4855 matches found

OSSF Malicious Packages
added yesterday, 4 views

Malicious code in security-alerts-sdk (PyPI)

Source: amazon-inspector 8f881805b709189d00bc52dc57c407bfecdae44fb343f92634a301c31525f6b0 Despite advertising itself as a breach-monitoring SDK, this package executes a remote-access trojan and credential harvester against any installer th...

6 AI score
Exploits 0, References 2
EUVD
added yesterday, 6 views

EUVD-2026-38418

The Simple Basic Contact Form WordPress plugin through 20250114 does not escape user-supplied input before reflecting it into the contact form output on validation errors, leading to a Reflected Cross-Site Scripting vulnerability that unauthenticated attackers can exploit against site visitors vi...

7.1 CVSS, 5.7 AI score, 0.00165 EPSS
Exploits 0, References 1
Nuclei
added yesterday, 6 views

Frontend Post Submission Manager Lite <= 1.2.7 - Open Redirect

The Frontend Post Submission Manager Lite plugin for WordPress is vulnerable to Open Redirection in all versions up to, and including, 1.2.7 due to insufficient validation on the 'requestedpage' POST parameter in the verifyusernamepassword function. This makes it possible for unauthenticated...

6.1 CVSS, 5.9 AI score, 0.0046 EPSS
Exploits 0, References 2
CVE
added 2 days ago, 9 views

CVE-2026-48505

Filament’s MFA recovery-code handling (versions 4.0.0–4.11.5 and 5.6.5) allows the same recovery code to be reused under concurrent submissions. When recovery codes are enabled, an attacker with the user’s password and codes can establish multiple authenticated sessions per code, extending access...

7.4 CVSS, 5.9 AI score, 0.00193 EPSS
Exploits 0, References 1
AstraLinux
added 5 days ago, 3 views

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: In the blkzonewplugbiowork function, do not use submitbionoacctnocheck. Queues of zone write operations have already gone through all preparations in the submitbio path, including freeze protection. Submitting these operations...

5.5 CVSS, 5.6 AI score, 0.00121 EPSS
Exploits 0, References 2
Cvelist
added 5 days ago, 48 views

CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

9.1 CVSS, 0.01193 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/06/17 12:00 a.m., 10 views

PT-2026-50479

Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.9.6. Description: The chat message listener in the chat page's window message listener processes input:prompt and action:submit messages without enforcing same-origin restrictions. This allows an external site to s...

7.1 CVSS, 5.8 AI score, 0.00033 EPSS
Exploits 0, References 4
EUVD
added 2026/06/16 5:33 a.m., 9 views

EUVD-2026-37038

The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7. This is due to the getsubmissioncontent AJAX endpoint lacking a capability check to verify that a user has permission to access the requested form submission data. This makes it...

6.5 CVSS, 5.4 AI score, 0.00238 EPSS
Exploits 0, References 5
VulnCheck KEV
added 2026/06/15 12:00 a.m., 12 views

VulnCheck KEV: CVE-2026-53435

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. This can be used to...

8.8 CVSS, 5.5 AI score, 0.14335 EPSS
In wild, Exploits 2, References 2
GithubExploit
added 2026/06/14 7:26 p.m., 70 views

VulnPilot

VulnPilot is an automation framework for vulnerabil...

5.4 AI score
Exploits 0
Positive Technologies
added 2026/06/13 12:00 a.m., 12 views

PT-2026-49084

Name of the Vulnerable Software and Affected Versions: Page Builder: Pagelayer versions prior to 2.1.0. Description: Incorrect Authorization exists in the Page Builder: Pagelayer plugin. The pagelayer save content AJAX handler allows users with basic post-edit capabilities to persist pagelayer conta...

4.3 CVSS, 5.4 AI score, 0.00204 EPSS
Exploits 0, References 7
OSV
added 2026/06/12 8:43 a.m., 6 views

BIT-JENKINS-2026-53435

In Jenkins 2.567 and earlier, LTS 2.555.2 and earlier, it is possible for attackers to have Jenkins deserialize arbitrary types defined in Jenkins core or plugins from an attacker-controlled config.xml submission in a way that allows them to handle HTTP requests afterwards. This can be used to...

8.8 CVSS, 5.5 AI score, 0.14335 EPSS
Exploits 2, References 2
NVD
added 2026/06/10 10:17 p.m., 8 views

CVE-2026-53634

Sharp is a content management framework built for Laravel as a package. From version 9.0.0 to before version 9.22.3, the create and store endpoints of the Quick Creation Command feature did not enforce any authorization check. An authenticated Sharp user without create permission on a given entit...

4.3 CVSS, 0.00213 EPSS
Exploits 0, References 4
CVE
added 2026/06/10 1:05 p.m., 133 views

CVE-2026-53435

CVE-2026-53435 affects Jenkins 2.567 and earlier, including LTS 2.555.2 and earlier. The root cause is unsafe deserialization due to a deserialization sink that bypasses a ClassFilter, allowing an attacker who can POST a config.xml to deserialize arbitrary core/plugin types and reach them via HTT...

8.8 CVSS, 5.7 AI score, 0.14335 EPSS
In wild, Exploits 2, References 1, Affected Software 1
RedhatCVE
added 2026/06/10 8:59 a.m., 9 views

CVE-2026-11603

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'argsfilterFormArray' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1 CVSS, 5.7 AI score, 0.00205 EPSS
Exploits 0, References 1
NVD
added 2026/06/09 5:16 a.m., 7 views

CVE-2026-11603

The Product Filter Widget for Elementor plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via 'argsfilterFormArray' Parameter in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated...

6.1 CVSS, 0.00205 EPSS
Exploits 0, References 2
RedhatCVE
added 2026/06/07 8:59 a.m., 17 views

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2 CVSS, 5.7 AI score, 0.00314 EPSS
Exploits 0, References 1
NVD
added 2026/06/06 2:16 a.m., 10 views

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2 CVSS, 0.00314 EPSS
Exploits 0, References 10
ATTACKERKB
added 2026/06/06 1:26 a.m., 6 views

CVE-2026-8901

The Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to, and including, 1.0.15 due to insufficient input sanitization and output escaping. This make...

7.2 CVSS, 5.7 AI score, 0.00314 EPSS
Exploits 0, References 11
CVE
added 2026/06/06 1:26 a.m., 20 views

CVE-2026-8901

CVE-2026-8901 affects the WordPress plugin “Integration for Freshsales – Contact Form 7, WPForms, Elementor, Gravity Forms and More.” It is vulnerable to Stored Cross-Site Scripting via Form Submission Data in all versions up to 1.0.15, caused by insufficient input sanitization and output escapin...

7.2 CVSS, 5.7 AI score, 0.00314 EPSS
Exploits 0, References 10