
1162 matches found

NVD
added 2026/02/19 7:17 a.m., 4 views

CVE-2025-13842

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the...

5.3 CVSS, 0.00053 EPSS
Exploits: 0, References: 3
CVE
added 2026/02/19 4:36 a.m., 17 views

CVE-2025-13842

CVE-2025-13842 applies to the Breadcrumb NavXT WordPress plugin, affected up to version 7.5.0. The underlying issue is an authorization bypass: the Gutenberg block renderer trusts the $_REQUEST['post_id'] in includes/blocks/build/breadcrumb-trail/render.php, enabling unauthenticated users to enum...

5.3 CVSS, 5.5 AI score, 0.00053 EPSS
Exploits: 0, References: 3
Cvelist
added 2026/02/19 4:36 a.m., 25 views

CVE-2025-13842 Breadcrumb NavXT <= 7.5.0 - Missing Authorization to Sensitive Information Exposure

The Breadcrumb NavXT plugin for WordPress is vulnerable to authorization bypass through user-controlled key in versions up to and including 7.5.0. This is due to the Gutenberg block renderer trusting the $_REQUEST['post_id'] parameter without verification in the...

5.3 CVSS, 0.00053 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/02/15 3:24 a.m., 5 views

CVE-2026-1793

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'rendersvg' function. This makes it possible for authenticated attackers, with...

6.5 CVSS, 5.7 AI score, 0.00072 EPSS
Exploits: 0, References: 4
EUVD
added 2026/02/15 3:24 a.m., 3 views

EUVD-2026-5833

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'rendersvg' function. This makes it possible for authenticated attackers, with...

6.5 CVSS, 5.7 AI score, 0.00072 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2026/02/15 12:0 a.m., 6 views

PT-2026-8224

The Element Pack Addons for Elementor plugin for WordPress is vulnerable to arbitrary file reads in all versions up to, and including, 8.3.17 via the SVG widget and a lack of sufficient file validation in the 'render svg' function. This makes it possible for authenticated attackers, with...

6.5 CVSS, 5.7 AI score, 0.00072 EPSS
Exploits: 0, References: 4
NVD
added 2026/02/03 6:15 a.m., 3 views

CVE-2026-0950

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check post_password_required before rendering post excerpts in the renderexcerpt...

5.3 CVSS, 0.00137 EPSS
Exploits: 0, References: 10
ATTACKERKB
added 2026/02/03 5:30 a.m., 3 views

CVE-2026-0950

The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check post_password_required before rendering post excerpts in the renderexcerpt...

5.3 CVSS, 5.4 AI score, 0.00137 EPSS
Exploits: 0, References: 11
Positive Technologies
added 2026/01/21 12:0 a.m., 5 views

PT-2026-3877

Name of the Vulnerable Software and Affected Versions: Docmost versions 0.3.0 through 0.23.2. Description: Docmost is collaborative wiki and documentation software. Versions 0.3.0 through 0.23.2 are susceptible to stored Cross-Site Scripting (XSS) due to improper sanitization when rendering Mermaid co...

6.3 CVSS, 5.8 AI score, 0.00061 EPSS
Exploits: 1, References: 6
RedhatCVE
added 2026/01/20 3:27 p.m., 2 views

CVE-2026-21618

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting (XSS). This vulnerability is associated with program files...

8.5 CVSS, 5.4 AI score, 0.00067 EPSS
Exploits: 0, References: 1
NVD
added 2026/01/19 3:15 p.m., 6 views

CVE-2026-21618

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting (XSS). This vulnerability is associated with program files...

8.5 CVSS, 0.00067 EPSS
Exploits: 0, References: 4
OSV
added 2026/01/19 3:15 p.m., 3 views

CVE-2026-21618

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting (XSS). This vulnerability is associated with program files...

8.5 CVSS, 5.5 AI score, 0.00067 EPSS
Exploits: 0, References: 2
OSV
added 2026/01/19 2:22 p.m., 2 views

EEF-CVE-2026-21618 Cross-site scripting (XSS) in OAuth Device Authorization screen

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting (XSS). This vulnerability is associated with program files...

8.5 CVSS, 5.5 AI score, 0.00067 EPSS
Exploits: 0, References: 3
Cvelist
added 2026/01/19 2:22 p.m., 21 views

CVE-2026-21618 Cross-site scripting (XSS) in OAuth Device Authorization screen

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in hexpm hexpm/hexpm 'Elixir.HexpmWeb.SharedAuthorizationView' modules allows Cross-Site Scripting (XSS). This vulnerability is associated with program files...

8.5 CVSS, 0.00067 EPSS
Exploits: 0, References: 4
CVE
added 2026/01/16 11:25 a.m., 12 views

CVE-2025-14435

Summary (CVE-2025-14435): Mattermost contains an application-level DoS vulnerability due to unbounded React component re-renders triggered by API errors. Affected versions are 10.11.x ≤ 10.11.8, 11.1.x ≤ 11.1.1, and 11.0.x ≤ 11.0.6. The issue arises because errors from API responses fail to stop r...

6.8 CVSS, 6.3 AI score, 0.00021 EPSS
Exploits: 0, References: 1, Affected Software: 1
Vulnrichment
added 2026/01/16 11:25 a.m., 1 views

CVE-2025-14435 Application-Level DoS via infinite re-render loop in user profile handling

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops...

6.8 CVSS, 6.3 AI score, 0.00021 EPSS
Exploits: 0, References: 1
Cvelist
added 2026/01/16 11:25 a.m., 28 views

CVE-2025-14435 Application-Level DoS via infinite re-render loop in user profile handling

Mattermost versions 10.11.x <= 10.11.8, 11.1.x <= 11.1.1, 11.0.x <= 11.0.6 fail to prevent infinite re-renders on API errors which allows authenticated users to cause application-level DoS via triggering unbounded component re-render loops...

6.8 CVSS, 0.00021 EPSS
Exploits: 0, References: 1
Tenable Nessus
added 2026/01/16 12:0 a.m., 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001168)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001168 advisory. The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.6 does not validate addition of certain levels data,...

7.8 CVSS, 6.5 AI score, 0.00036 EPSS
Exploits: 0, References: 8
Tenable Nessus
added 2026/01/16 12:0 a.m., 3 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-001652)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-001652 advisory. The vmw_surface_define_ioctl function in drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.5 does not check for a zero value of certain levels dat...

5.5 CVSS, 6.5 AI score, 0.00063 EPSS
Exploits: 0, References: 7
Vulnrichment
added 2026/01/15 7:59 p.m., 3 views

CVE-2025-15265 Svelte 5.46.0 - Hydratable Key Script-Breakout XSS (SSR)

An SSR XSS exists in async hydration when attacker‑controlled keys are passed to hydratable. The key is embedded inside a block without HTML‑safe escaping, allowing to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for...

5.3 CVSS, 6.2 AI score, 0.00017 EPSS
Exploits: 1, References: 2