Lucene search

49 matches found

Cvelist
added 2026/05/26 7:29 p.m., 29 views

CVE-2026-27331 WordPress WpTravelly plugin <= 2.1.5 - Broken Access Control vulnerability

Missing Authorization vulnerability in Magepeople inc. WpTravelly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WpTravelly: from n/a through 2.1.5...

6.3 CVSS, 0.00038 EPSS
Exploits: 0, References: 1
CVE
added 2026/05/14 3:2 p.m., 5 views

CVE-2026-44371

Open OnDemand (HPC portal) is affected prior to versions 4.0.11, 4.1.5, and 4.2.2. The issue allows specially crafted filenames to execute JavaScript in the file browser. The vulnerability is fixed in 4.0.11, 4.1.5, and 4.2.2. Impact is web/application-level, with JavaScript execution in the file...

5.3 CVSS, 5.9 AI score, 0.00062 EPSS
Exploits: 0, References: 1
Vulnrichment
added 2026/05/12 10:35 p.m., 6 views

CVE-2026-41901 Thymeleaf: Improper recognition of unauthorized syntax patterns in sandboxed Thymeleaf expressions

Thymeleaf is a server-side Java template engine for web and standalone environments. Prior to 3.1.5.RELEASE, a security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf. Although the library provides mechanisms to avoid the execution of potentially dangerous...

9 CVSS, 5.9 AI score, 0.00104 EPSS
Exploits: 0, References: 1
Patchstack
added 2026/05/01 9:14 a.m., 2 views

WordPress XT Quick View for WooCommerce plugin <= 2.1.5 - Unauthenticated Reflected Cross-Site Scripting vulnerability

Unauthenticated Reflected Cross-Site Scripting vulnerability discovered by Asaf Mozes in WordPress Plugin XT Quick View for WooCommerce versions <= 2.1.5...

6.1 CVSS, 5.8 AI score, 0.00135 EPSS
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/04/29 10:40 a.m., 0 views

CVE-2026-42652 WordPress User Registration plugin <= 5.1.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpeverest User Registration user-registration allows Reflected XSS. This issue affects User Registration: from n/a through <= 5.1.5...

7.1 CVSS, 5.2 AI score, 0.00039 EPSS
Exploits: 0, References: 1
NVD
added 2026/04/06 5:16 a.m., 1 views

CVE-2026-5619

A flaw has been found in Braffolk mcp-summarization-functions up to 0.1.5. This impacts an unknown function of the file src/server/mcp-server.ts of the component summarizecommand. Executing a manipulation of the argument command can lead to os command injection. The attack requires local access...

5.3 CVSS, 0.00615 EPSS
Exploits: 0, References: 4
Cvelist
added 2026/03/10 6:5 p.m., 22 views

CVE-2026-31796 iccDEV has a heap-based buffer overflow in icCurvesFromXml()

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to 2.3.1.5, there is a heap-based buffer overflow in icCurvesFromXml causing heap memory corruption or crash. This vulnerability is fixed in 2.3.1.5...

7.8 CVSS, 0.00018 EPSS
Exploits: 0, References: 4
Positive Technologies
added 2026/03/10 12:0 a.m., 1 views

PT-2026-24349

Name of the Vulnerable Software and Affected Versions: iccDEV versions prior to 2.3.1.5. Description: iccDEV is a set of libraries and tools for working with ICC color management profiles. A stack overflow exists in the CIccBasicStructFactory::CreateStruct function, leading to uncontrolled recursion...

5.5 CVSS, 5.8 AI score, 0.00015 EPSS
Exploits: 0, References: 10
Vulnrichment
added 2026/03/03 12:0 a.m., 3 views

CVE-2024-55024

An authentication bypass vulnerability in the authorization mechanism of Weintek cMT-3072XH2 easyweb v2.1.53, OS v20231011 allows unauthorized attackers to perform Administrative actions using service accounts...

5.9 AI score, 0.00119 EPSS
Exploits: 0, References: 2
Atlassian
added 2026/02/24 9:28 p.m., 13 views

DOM-based XSS @remix-run/router Dependency in Crowd Data Center

This High severity DOM-based XSS vulnerability was introduced in version 7.1.0 of Crowd Data Center. This DOM-based XSS vulnerability, with a CVSS Score of 8 and a CVSS Vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N allows an unauthenticated attacker to execute arbitrary HTML or JavaScrip...

