WordPress LiveSmart Video Chat Live Video Chat plugin <= 1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin LiveSmart Video Chat Live Video Chat versions = 1.2...

WordPress Smart Online Order for Clover plugin <= 1.6.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by she11f in WordPress Plugin Smart Online Order for Clover versions = 1.6.0...

EUVD-2026-32586

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVE-2026-45061

CVE-2026-45061 : Budibase (open-source low-code platform) remains vulnerable to SSRF due to a trivial substring URL check in the Plugin URL upload endpoint (/api/plugin). Before 3.35.10, the code validates only that the URL contains “.tar.gz” anywhere in the string (path, query, or fragment). The...

CVE-2026-45061

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVE-2026-45061 Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

CVE-2026-45061 Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)

Budibase is an open-source low-code platform. Prior to 3.35.10, the Plugin URL upload endpoint POST /api/plugin validates the submitted URL with a single substring check: url.includes".tar.gz". Any URL containing .tar.gz anywhere in the string — in the path, query string, or fragment — passes thi...

EUVD-2026-32311

Missing Authorization vulnerability in WebToffee Product Import Export for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Import Export for WooCommerce: from n/a through 2.5.6...

CVE-2022-41656

Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Account Manager for WooCommerce: from n/a through 2.1.2...

CVE-2022-41656 WordPress Account Manager for WooCommerce plugin <= 2.1.2 - Broken Access Control vulnerability

Missing Authorization vulnerability in Bizswoop Account Manager for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Account Manager for WooCommerce: from n/a through 2.1.2...

CVE-2026-9674

A cross-site request forgery CSRF vulnerability in Jenkins Multijob Plugin 662.vd2e0001f6bbd and earlier allows attackers to resume failed Multijob builds...

CVE-2026-6957

Mattermost Plugins versions =1.1.5 fail to sanitize filenames received from federated peers before using them to construct export destination paths, which allows an administrator of a remote federated Mattermost server to write files to arbitrary locations within the target server's filestore via...

CVE-2026-48924

Jenkins Bitbucket OAuth Plugin 0.17 and earlier does not restrict the redirect URL after login, allowing attackers to perform phishing attacks...

CVE-2026-48925

A cross-site request forgery CSRF vulnerability in Jenkins GitHub Integration Plugin 0.7.3 and earlier allows attackers to attackers to trigger a build for a pull request...

CVE-2026-49045

Missing Authorization vulnerability in WP Media Adminimize allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Adminimize: from n/a through 1.11.11...

CVE-2026-48926

Jenkins Job Import Plugin 143.v044a2e819b27 and earlier does not perform a permission check in an HTTP endpoint, allowing attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins...

CVE-2026-48927

Jenkins buildgraph-view Plugin 1.8 and earlier does not escape the build URL, resulting in a stored cross-site scripting XSS vulnerability exploitable by attackers able to configure jobs or views...

CVE-2026-48922

Jenkins Credentials Binding Plugin 720.v3f6decef43ea and earlier does not properly sanitize file names for file and zip file credentials, allowing attackers able to provide credentials to a job to write files to arbitrary locations on the node filesystem, which can lead to remote code execution i...

CVE-2026-48920

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier allows inlining images as base64 in email content by setting the data-inline attribute, without restrictions on the image URLs that can be inlined, allowing attackers able to control the email content to specify file: URLs for images t...

CVE-2026-48916

Jenkins LDAP Plugin 807.v7d7de30930cf and earlier follows LDAP referrals...