
8226 matches found

CNNVD
added 2026/05/01 12:0 a.m. | 4 views

WordPress Multiple Products Cross-Site Scripting Vulnerability

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be added t...

CVSS 6.1 | AI score 5.7 | EPSS 0.00135
Exploits: 0 | References: 1

Positive Technologies
added 2026/05/01 12:0 a.m. | 1 views

PT-2026-36299

Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that...

CVSS 6.1 | AI score 6 | EPSS 0.00135
Exploits: 0 | References: 25

Wordfence Blog
added 2026/04/30 5:43 p.m. | 3 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 20, 2026 to April 26, 2026)

Last week, there were 158 vulnerabilities disclosed in 123 WordPress Plugins and 27 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

AI score 6
Exploits: 0

vulnersOsv
added 2026/04/30 3:30 p.m. | 2 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-7500 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

CVSS 5.4 | AI score 5.4 | EPSS 0.00029
Exploits: 0

vulnersOsv
added 2026/04/30 6:17 a.m. | 5 views

com.base2services.jenkins:github-sqs-plugin (>=1.0 <=1.5), com.elasticbox.jenkins-ci.plugins:elasticbox (>=4.0.9 <=4.1.6) +27 more potentially affected by CVE-2026-42523 via com.coravy.hudson.plugins.github:github (>=1.10 <=1.45.0)

com.coravy.hudson.plugins.github:github MAVEN version =1.10, =1.0, =4.0.9, =1.0-alpha-1, =1.27.17, =1.0-alpha-1, =1.0-alpha-1, =1.0.0, =1.0.0, =1.0-alpha-8, =1.0-alpha-4, =0.1-preview-4, =1.0-alpha-1, =634.v371dc6d978a3, =1.83.v5bff0e55cd2d, =1.3.0, =1.4.3 and more Source cves: CVE-2026-42523...

CVSS 9 | AI score 6 | EPSS 0.00049
Exploits: 0

vulnersOsv
added 2026/04/30 6:17 a.m. | 6 views

org.jenkins-ci.plugins:azure-ad (>=378.380.v545b_1154b_3fb_ <=457.vf85d61f83b_26), org.openshift.jenkins:openshift-login (>=1.1.0.227.v27e08dfb_1a_20 <=1.1.0.248.v1908df5c4f5e) potentially affected by CVE-2026-42521 via org.jenkins-ci.plugins:matrix-auth (>=3.1.10 <=3.2.1)

org.jenkins-ci.plugins:matrix-auth MAVEN version =3.1.10, =378.380.v545b1154b3fb, =1.1.0.227.v27e08dfb1a20, =1.1.0.248.v1908df5c4f5e Source cves: CVE-2026-42521 Source advisory: SNYK:JAVA-ORGJENKINSCIPLUGINS-16322871...

CVSS 6.5 | AI score 5.8 | EPSS 0.00085
Exploits: 0

RedHat Linux
added 2026/04/30 3:33 a.m. | 10 views

Important: Red Hat Security Advisory: containernetworking-plugins security update

An update for containernetworking-plugins is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

CVSS 10 | AI score 7.2 | EPSS 0.00045
Exploits: 3 | References: 5

CNNVD
added 2026/04/30 12:0 a.m. | 6 views

Halo Code Issue Vulnerability

Halo is a powerful and easy-to-use open-source website building tool developed by Halo. Version 2.22.14 of Halo has a code vulnerability. This vulnerability stems from server-side request forgery at the /plugins/-/install-from-uri endpoint, which may allow authenticated attackers to scan internal...

CVSS 5.4 | AI score 5.9 | EPSS 0.00032
Exploits: 0 | References: 1

Amazon
added 2026/04/30 12:0 a.m. | 4 views

Medium: gstreamer-plugins-good

Issue Overview: An out-of-bounds read in the WAV parser that can cause crashes for certain input files. CVE-2026-1940 Affected Packages: gstreamer-plugins-good Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference between AL2 Core and A...

CVSS 5.1 | AI score 7.9 | EPSS 0.00056
Exploits: 0

OSV
added 2026/04/29 9:27 p.m. | 2 views

GHSA-C28G-VH7M-FM7V OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners

Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...

