224034 matches found

OSV
added 2026/06/12 7:27 p.m., 7 views

MAL-2026-5708 Malicious code in vite-svgr (npm)

Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...

AI score 5.6
Exploits: 0, References: 2
Patchstack
added 2026/06/12 7:20 p.m., 4 views

WordPress Page Builder: Pagelayer – Drag and Drop website builder plugin <= 2.0.9 - Incorrect Authorization to Authenticated (Contributor+) Mail Relay Configuration vulnerability

Incorrect Authorization to Authenticated Contributor+ Mail Relay Configuration vulnerability discovered by Drew Webber mcdruid in WordPress Plugin PageLayer versions <= 2.0.9...

CVSS 4.3, AI score 5.2, EPSS 0.00215
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2026/06/12 7:6 p.m., 4 views

WordPress Page Builder: Pagelayer – Drag and Drop website builder plugin <= 2.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by ? in WordPress Plugin PageLayer versions <= 2.0.9...

CVSS 6.4, AI score 5.2, EPSS 0.00163
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2026/06/12 7:4 p.m., 4 views

WordPress Canvas plugin <= 2.5.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha - DJ in WordPress Theme Canvas versions <= 2.5.2...

CVSS 6.4, AI score 5.2, EPSS 0.0021
Exploits: 0, References: 1, Affected Software: 1
OSSF Malicious Packages
added 2026/06/12 7:2 p.m., 6 views

Malicious code in eslint-plugin-mistica-local-rules (npm)

Source: amazon-inspector c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123 package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity os.hostname, os.platform,...

AI score 5.3
Exploits: 0, References: 1
OSV
added 2026/06/12 7:2 p.m., 6 views

MAL-2026-5703 Malicious code in eslint-plugin-mistica-local-rules (npm)

Source: amazon-inspector c1d21f50741178986b63d1f330373131c2f3f502a5b94e76ca921ce185fab123 package.json declares a preinstall hook that runs index.js automatically on npm install. index.js collects host identity os.hostname, os.platform,...

AI score 5.3
Exploits: 0, References: 1
Patchstack
added 2026/06/12 6:3 p.m., 4 views

WordPress Photo Gallery by FooGallery : Responsive Image Gallery, Masonry Gallery & Carousel plugin <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by Dmitrii Ignatyev - CleanTalk Inc in WordPress Plugin FooGallery versions <= 3.1.31...

CVSS 6.4, AI score 5.2, EPSS 0.00206
Exploits: 0, References: 1, Affected Software: 1
NVD
added 2026/06/12 5:16 p.m., 7 views

CVE-2026-6046

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

CVSS 5.3, EPSS 0.0019
Exploits: 0, References: 1
CVE
added 2026/06/12 3:52 p.m., 8 views

CVE-2026-6046

Mattermost CVE-2026-6046 affects multiple releases: 11.6.x up to 11.6.1, 11.5.x up to 11.5.4, and 10.11.x up to 10.11.16. The vulnerability arises from failing to validate that a username returned during bot registration belongs to a bot account, enabling an unprivileged attacker to intercept pri...

CVSS 5.3, AI score 5.3, EPSS 0.0019
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/06/12 3:52 p.m., 6 views

CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

CVSS 5.3, AI score 5.2, EPSS 0.0019
Exploits: 0, References: 1
Cvelist
added 2026/06/12 3:52 p.m., 25 views

CVE-2026-6046 Plugin bot username conflict allows user account to be used as bot identity in Mattermost Server

Mattermost versions 11.6.x <= 11.6.1, 11.5.x <= 11.5.4, 10.11.x <= 10.11.15, 10.11.x <= 10.11.16 fail to validate that a username returned during bot registration belongs to a bot account, which allows an unprivileged attacker to intercept private messages sent by plugins via direct message channels ...

CVSS 5.3, EPSS 0.0019
Exploits: 0, References: 1
Patchstack
added 2026/06/12 2:6 p.m., 4 views

WordPress LWS Optimize – All-in-One Speed Booster & Cache Tools plugin <= 3.3.19 - Authenticated (Editor+) Arbitrary File Read vulnerability

Authenticated Editor+ Arbitrary File Read vulnerability discovered by Omar Elshopky in WordPress Plugin LWS Optimize versions <= 3.3.19...

CVSS 4.9, AI score 5.2, EPSS 0.00346
Exploits: 0, References: 1, Affected Software: 1
Patchstack
added 2026/06/12 12:2 p.m., 5 views

WordPress FastDup plugin <= 2.7.2 - Path Traversal vulnerability

Path Traversal vulnerability discovered by R2D2 in WordPress Plugin FastDup versions <= 2.7.2...

CVSS 9.6, AI score 5.3, EPSS 0.0035
Exploits: 0, Affected Software: 1
Patchstack
added 2026/06/12 11:53 a.m., 4 views

WordPress JetEngine plugin <= 3.8.10 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by VanTastic in WordPress Plugin JetEngine versions <= 3.8.10...

CVSS 9.8, AI score 5.5, EPSS 0.00386
Exploits: 0, Affected Software: 1
Patchstack
added 2026/06/12 11:32 a.m., 5 views

WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Download vulnerability

Arbitrary File Download vulnerability discovered by Bonds in WordPress Plugin WordPress & WooCommerce Scraper Plugin, Import Data from Any Site versions <= 1.0.7...

CVSS 7.5, AI score 5.3, EPSS 0.00481
Exploits: 0, Affected Software: 1
Patchstack
added 2026/06/12 11:21 a.m., 5 views

WordPress WordPress & WooCommerce Scraper Plugin, Import Data from Any Site plugin <= 1.0.7 - Arbitrary File Upload vulnerability

Arbitrary File Upload vulnerability discovered by Denver Jackson in WordPress Plugin WordPress & WooCommerce Scraper Plugin, Import Data from Any Site versions <= 1.0.7...

CVSS 10, AI score 5.3, EPSS 0.00358
Exploits: 0, Affected Software: 1
Patchstack
added 2026/06/12 11:14 a.m., 8 views

WordPress BookPro plugin <= 1.1.0 - Arbitrary File Deletion vulnerability

Arbitrary File Deletion vulnerability discovered by Phat RiO in WordPress Plugin BookPro versions <= 1.1.0...

CVSS 8.6, AI score 5.3, EPSS 0.00511
Exploits: 0, Affected Software: 1
Patchstack
added 2026/06/12 8:31 a.m., 7 views

WordPress Fediverse Embeds plugin <= 1.5.7 - Unauthenticated SSRF vulnerability

Unauthenticated SSRF vulnerability discovered by 0xBassia in WordPress Plugin Fediverse Embeds versions <= 1.5.7...

CVSS 7.5, AI score 5.2, EPSS 0.00241
Exploits: 0, References: 1, Affected Software: 1
GithubExploit
added 2026/06/12 8:26 a.m., 64 views

Exploit for CVE-2026-49777

CVE-2026-49777 - ShapedPlugin Product Slider Pr...

CVSS 10, AI score 5.3, EPSS 0.01239
Exploits: 1
GithubExploit
added 2026/06/12 8:9 a.m., 53 views

Exploit for CVE-2026-8809

CVE-2026-8809 Advanced Custom Fields: Extended <= 0.9.2.5 -...

CVSS 9.8, AI score 5.6, EPSS 0.00493
Exploits: 1