symfony/ux-autocomplete XSS via unescaped AJAX response data

More info at https://github.com/symfony/ux/security/advisories/GHSA-mwqm-4fw3-cjvr...

PT-2026-44911

Summary Axios versions before the fixed releases contain prototype-pollution gadgets in request config processing. If another vulnerability in the same JavaScript process has already polluted Object.prototype.transformResponse, affected Axios versions may treat that inherited value as request...

CVE-2026-7621

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

CVE-2026-7621 SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

CVE-2026-7621 SMTP2GO for WordPress <= 1.16.0 - Missing Authorization to Authenticated (Subscriber+) Log Read/Truncate

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

Linux kernel 安全漏洞

The Linux kernel is the kernel used by the Linux operating system developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the failure to promptly check the response data in the IPMI event message buffer. This could lead to...

WordPress plugin SMTP2GO for WordPress – Email Made Easy 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows users to create personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that extends the...

PT-2026-44202

The SMTP2GO for WordPress – Email Made Easy plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 1.16.0. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers,...

Astra Linux - уязвимость в linux-6.1, linux-5.15

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: rfi: fix potential response leaks If the check for the rx payload length fails, or if kmemdup fails, we still need to free the command response. Fix that issue...

OESA-2026-2316 httpd security update

Apache HTTP Server is a powerful and flexible HTTP/1.1 compliant web server. Security Fixes: An escalation of privilege bug in various modules in Apache HTTP 2.4.66 and earlier allows local .htaccess authors to read files with the privileges of the httpd user. Users are recommended to upgrade to...

EUVD-2026-28591

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...

CVE-2026-8077

Lack of proper authorization implementation in the CashDro 3 web administration panel, version 24.01.00.26. The backend lacks authorization controls, leaving security entirely to the frontend. By modifying the binary string in the ‘Permissions’ field of the JSON response, an attacker could escala...

CVE-2026-41645

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response...

EUVD-2026-28498

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's expression evaluation engine makes it possible for a malicious target server to inject and execute supported DSL expressions. This happens when HTTP response...

CVE-2026-29168

Allocation of Resources Without Limits or Throttling vulnerability in Apache HTTP Server's modmd via OCSP response data. This issue affects Apache HTTP Server: from 2.4.30 through 2.4.66. Users are recommended to upgrade to version 2.4.67, which fixes the issue...

CVE-2026-7429 SSCMS v7.4.0 Reflected Cross-Site Scripting via STL Processing

SSCMS v7.4.0 contains a reflected cross-site scripting vulnerability in the STL processing endpoint that allows attackers to execute arbitrary JavaScript by crafting malicious STL template payloads that are decrypted and returned without proper sanitization. Attackers can exploit improper output...

PT-2026-37167

Name of the Vulnerable Software and Affected Versions wlc versions prior to 2.0.0 Description The HTML output format embeds API response data into HTML without proper escaping. This allows for cross-site scripting XSS, a technique where malicious scripts are injected into trusted websites, when t...

WWBN AVideo 代码问题漏洞

WWBN AVideo is a video platform building system developed by the WWBN team using PHP. Versions of WWBN AVideo prior to 29.0 contained code vulnerabilities. These vulnerabilities stemmed from the isSSRFSafeURL function in objects/functions.php, which had a short-circuit syntax within the same...

CVE-2026-39974

n8n-MCP is a Model Context Protocol MCP server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTHTOKEN to cause the server to iss...

PT-2026-30739

Name of the Vulnerable Software and Affected Versions Open edX Platform affected versions not specified Description The Open edX Platform allows for the creation and delivery of online learning content. The view survey API endpoint is susceptible to an open redirect issue due to the lack of...