CVE-2026-7881

Concrete CMS 9.5.0 and below is subject to Insecure Direct Object Reference IDOR in the Express Entry Detail block via the exEntryID parameter. This IDOR leads to unauthorized access to all Express form submissions. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3...

CVE-2026-5396 Fluent Forms <= 6.1.21 - Authenticated (Subscriber+) Authorization Bypass via 'form_id' Parameter

The Fluent Forms plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to, and including, 6.1.21. This is due to the SubmissionPolicy class authorizing submission-level actions read, modify, delete, add notes based on a user-supplied formid quer...

CVE-2026-3831

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the entriesshortcode function in all versions up to, and including, 1.4.9. This makes it possible for authenticated attackers, with...

CVE-2025-64705

Frappe Learning version range 2.0.0–2.40.9 suffers an information-disclosure vulnerability where users could view submissions from other students due to improper access control and direct URL access. The issue is fixed in version 2.41.0 by enforcing proper roles and redirecting direct URL access....

PT-2025-46768

Name of the Vulnerable Software and Affected Versions Frappe Learning versions 2.0.0 through 2.40.9 Description Frappe Learning allows users to structure content. Versions 2.0.0 through 2.40.9 permitted users to access submissions made by other students. The issue was addressed in version 2.41.0 ...

EUVD-2013-4134

Malware in sbrugna...