CVE-2026-41932 Vvveb < 1.0.8.3 Stored XSS via Signup Controller

Vvveb before 1.0.8.3 contains a stored cross-site scripting vulnerability in the customer signup flow where the Signup::addUser controller copies raw POST username values into the displayname field before sanitization occurs. Attackers can submit HTML and script markup in the username field durin...

BuddyPress < 9.1.1 - Activation Key Disclosure

The plugin disclosed the activation key from responses of the createitem method in the BP REST API Signup controller...