CVSS 5.3 | AI score 5.8 | EPSS 0.0003
Exploits: 0 | References: 6

vulnersOsv
added 2026/04/29 3:30 p.m. | 5 views

com.btc.ep:btc-embeddedplatform (>=1.9.2-beta <=2.5.9), io.jenkins.blueocean:blueocean (>=1.27.17 <=1.27.25) +8 more potentially affected by CVE-2026-42524 via org.jenkins-ci.plugins:htmlpublisher (>=1.0 <=1.6)

org.jenkins-ci.plugins:htmlpublisher MAVEN version =1.0, =1.9.2-beta, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.27.17, =1.0.0, =1.0.18 Source cves: CVE-2026-42524 Source advisory: OSV:GHSA-F8H4-46XV-H7JJ...

CVSS 8 | AI score 6 | EPSS 0.00051
Exploits: 0

vulnersOsv
added 2026/04/29 3:30 p.m. | 4 views

au.com.versent.jenkins.plugins:ignore-committer-strategy (>=29.v7c3891a_434c3 <=57.v0756db_b_f6926), com.amazon.jenkins.fleet:ec2-fleet (>=1.0 <=4.2.3.539.v8fedff2a_81c3) +120 more potentially affected by CVE-2026-42520 via org.jenkins-ci.plugins:credentials-binding (>=1.10 <=717.v951d49b_5f3a_a_)

org.jenkins-ci.plugins:credentials-binding MAVEN version =1.10, =29.v7c3891a434c3, =1.0, =1.6, =1.4, =1.41.0, =377.vc87a13718939, =57.vde5161ec7aba, =0.17, =60.vce1b19770361, =1.0.43, =1.0.0, =1.27.25 and more Source cves: CVE-2026-42520 Source advisory: OSV:GHSA-P2RF-WPXJ-MX2G...

CVSS 7.5 | AI score 5.8 | EPSS 0.02742
Exploits: 0

Tenable Nessus
added 2026/04/29 12:0 a.m. | 8 views

Jenkins plugins Multiple Vulnerabilities (2026-04-29)

According to their self-reported version numbers, the version of Jenkins plugins running on the remote web server are affected by multiple vulnerabilities: - High HTML Publisher Plugin 427 and earlier does not escape job name and URL in the legacy wrapper file. This results in a stored cross-site...

CVSS 9 | AI score 5.9 | EPSS 0.02742
Exploits: 0 | References: 8

NVD
added 2026/04/28 7:37 p.m. | 2 views

CVE-2026-42428

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment...

CVSS 7.5 | EPSS 0.0002
Exploits: 0 | References: 3

NVD
added 2026/04/28 7:37 p.m. | 4 views

CVE-2026-41396

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory...

CVSS 8.5 | EPSS 0.00014
Exploits: 0 | References: 3

NVD
added 2026/04/28 7:37 p.m. | 4 views

CVE-2026-41377

OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install untrusted plugins when operators proceed despite visible scan warnings...

CVSS 5.1 | EPSS 0.00038
Exploits: 0 | References: 6

Cvelist
added 2026/04/28 6:10 p.m. | 25 views

CVE-2026-42428 OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment...

CVSS 7.5 | EPSS 0.0002
Exploits: 0 | References: 3

ATTACKERKB
added 2026/04/28 6:10 p.m. | 0 views

CVE-2026-42428

OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment...

CVSS 7.5 | AI score 5.2 | EPSS 0.0002
Exploits: 0 | References: 4

EUVD
added 2026/04/28 6:9 p.m. | 2 views

EUVD-2026-26104

OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace configuration can inject malicious plugins by overriding the bundled plugin trust root directory...

CVSS 8.5 | AI score 5.2 | EPSS 0.00014
Exploits: 0 | References: 3

CVE
added 2026/04/28 6:9 p.m. | 8 views

CVE-2026-41396

OpenClaw is affected prior to version 2026.3.31. Affected: openclaw (npm). Vulnerability: workspace .env files can override OPENCLAW_BUNDLED_PLUGINS_DIR, allowing manipulation of the bundled plugin trust root and undermining plugin trust verification. Impact: attackers with control over workspace...

CVSS 8.5 | AI score 5.2 | EPSS 0.00014
Exploits: 0 | References: 3 | Affected Software: 1