CVE-2026-6391 Sentence To SEO (keywords, description and tags) <= 1.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting via Settings Page Parameters

The Sentence To SEO keywords, description and tags plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the createadminpage function. This makes it possible for unauthenticated attackers...

CVE-2026-44380

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

PT-2026-40910

The Database Backup for WordPress plugin for WordPress is vulnerable to unauthorized arbitrary file read and deletion in all versions up to, and including, 2.5.2. This is due to the plugin not properly enforcing the return value of its authorization check combined with a user-controlled backup...

CVE-2026-44380

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

EUVD-2026-30167

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVE-2026-44380 MISP: Improper access control in auth key reset allows privilege escalation to site administrator

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVE-2026-44380 MISP: Improper access control in auth key reset allows privilege escalation to site administrator

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVE-2026-44380

CVE-2026-44380 (MISP) is an improper access-control flaw in the authentication key reset feature present before version 2.5.37. An authenticated organization administrator could reset auth keys for site administrator accounts within the same organization, since non-site administrators were not ex...

MISP 安全漏洞

MISP is a set of open-source software solutions developed by MISP. This product is used for collecting, storing, distributing, and sharing network security metrics, and it includes features such as analysis of threats to network security and malware analysis. Prior to MISP 2.5.37, there were...

PT-2026-40808

MISP is an open source threat intelligence and sharing platform. Prior to 2.5.37, an improper access control vulnerability in the authentication key reset functionality allowed an authenticated organization administrator to reset authentication keys belonging to site administrator accounts within...

CVE-2026-41936

Vvveb before version 1.0.8.2 contains an XML external entity XXE injection vulnerability in the admin Tools/Import feature that allows authenticated siteadmin users to read arbitrary files and modify database records. Attackers can exploit the XML parser configuration in system/import/xml.php to...

CVE-2026-41934 Vvveb < 1.0.8.2 Authenticated RCE via Code Editor

Vvveb before version 1.0.8.2 contains an authenticated remote code execution vulnerability in the admin code editor that allows low-privilege authenticated users to execute arbitrary code through insufficient file extension restrictions, with the uploaded payload then executable via subsequent...

CVE-2026-5144

The BuddyPress Groupblog plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.9.3. This is due to the group blog settings handler accepting the groupblog-blogid, default-member, and groupblog-silent-add parameters from user input without proper...

CVE-2026-5144

The CVE-2026-5144 entry describes a Privilege Escalation in the BuddyPress Groupblog WordPress plugin up to version 1.9.3. The root cause is that the group blog settings handler accepts groupblog-blogid, default-member, and groupblog-silent-add from user input without proper authorization checks,...

CVE-2026-4420 Stored XSS via Page Creating functionality in Bludit

Bludit is vulnerable to Stored Cross-Site Scripting XSS in its page creating functionality. An authenticated attacker with page creation privileges such as Author, Editor, or Administrator can embed a malicious JavaScript payload in the tags field of a newly created article. This payload will be...

PT-2026-26218

Name of the Vulnerable Software and Affected Versions Drupal Automated Logout versions 0.0.0 through 1.6.9 Drupal Automated Logout versions 2.0.0 through 2.0.1 Description The Automated Logout module for Drupal does not adequately protect its routes against Cross-Site Request Forgery CSRF. This...

CVE-2025-15100

The CVE concerns the JAY Login & Register plugin for WordPress. A Privilege Escalation affects versions prior to 2.6.04, where an authenticated user (Subscriber-level or higher) can update arbitrary user meta via the jay_panel_ajax_update_profile function, enabling elevation to administrator. Thi...

CVE-2018-6926

In app/Controller/ServersController.php in MISP 2.4.87, a server setting permitted the override of a path variable on certain Red Hed Enterprise Linux and CentOS systems where rhshellfix was enabled, and consequently allowed site admins to inject arbitrary OS commands. The impact is limited by th...

CVE-2025-14999

The Latest Tabs plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.5. This is due to missing or incorrect nonce validation on the settings update handler in admin-page.php. This makes it possible for unauthenticated attackers to modify plugin...

CVE-2022-27244

An issue was discovered in MISP before 2.4.156. A malicious site administrator could store an XSS payload in the custom auth name. This would be executed each time the administrator modifies a user...