CVE-2026-45697

Formie is a Craft CMS plugin for creating forms. Prior to 2.2.20 and 3.1.24, unauthenticated users could submit crafted values into Hidden fields with Default value → Custom that were evaluated as Twig during submission handling, which could lead to serious compromise of the Craft site depending ...

CVE-2026-44848

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, The Docker plugin management endpoints /plugins/ were not registered...

WordPress ZeM STL plugin <= 1.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Gilang - DJ in WordPress Plugin ZeM STL versions = 1.0...

WordPress BirdSeed plugin <= 2.2.0 - Cross-Site Request Forgery vulnerability

Cross-Site Request Forgery vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin BirdSeed versions = 2.2.0...

WordPress Word Replacer plugin <= 0.4 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by san6051 - COFFSec in WordPress Plugin Word Replacer versions = 0.4...

WordPress WP Nano AD plugin <= 1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting vulnerability

Authenticated Administrator+ Stored Cross-Site Scripting vulnerability discovered by siyuan shao in WordPress Plugin WP Nano AD versions = 1.31...

WordPress DeMomentSomTres Shortcodes plugin <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin DeMomentSomTres Shortcodes versions = 1.1.1...

WordPress Remove NoFollow Commenter URL plugin <= 1.0 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by swat in WordPress Plugin Remove NoFollow Commenter URL versions = 1.0...

WordPress Google Plus One Bottom plugin <= 0.0.2 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by swat in WordPress Plugin Google Plus One Bottom versions = 0.0.2...

WordPress Laiser Tag plugin <= 1.2.5 - Cross-Site Request Forgery to Plugin Settings Update vulnerability

Cross-Site Request Forgery to Plugin Settings Update vulnerability discovered by swat in WordPress Plugin Laiser Tag versions = 1.2.5...

WordPress Remove meta boxes per user role plugin <= 1.01 - Cross-Site Request Forgery to Settings Update vulnerability

Cross-Site Request Forgery to Settings Update vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin Remove meta boxes per user role versions = 1.01...

WordPress Kirki plugin 6.0.0-6.0.6 - Unauthenticated Privilege Escalation via 'handle_forgot_password' vulnerability

Unauthenticated Privilege Escalation via 'handleforgotpassword' vulnerability discovered by CHOIGYEONGMIN in WordPress Plugin Kirki – Freeform Page Builder, Website Builder & Customizer versions 6.0.0-6.0.6...

CVE-2026-42678

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in Liquid Web / StellarWP GiveWP allows DOM-Based XSS. This issue affects GiveWP: from n/a through 4.14.5...

CVE-2026-42674

Authentication Bypass by Spoofing vulnerability in AAM Plugin Advanced Access Manager allows URL Encoding. This issue affects Advanced Access Manager: from n/a through 7.1.0...

rubygem-katello: Katello: Denial of Service and potential information disclosure via SQL injection

A flaw was found in the Katello plugin for Red Hat Satellite. This vulnerability, caused by improper sanitization of user-provided input, allows a remote attacker to inject arbitrary SQL commands into the sortby parameter of the /api/hosts/bootcimages API endpoint. This can lead to a Denial of...

OPENSUSE-SU-2026:20856-1 Security update for shadowsocks-v2ray-plugin

This update for shadowsocks-v2ray-plugin fixes the following issues: Changes in shadowsocks-v2ray-plugin: - Update version to 5.49.0 Update v2ray-core to 5.49.0 Update grpc to 1.81.1 boo1260328 and CVE-2026-33186 - Update version to 5.44.1 Update v2ray-core to v5.44.1 - Update version to 5.41.0...

CVE-2026-9757

The GEO my WP plugin for WordPress is vulnerable to SQL Injection via the 'swlatlng' and 'nelatlng' parameters in all versions up to, and including, 4.5.5 The parameters are read from $SERVER'QUERYSTRING' via parsestr bypassing WordPress's wpmagicquotes protection, which only covers...

CVE-2026-7459

The Simple History – Track, Log, and Audit WordPress Changes plugin for WordPress is vulnerable to authenticated Subscriber+ account takeover in all versions up to, and including, 5.26.0 via the event reaction endpoints reacttoevent / unreacttoevent. The endpoints register getitemspermissionschec...

Unauthenticated Privilege Escalation Vulnerability Patched in Kirki WordPress Plugin

On May 4th, 2026, we received a submission for an Unauthenticated Privilege Escalation vulnerability in the Kirki WordPress plugin. Although the plugin has more than 500,000 active installations, we estimate that only around 150,000 sites are using a vulnerable version, as the issue was introduce...

Malicious Package

Overview peertube-plugin-google-analytics-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization an...