability. Node.js automatically imports /.plugin.js,mjs files including those from nodemodules, so any malicious package with a .plugin.js file could execute arbitrary code when installed or required. All projects using this loading behavior are...
Unsafe Dependency Resolution
Overview @tygo-van-den-hurk/slyde is a Make beautifully animated Slydes and presentations from XML with ease! Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the automatic import process of /.plugin.js,mjs files from dependencies. An attacker can execute...
CVE-2023-4819
The Shared Files WordPress plugin before 1.7.6 does not return the right Content-Type header for the specified uploaded file. Therefore, an attacker can upload an allowed file extension injected with malicious scripts...
EUVD-2018-8755
Malware in sbrugna...
EUVD-2025-15257
Malicious code in bioql PyPI...
EUVD-2025-21034
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2024-26147
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Helm is a package manager for Charts for Kubernetes. Versions prior to 3.14.2 contain an uninitialized variable vulnerability when Helm parses index and plugin...
CVE-2025-7778
The CVE-2025-7778 entry concerns the Icons Factory WordPress plugin (versions up to and including 1.6.12). The vulnerability arises from missing authorization and improper path validation in delete_files(), enabling unauthenticated attackers to delete arbitrary server files (potentially including...
CVE-2025-5391
CVE-2025-5391 affects the WooCommerce Purchase Orders plugin for WordPress (versions ≤ 1.0.2). The vulnerability arises from insufficient file path validation in the delete_file() function, allowing authenticated attackers with Subscriber-level access or higher to delete arbitrary files on the se...
CVE-2025-54780
The CVE concerns the glpi-screenshot-plugin for GLPI. In versions