28 matches found

RedhatCVE
added yesterday

CVE-2026-41206

PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. Prior to version 0.1.8, the blocklist implemented in...

CVSS 7.8, AI score 6.2, EPSS 0.00021
Exploits: 1, References: 1
RedhatCVE
added 2026/03/26 3:1 p.m.

CVE-2026-33139

PySpector is a static analysis security testing (SAST) framework engineered for modern Python development workflows. PySpector versions 0.1.6 and prior are affected by a security validation bypass in the plugin system. The validateplugincode function in pluginsystem.py performs static AST analysis...

CVSS 8.3, AI score 5.9, EPSS 0.00039
Exploits: 1, References: 1
Github Security Blog
added 2026/03/18 4:33 p.m.

PySpector has a Plugin Sandbox Bypass leads to Arbitrary Code Execution

Summary: PySpector versions <= 0.1.6 are affected by a security validation bypass in the plugin system. The validateplugincode function in pluginsystem.py performs static AST analysis to block dangerous API calls before a plugin is trusted and executed. However, the internal resolvename helper onl...

CVSS 8.3, AI score 6.3, EPSS 0.00039
Exploits: 1, References: 3, Affected Software: 1
Positive Technologies
added 2026/03/18 12:0 a.m.

PT-2026-26196

Name of the vulnerable software and affected versions: PySpector versions 0.1.6 and prior. Description: PySpector, a static analysis security testing framework for Python development, is affected by a security validation bypass in its plugin system. The validate plugin code function in plugin...

CVSS 8.3, AI score 6.4, EPSS 0.00039
Exploits: 1, References: 6
Veracode
added 2024/09/09 4:12 a.m.

Path Traversal

Stripe-CLI is vulnerable to path traversal. The vulnerability is due to improper validation of plugin shortnames in the manifest when installing plugins using the --archive-url or --archive-path flags, allowing an attacker to overwrite arbitrary files on the system by exploiting the path traversa...

CVSS 7.5, AI score 6.7, EPSS 0.00116
Exploits: 0, References: 3, Affected Software: 1
WPVulnDB
added 2023/12/11 12:0 a.m.

Spectra < 2.7.10 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.5, AI score 5.8, EPSS 0.00124
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/11/23 12:0 a.m.

CBX Map for Google Map & OpenStreetMap < 1.1.12 - Contributor+ Stored XSS via shortcode

Description: The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.5, AI score 5.5, EPSS 0.0009
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/11/17 12:0 a.m.

Icons Font Loader < 1.1.3 - Admin+ Arbitrary File Upload

Description: The plugin does not properly validate files to be uploaded, allowing high-privilege users such as admins to upload arbitrary files to the server...

CVSS 7.2, AI score 7.1, EPSS 0.05869
Exploits: 0, Affected Software: 1
WPVulnDB
added 2023/11/10 12:0 a.m.

Apollo13 Framework Extensions < 1.9.1 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.4, AI score 5.7, EPSS 0.00155
Exploits: 0, Affected Software: 1
WPVulnDB
added 2023/10/24 12:0 a.m.

AI ChatBot < 4.9.1 - Subscriber+ Arbitrary File Deletion

Description: The plugin does not properly validate files to be deleted in the qcldopenaideletetrainingfile function, allowing users with roles as low as subscriber to delete arbitrary files on the server...

CVSS 9.6, AI score 6.2, EPSS 0.00308
Exploits: 2, References: 1, Affected Software: 1
WPVulnDB
added 2023/09/29 12:0 a.m.

Stock Quotes List <= 2.9.11 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.5, AI score 5.7, EPSS 0.00077
Exploits: 0, References: 1
WPVulnDB
added 2023/09/29 12:0 a.m.

Goods Catalog <= 2.4.1 - Contributor+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks...

CVSS 6.5, AI score 5.7, EPSS 0.00077
Exploits: 0, References: 1
WPVulnDB
added 2023/09/27 12:0 a.m.

Slimstat Analytics < 5.0.9 - Admin+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...

CVSS 5.9, AI score 5.6, EPSS 0.00127
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/09/18 12:0 a.m.

nuajik CDN <= 0.1.0 - Admin+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...

CVSS 5.9, AI score 5.6, EPSS 0.00083
Exploits: 0
WPVulnDB
added 2023/09/06 12:0 a.m.

WRC Pricing Tables < 2.3.9 - Admin+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the admin role and above to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example, in a multisite setup)...

CVSS 5.9, AI score 5.6, EPSS 0.00079
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/08/14 12:0 a.m.

a3 Portfolio < 3.1.1 - Author+ Stored XSS

Description: The plugin does not validate and escape some parameters, which could allow users with the author role and above to perform Stored Cross-Site Scripting attacks...

CVSS 5.9, AI score 4.9, EPSS 0.00079
Exploits: 0, Affected Software: 1
WPVulnDB
added 2023/06/07 12:0 a.m.

Directorist < 7.5.5 - Subscriber+ Insecure Direct Object Reference to Arbitrary Post Deletion

The plugin does not properly validate that users are authorized to delete a given listing, or that it is a listing at all, making it possible for less-privileged users like subscribers to delete posts...

CVSS 6.5, AI score 6.8, EPSS 0.00106
Exploits: 2, References: 1, Affected Software: 1
WPVulnDB
added 2023/05/30 12:0 a.m.

Display post meta, term meta, comment meta, and user meta <= 0.4.1 - Contributor+ Stored Cross-Site Scripting

The plugin does not validate and escape post metadata before outputting it back into the page, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks, which could be used against high-privilege users such as admins...

CVSS 6.4, AI score 5.9, EPSS 0.00201
Exploits: 0, References: 1, Affected Software: 1
WPVulnDB
added 2023/02/14 12:0 a.m.

Ocean Extra < 2.1.3 - Contributor+ Stored XSS

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC note: This requires the OceanWP theme to...

AI score 1.2
Exploits: 0, Affected Software: 1
WPVulnDB
added 2023/01/26 12:0 a.m.

Download Video Sidebar Widgets <= 6.1 - Contributor+ Stored XSS via Shortcode

The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embedded, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks. PoC: vsw source="youtube" id="3PdILZ1P74"...

CVSS 5.4, AI score 5, EPSS 0.00181
Exploits: 2, Affected Software: 1