6104 matches found
CVE-2026-34565 CI4MS: Menu Management (Posts) Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to properly sanitize user-controlled input when adding Posts to navigation menus through the Menu Manageme...
CVE-2026-34430
creationtimestamp| type| source
---|---|---
2026-04-01 15:26:09+00:00| seen| Telegram/LPiyqtmOsuMBSJ4TiscGzigzJ0idlnzzivv75bN9d93RTXE
2026-04-01 16:29:46+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mih4frky4p2r
2026-04-01 16:50:34+00:00| seen|...
CVE-2026-35093
creationtimestamp| type| source
---|---|---
2026-04-01 14:51:39+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migwwdkm2v2r
2026-04-01 14:52:27+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migwxqyjga2h
2026-04-01 15:26:18+00:00|...
CVE-2026-35092
creationtimestamp| type| source
---|---|---
2026-04-01 14:51:31+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migww42ltn27
2026-04-01 14:52:19+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migwxj4al52x
2026-04-01 15:26:18+00:00|...
CVE-2026-35091
creationtimestamp| type| source
---|---|---
2026-04-01 14:51:25+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migwvvhdlz2c
2026-04-01 14:52:10+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3migwxbh3tn2t
2026-04-01 15:19:16+00:00| seen|...
CVE-2026-34725
creationtimestamp| type| source
---|---|---
2026-04-01 07:49:06+00:00| published-proof-of-concept| https://github.com/dbgate/dbgate/security/advisories/GHSA-35xm-qvjg-8m42
2026-04-02 19:27:20+00:00| published-proof-of-concept| Telegram/zJs9VhJAI5JOvrL4hzeWnrOleMDgHArbbwhOuzjaL80cudA
2026-04-03...
EUVD-2026-17816
The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs, including private posts, in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...
CVE-2026-2696
The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs, including private posts, in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...
CVE-2026-2696
The CVE-2026-2696 entry concerns the WordPress plugin Export All URLs (versions before 5.1). Affected component: the plugin’s CSV filename generation uses a predictable pattern based on a random 6‑digit number, and exported CSVs are stored in publicly accessible wp-content/uploads. This enables a...
CVE-2026-2696 Export All URLs < 5.1 - Unauthenticated Sensitive Data Exposure
The Export All URLs WordPress plugin before 5.1 generates CSV filenames containing post URLs, including private posts, in a predictable pattern using a random 6-digit number. These files are stored in the publicly accessible wp-content/uploads/ directory. As a result, any unauthenticated user can...
CVE-2026-30879
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3...
CVE-2026-27697
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a SQL injection vulnerability in blog posts. This issue has been patched in version 5.2.3...
EUVD-2026-17745
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content...
CVE-2026-35057 XenForo Stored Cross-Site Scripting via Structured Text Mentions
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content...
CVE-2026-35057
XenForo is affected in versions prior to 2.3.10 and prior to 2.2.19. The vulnerability is a stored XSS in structured text mentions, primarily impacting legacy profile post content. An attacker can inject malicious scripts via crafted mentions that are stored and executed when other users view the...
CVE-2026-35057
XenForo before 2.3.10 and before 2.2.19 is vulnerable to stored cross-site scripting (XSS) in structured text mentions, primarily affecting legacy profile post content. An attacker can inject malicious scripts through crafted mentions that are stored and executed when other users view the content...
CVE-2026-35055 XenForo Cross-Site Scripting via Lightbox in Posts
XenForo before 2.3.9 and before 2.2.18 is vulnerable to cross-site scripting (XSS) related to lightbox usage in posts. An attacker can inject malicious scripts that execute when users interact with post content displayed in the lightbox...
CVE-2026-35055
XenForo is vulnerable to cross-site scripting (XSS) via lightbox usage in posts in versions before 2.3.9 and before 2.2.18. An attacker can inject scripts that execute when users interact with post content displayed in the lightbox. The issue is reported across multiple sources (including CVE-202...