8 CVSS, 6.1 AI score, 0.00019 EPSS
Exploits: 0
Positive Technologies
added 2026/02/16 12:0 a.m., 3 views

PT-2026-8317

A vulnerability was identified in vichan-devel vichan up to 5.1.5. This vulnerability affects unknown code of the file inc/mod/pages.php of the component Password Change Handler. The manipulation of the argument Password leads to unverified password change. The attack can be initiated remotely. T...

5.1 CVSS, 5.3 AI score, 0.00012 EPSS
Exploits: 0, References: 5
Patchstack
added 2026/02/03 11:26 a.m., 5 views

WordPress Tutor LMS Elementor Addons plugin <= 2.1.5 - Missing Authorization to Authenticated (Subscriber+) Limited Plugin Installation vulnerability

Missing Authorization to Authenticated Subscriber+ Limited Plugin Installation vulnerability discovered by Tieu Pham Trong Nhan - TechlabCorp in WordPress Plugin Tutor LMS Elementor Addons versions <= 2.1.5...

4.3 CVSS, 5.4 AI score, 0.00209 EPSS
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2026/01/27 3:20 a.m., 3 views

CVE-2025-70368

Worklenz version 2.1.5 contains a Stored Cross-Site Scripting XSS vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a...

5.4 CVSS, 5.9 AI score, 0.00016 EPSS
Exploits: 2, References: 1
RedhatCVE
added 2026/01/07 9:49 a.m., 3 views

CVE-2022-27819

SWHKD 1.1.5 allows unsafe parsing via the -c option. An information leak might occur but there is a simple denial of service memory exhaustion upon an attempt to parse a large or infinite file such as a block or character device...

5.3 CVSS, 6.6 AI score, 0.00233 EPSS
Exploits: 0, References: 1
Positive Technologies
added 2026/01/07 12:0 a.m., 3 views

PT-2026-1567

Name of the Vulnerable Software and Affected Versions: NS IE Compatibility Fixer plugin for WordPress versions through 2.1.5. Description: The software is susceptible to Cross-Site Request Forgery CSRF due to the absence of nonce validation on the settings update functionality. This allows attackers...

4.3 CVSS, 6.5 AI score, 0.00031 EPSS
Exploits: 0, References: 9
CVE
added 2025/12/09 2:52 p.m., 3 views

CVE-2025-62153

CVE-2025-62153 concerns WordPress plugin “Quick Interest Slider” (versions up to 3.1.7) with a Missing Authorization / Broken Access Control flaw. Public descriptions from NVD/Red Hat/ENISA (and CVE enrichment) indicate an improper access-control configuration that could allow an attacker to expl...

5.3 CVSS, 5.7 AI score, 0.00038 EPSS
Exploits: 0, References: 1
CVE
added 2025/11/21 12:29 p.m., 6 views

CVE-2025-66091

CVE-2025-66091 is a DOM-based XSS vulnerability in the WordPress plugin Stylish Cost Calculator (design stylish-cost-calculator) up to version

6.5 CVSS, 6 AI score, 0.00029 EPSS
Exploits: 0, References: 1
OSV
added 2025/11/06 8:15 p.m., 1 views

CVE-2025-34243

Advantech WebAccess/VPN versions prior to 1.1.5 contain a SQL injection vulnerability in AjaxFwRulesController.ajaxNetworkFwRulesAction that allows an authenticated low-privileged observer user to inject SQL via datatable search parameters, leading to disclosure of database information...

6.5 CVSS, 5.8 AI score, 0.0003 EPSS
Exploits: 0, References: 3
Patchstack
added 2025/09/06 12:10 a.m., 4 views

WordPress StreamWeasels Kick Integration plugin <= 1.1.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via vodsChannel Parameter vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via vodsChannel Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin SW Kick Integration versions <= 1.1.5...

6.4 CVSS, 5.5 AI score, 0.00066 EPSS
Exploits: 0, References: 1, Affected Software: 1
RedhatCVE
added 2025/05/23 3:55 a.m., 5 views

CVE-2023-32594

Cross-Site Request Forgery CSRF vulnerability in Benedict B., Maciej Gryniuk Hyphenator plugin <= 5.1.5 versions...

8.8 CVSS, 8.5 AI score, 0.00074 EPSS
Exploits: 0, References: 1