472 matches found
WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting
The createComment mutation in the WPGraphQL 0.2.3 plugin for WordPress allows unauthenticated users to post comments on any article, even when 'allow comment' is disabled. id: CVE-2019-9881 info: name: WPEngine WPGraphQL 0.2.3 - Unauthenticated Comment Posting author: intelligent-ears severity:...
CVE-2026-46605
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-31 18:03:18+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mn65mbrzk32l |
...
CVE-2026-46402
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-27 23:06:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmumods67b2r |
| 2026-05-28 02:33:22+00:00 | seen | https://bsky.app/profile/postac001.bsky.social/post/3mmuyanmsf327 |
| 2026-05-28 06:00:29+00:00 | seen | ... |
CVE-2026-2254
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-27 05:17:07+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmsqwkq3f22e |
...
PT-2026-42751
Mattermost versions 11.6.x <= 11.6.0, 11.5.x <= 11.5.2, 11.5.x <= 11.5.3, 11.4.x <= 11.4.4, 10.11.x <= 10.11.14 fail to validate the TIFF IFD offset in the image header before allocating memory, which allows authenticated users with file upload or posting permissions to cause a denial of service serve...
CVE-2026-9126
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-20 20:17:06+00:00 | seen | https://infosec.exchange/users/vuldb/statuses/116608743862604761 |
| 2026-05-20 22:40:17+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmcxxhekzf2k |
| 2026-05-21 17:07:07+00:00 | seen | ... |
CVE-2026-47068
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-20 15:28:18+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mmc7sv2h5b2h |
...
Malicious code in @solarcraft/observix (npm)
Source: amazon-inspector 14c39608a172a624520f309b572b40636dc51563f85fe89dac968712490dd40f. The package advertises itself as a zero-dependency colorized logger similar to pino-pretty, but dist/index.js does require './logger' purely for its...
Malicious code in @citely/mcp-server (npm)
Source: amazon-inspector 55faa6dd8d70be846b57b28ce2665a4a6bc1eafa6898f5f4f2cc8b25d96e1358. On startup of the documented entrypoint npx @citely/mcp-server, setupServer unconditionally invokes void runHarvest in dist/index.js. The harvester...
GHSA-V549-XX3C-6PC8 Mattermost doesn't check the create_post channel permission during post edit operations
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
Mattermost doesn't check the create_post channel permission during post edit operations
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
CVE-2026-3637
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
CVE-2026-3637 Mattermost fails to enforce create_post permission when editing posts
Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to check the create_post channel permission during post edit operations, which allows an authenticated attacker with revoked posting privileges to modify their existing posts via direct API requests to the post update and...
CVE-2026-42246
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-09 22:10:04+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mlhb56mffj2q |
| 2026-05-10 01:30:32+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mlhmdq52mi23 |
| 2026-05-10 01:30:32+00:00 | seen | ... |
hunter-max-oss
hunter-max A bug-bounty research framework. Two pieces: 1...
CVE-2026-7111
| creationtimestamp | type | source |
|---|---|---|
| 2026-04-29 15:28:47+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mkng2jxlx22e |
| 2026-04-29 18:20:47+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mknpo3nmon2n |
| 2026-04-30 21:00:38+00:00 | seen | ... |
CVE-2026-31535
In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirect_socket.recv_io.credits.available. The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already have consumed a credit, but between...
PT-2026-34891
In the Linux kernel, the following vulnerability has been resolved: smb: smbdirect: introduce smbdirect_socket.recv_io.credits.available. The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already have consumed a credit, but between...
PT-2026-34887
In the Linux kernel, the following vulnerability has been resolved: smb: client: make use of smbdirect_socket.recv_io.credits.available. The logic of managing recv credits by counting posted recv_io and granted credits is racy. That's because the peer might already have consumed a credit, but between...
EUVD-2026-24523
WWBN AVideo is an open source video platform. In versions 29.0 and prior, multiple AVideo JSON endpoints under objects/ accept state-changing requests via $_REQUEST/$_GET and persist changes tied to the caller's session user, without any anti-CSRF token, origin check, or referer check. A malicious...