
4768 matches found

EUVD
added 9 hours ago, 4 views

EUVD-2026-39351

An attacker can send a crafted EDNS OPT record that will be ignored by DNSdist’s filtering rules, but will be rewritten as a valid OPT record when EDNS Client Subnet is inserted, causing the backend to see the EDNS options that DNSdist did not filter...

CVSS 3.7, AI score 5.9
Exploits: 0, References: 1

EUVD
added 12 hours ago, 5 views

EUVD-2026-39186

The Masteriyo LMS WordPress plugin before 2.2.1 does not perform authorization checks in a course-progress REST API controller, allowing unauthenticated users to read and permanently delete any user's course-progress records...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 2

CVE
added 16 hours ago, 9 views

CVE-2026-10824

The Masteriyo LMS WordPress plugin, version before 2.2.1, has missing authorization checks in the course-progress REST API controller. This allows unauthenticated users to read and permanently delete any user’s course-progress records. The vulnerability is caused by insufficient access control in...

CVSS 6.5, AI score 5.8
Exploits: 0, References: 1

Nuclei
added 16 hours ago, 16 views

Employee Records System 1.0 - Unauthenticated File Upload RCE

Employee Records System version 1.0 contains an unrestricted file upload vulnerability in uploadID.php that allows remote unauthenticated attackers to upload arbitrary PHP files and achieve remote code execution. id: CVE-2021-4462 info: name: Employee Records System 1.0 - Unauthenticated File...

CVSS 9.8, AI score 6.3, EPSS 0.02988
Exploits: 2, References: 2

NVD
added yesterday, 7 views

CVE-2026-56245

Supabase Capgo before 12.128.2 contains an authorization bypass vulnerability in the SECURITY DEFINER record_build_time RPC function that allows unauthenticated attackers to insert arbitrary build-time records. Attackers can exploit this by calling POST /rest/v1/rpc/record_build_time with a public AP...

CVSS 8.8
Exploits: 0, References: 2

CVE
added yesterday, 10 views

CVE-2026-56245

Supabase Capgo before 12.128.2 contains an authorization bypass in the SECURITY DEFINER record_build_time RPC, allowing unauthenticated attackers to insert arbitrary build-time records. Exploitation path: POST /rest/v1/rpc/record_build_time with a public API key. Impact: cross‑t...

CVSS 8.8, AI score 6
Exploits: 0, References: 2

NVD
added yesterday, 6 views

CVE-2026-9175

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.2.0. This is due to the getsingleaccount REST API callback being registered with a permission_callback that unconditionally returns tru...

CVSS 5.3, EPSS 0.00348
Exploits: 0, References: 3

NVD
added yesterday, 5 views

CVE-2026-9172

The Devs Accounting – Simple Accounting and Invoicing Solution plugin for WordPress is vulnerable to unauthorized modification/deletion of data due to a missing capability check on the deletesingleaccount function in versions up to, and including, 1.2.0. The REST route...

CVSS 5.3, EPSS 0.00227
Exploits: 0, References: 3

NVD
added yesterday, 7 views

CVE-2026-8690

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

CVSS 5.3, EPSS 0.00255
Exploits: 0, References: 5

EUVD
added yesterday, 5 views

EUVD-2026-38690

The RentMy Real-Time Rental Management Plugin plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 4.0.4.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated...

CVSS 5.3, AI score 5.8, EPSS 0.00255
Exploits: 0, References: 5

NVD
added 2 days ago, 7 views

CVE-2026-12969

An out-of-bounds read vulnerability exists in dnsmasq's find_soa function in src/rfc1035.c. When parsing NS section records, extract_name is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can...

CVSS 5.3, EPSS 0.0025
Exploits: 0, References: 2

EUVD
added 2 days ago, 9 views

EUVD-2026-38449

An out-of-bounds read vulnerability exists in dnsmasq's find_soa function in src/rfc1035.c. When parsing NS section records, extract_name is called with extrabytes=0, failing to validate that 10 additional bytes exist for fixed-length DNS record fields. A remote attacker controlling a DNS zone can...

CVSS 5.3, AI score 6, EPSS 0.0025
Exploits: 0, References: 2

ATTACKERKB
added 3 days ago, 4 views

CVE-2026-12725

A heap-based buffer overflow was found in dnsmasq. When DNSSEC validation and query logging are both enabled, logging of DS or DNSKEY replies containing unsupported algorithm or digest types can cause dnsmasq to write past the end of an internal logging buffer. A remote attacker able to supply su...

CVSS 5.9, AI score 6.1, EPSS 0.00406
Exploits: 0, References: 3

NVD
added 5 days ago, 6 views

CVE-2026-56341

AVideo through version 26.0 contains multiple unauthenticated list.json.php endpoints in payment plugins lacking authorization checks, exposing PayPal tokens, Authorize.Net webhooks, and Bitcoin transaction records. Unauthenticated attackers can retrieve all payment transaction data including...

CVSS 8.7, EPSS 0.00302
Exploits: 0, References: 2

CVE
added 6 days ago, 15 views

CVE-2026-56082

Capgo (Cap-go/capgo) prior to 12.128.2 has an improper access control in the SECURITY DEFINER PostgREST RPC function public.record_build_time, which is accessible to anon and can be called with the public Supabase publishable anon key. An unauthenticated attacker can insert into public.build_logs...

CVSS 8.7, AI score 6, EPSS 0.00242
Exploits: 0, References: 2

CVE
added 6 days ago, 18 views

CVE-2026-12238

The WP Go Maps WordPress plugin (up to version 10.1.01) is vulnerable to an authorization bypass that allows unauthenticated attackers to create arbitrary records in plugin tables (maps, markers, circles, polygons, polylines, rectangles, and point labels) by supplying a WPGMZA-namespaced CRUD-bac...

CVSS 5.3, AI score 6, EPSS 0.00205
Exploits: 0, References: 2

AstraLinux
added 6 days ago, 6 views

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerabilities have been resolved: tls: fixed handling of zero-length records in the rx_list. Each recvmsg call must process either: only contiguous DATA records (any number of them), or one non-DATA record. If the next record has a different type than those that ha...

CVSS 7.1, AI score 6.9, EPSS 0.00178
Exploits: 1, References: 2

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerability in Linux 6.1

In the Linux kernel, the following vulnerability has been resolved: ntfs3: Treating $Extend records as regular files. Since the commit af153bb63a33 "vfs: catching invalid modes in may_open" requires that any inode be of one of the types S_IFDIR/S_IFLNK/S_IFREG/S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK, use S_IFREG...

AI score 5.6, EPSS 0.00161
Exploits: 0, References: 1

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerability in connman

ConnMan (also known as Connection Manager) versions 1.30 to 1.39 have a stack-based buffer overflow in the uncompress function of dnsproxy.c, occurring due to the use of NAME, RDATA, or RDLENGTH fields for the A or AAAA records...

CVSS 9.8, AI score 8.8, EPSS 0.02863
Exploits: 1, References: 1

AstraLinux
added 6 days ago, 3 views

Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15

In the Linux kernel, the following vulnerability has been resolved: ntfs: check overflow when iterating ATTR_RECORDs. The kernel iterates over ATTR_RECORDs in mft records in the ntfs_attr_find function. Since ATTR_RECORDs are adjacent to each other, the kernel can access the next ATTR_RECORD from the en...

CVSS 5.5, AI score 6.3, EPSS 0.00177
Exploits: 0, References: 2