730 matches found

NVD
added 2026/05/27 3:16 p.m. | 19 views

CVE-2026-6957

Mattermost Plugins versions =1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via...

CVSS 8 | EPSS 0.00296
Exploits: 0 | References: 1

CVE
added 2026/05/27 2:14 p.m. | 17 views

CVE-2026-9674

CVE-2026-9674 is a CSRF vulnerability in Jenkins Multijob Plugin (versions including 662.vd2e0001f6b_b_d and earlier) that allows an attacker to resume failed Multijob builds. The NVD/NVD-derived data attributes a CVSS v3.1 base score of 4.3 (Medium) with network attack vector, low attack complex...

CVSS 4.3 | AI score 5.7 | EPSS 0.00152
Exploits: 0 | References: 1 | Affected Software: 1

Cvelist
added 2026/05/27 2:13 p.m. | 44 views

CVE-2026-48927

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to configure jobs or views...

EPSS 0.00176
Exploits: 0 | References: 1

Patchstack
added 2026/05/25 9:6 p.m. | 14 views

WordPress Export WP Page to Static HTML/CSS plugin <= 6.0.0 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery (CSRF) vulnerability discovered by Nabil Irawan in WordPress Plugin Export WP Page to Static HTML/CSS versions <= 6.0.0...

CVSS 6.5 | AI score 5.8 | EPSS 0.0014
Exploits: 0 | Affected Software: 1

CNNVD
added 2026/05/25 12:0 a.m. | 8 views

WordPress plugin Sunshine Photo Cart security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 6.3 | AI score 5.8 | EPSS 0.00202
Exploits: 0 | References: 1

CNNVD
added 2026/05/25 12:0 a.m. | 9 views

WordPress plugin Newses security vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security vulnerabili...

CVSS 5.4 | AI score 5.8 | EPSS 0.00255
Exploits: 0 | References: 1

Patchstack
added 2026/05/21 7:20 p.m. | 6 views

WordPress FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin <= 2.9.87 - Unauthenticated Blind Server-Side Request Forgery vulnerability

Unauthenticated Blind Server-Side Request Forgery vulnerability discovered by Saleh Elsayed 0xManticore in WordPress Plugin Fluent CRM versions <= 2.9.87...

CVSS 5.4 | AI score 5.8 | EPSS 0.00645
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/05/19 12:6 p.m. | 10 views

WordPress BLOGCHAT Chat System plugin <= 1.3.6.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin BLOGCHAT Chat System versions <= 1.3.6.3...

CVSS 6.1 | AI score 5.8 | EPSS 0.00174
Exploits: 0 | References: 1 | Affected Software: 1

vulnersOsv
added 2026/05/18 9:0 p.m. | 6 views

@antv/f6 (>=0.0.16 <=0.0.19), @antv/f6-plugin (>=1.0.3 <=1.0.6) +5 more potentially affected by unknown CVE via @antv/f6-hammerjs (=0.0.1)

@antv/f6-hammerjs NPM version =0.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/f6-hammerjs and may be impacted: - @antv/f6 =0.0.16, =1.0.3, =0.0.11, =1.1.2-5.2, =2.0.1, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory:...

AI score 5.5
Exploits: 0

Patchstack
added 2026/05/12 3:28 p.m. | 14 views

WordPress Broadstreet plugin <= 1.53.1 - Authenticated (Admin+) Stored Cross-Site Scripting vulnerability

Authenticated (Admin+) Stored Cross-Site Scripting vulnerability discovered by greenhats - Student in WordPress Plugin Broadstreet Ads versions <= 1.53.1...

CVSS 4.4 | AI score 5.8 | EPSS 0.0019
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/05/12 12:0 a.m. | 7 views

WordPress Hostinger Reach – AI-Powered Email Marketing for WordPress plugin <= 1.3.8 - Missing Authorization to Authenticated (Subscriber+) Integration API Key Update vulnerability

Missing Authorization to Authenticated (Subscriber+) Integration API Key Update vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin Hostinger Reach AI-Powered Email Marketing for WordPress versions <= 1.3.8...

