16 matches found
PT-2026-23439
Name of the Vulnerable Software and Affected Versions: Backstage versions prior to 3.1.4 Description: Backstage is a framework for building developer portals. A malicious scaffolder template can bypass the log redaction mechanism, potentially exposing secrets provided through task event logs. The...
CVE-2026-26207 Discourse's discourse-policy plugin lacks post access check
Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, discourse-policy plugin allows any authenticated user to interact with policies on posts they do not have permission to view. The PolicyController loads posts by ID without verifying the current...
EUVD-2022-41822
Malicious code in bioql PyPI...
PT-2025-26912 · WordPress · Simple User Registration
Name of the Vulnerable Software and Affected Versions: The Simple User Registration plugin for WordPress versions up to, and including, 6.3 Description: The issue is due to insufficient restrictions on user meta values that can be supplied during registration, making it possible for unauthenticat...
Claude Code Improper Authorization via websocket connections from arbitrary origins
Claude Code extensions in VSCode and forks (e.g., Cursor, Windsurf, and VSCodium) and JetBrains IDEs (e.g., IntelliJ, PyCharm, and Android Studio) are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions...
CVE-2025-49000 InvenTree has uncontrolled memory allocation via built-in label-sheet plugin
InvenTree is an Open Source Inventory Management System. Prior to version 0.17.13, the skip field in the built-in label-sheet plugin lacks an upper bound, so a large value forces the server to allocate an enormous Python list. This lets any authenticated label-printing user trigger a...
PT-2025-23374 · WordPress · Psw Front-End Login & Registration
Name of the Vulnerable Software and Affected Versions: PSW Front-end Login & Registration plugin for WordPress versions up to, and including, 1.12 Description: The issue is related to Privilege Escalation due to a weak, low-entropy OTP mechanism used in the forget function. This allows...
PT-2025-22337 · WordPress · Wp Youtube Video Optimizer
Name of the Vulnerable Software and Affected Versions: WP YouTube Video Optimizer plugin for WordPress versions up to, and including, 1.2 Description: The issue is related to Stored Cross-Site Scripting via the plugin's 'ib youtube' shortcode due to insufficient input sanitization and output...
CVE-2022-39355
Discourse Patreon enables synchronization between Discourse Groups and Patreon rewards. On sites with Patreon login enabled, an improper authentication vulnerability could be used to take control of a victim's forum account. This vulnerability is patched in commit number...
CVE-2023-45288 affecting package sriov-network-device-plugin for versions less than 3.6.2-3
CVE-2023-45288 affecting package sriov-network-device-plugin for versions less than 3.6.2-3. A patched version of the package is available...
CVE-2024-4039 Orders Tracking for WooCommerce <= 1.2.10 - Unauthenticated Arbitrary Shortcode Execution
The Orders Tracking for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.10. This is due to the plugin allowing users to execute an action that does not properly validate a value before running do_shortcode...
PHP Object Injection Vulnerability in Booking Calendar Plugin
On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations. We received a response the same day and sent over our full disclosure ear...
PT-2022-18858 · Jenkins · Jenkins Tests Selector Plugin +1
Name of the Vulnerable Software and Affected Versions: Jenkins Tests Selector Plugin versions 1.3.3 and earlier Description: The issue results in a stored cross-site scripting XSS vulnerability. This occurs because the Properties File Path option for Choosing Tests parameters is not properly...
Solaris 10 (sparc) : 125332-24 (deprecated)
JDS 3: Macromedia Flash Player Plugin Patch. Date this patch was last updated by Sun : May/21/12 This plugin has been deprecated and either replaced with individual 125332 patch-revision plugins, or deemed non-security related. %NASL_MIN_LEVEL 70300 (C) Tenable Network Security, Inc. @DEPRECATED@...
Solaris 5.9 (sparc) : 117875-05
Application Server 7.1: Proxy Plugin Patch. Date this patch was last updated by Sun : Feb/27/06 %NASL_MIN_LEVEL 999999 @DEPRECATED@ This script has been deprecated as the associated patch is not currently a recommended security fix. Disabled on 2011/09/17. (C) Tenable Network Security, Inc. if !...
Solaris 8 (sparc) : 116292-14
Sun One Application Server 7.0: Proxy Plugin Patch. Date this patch was last updated by Sun : Oct/08/04 %NASL_MIN_LEVEL 70300 (C) Tenable Network Security, Inc. The descriptive text in this plugin was extracted from the Oracle SunOS Patch Updates. include("deprecated_nasl_level.inc"); include("compat.inc");...