CVSS 5.3 | AI score 5.8 | EPSS 0.00302
Exploits: 0 | References: 1 | Affected Software: 1

CNNVD
added 2026/05/05 12:0 a.m. | 10 views

WordPress plugin Publish 2 Ping.fm cross-site request forgery vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. WordPres...

CVSS 6.1 | AI score 5.7 | EPSS 0.0012
Exploits: 0 | References: 1

Patchstack
added 2026/05/01 9:33 a.m. | 7 views

WordPress AI Bud – AI Content Generator, AI Chatbot, ChatGPT, Gemini, GPT-4o plugin <= 1.7.2 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin AiBud WP versions <= 1.7.2...

CVSS 6.1 | AI score 5.8 | EPSS 0.00276
Exploits: 0 | References: 1 | Affected Software: 1

vulnersOsv
added 2026/04/30 6:17 a.m. | 7 views

com.base2services.jenkins:github-sqs-plugin (>=1.0 <=1.5), com.elasticbox.jenkins-ci.plugins:elasticbox (>=4.0.9 <=4.1.6) +27 more potentially affected by CVE-2026-42523 via com.coravy.hudson.plugins.github:github (>=1.10 <=1.45.0)

com.coravy.hudson.plugins.github:github MAVEN version =1.10, =1.0, =4.0.9, =1.0-alpha-1, =1.27.17, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =634.v371dc6d978a3, =1.83.v5bff0e55cd2d, =1.3.0, =1.4.3 and more Source cves: CVE-2026-42523...

CVSS 9 | AI score 6 | EPSS 0.00281
Exploits: 0

ATTACKERKB
added 2026/04/24 7:45 a.m. | 3 views

CVE-2025-11762

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with...

CVSS 4.3 | AI score 5.2 | EPSS 0.00193
Exploits: 0 | References: 4

CVE
added 2026/04/24 7:45 a.m. | 18 views

CVE-2025-11762

The CVE-2025-11762 entry concerns the HubSpot All-In-One Marketing – Forms, Popups, Live Chat WordPress plugin. Affected versions are up to and including 11.3.32. The issue is a Sensitive Information Exposure vulnerability in leadin/public/admin/class-adminconstants.php, allowing authenticated at...

CVSS 4.3 | AI score 5.2 | EPSS 0.00193
Exploits: 0 | References: 3

Positive Technologies
added 2026/04/24 12:0 a.m. | 8 views

PT-2026-34861

The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/admin/class-adminconstants.php file. This makes it possible for authenticated attackers, with...

CVSS 4.3 | AI score 5.2 | EPSS 0.00193
Exploits: 0 | References: 5

Patchstack
added 2026/04/21 7:13 p.m. | 6 views

WordPress HTTP Headers plugin <= 1.19.2 - Authenticated (Administrator+) CRLF Injection vulnerability

Authenticated (Administrator+) CRLF Injection vulnerability discovered by Kai Aizen in WordPress Plugin HTTP Headers versions <= 1.19.2...

CVSS 5.5 | AI score 5.8 | EPSS 0.00474
Exploits: 0 | References: 1 | Affected Software: 1

Patchstack
added 2026/04/20 10:38 a.m. | 7 views

WordPress Tutor LMS plugin <= 3.9.7 - Broken Access Control vulnerability

Broken Access Control vulnerability discovered by lagi bljr in WordPress Plugin Tutor LMS versions <= 3.9.7...

AI score 5.8 | EPSS 0.00252
Exploits: 0 | Affected Software: 1

Patchstack
added 2026/04/19 11:18 p.m. | 5 views

WordPress Pz-LinkCard plugin <= 2.5.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin Pz-LinkCard versions <= 2.5.8.1...

CVSS 6.4 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1 | Affected Software: 1