2816 matches found
Forg365 PhaaS Targets Microsoft 365 with Device Code and AitM Session Theft
A new phishing-as-a-service PhaaS operation called Forg365 is using a combination of device code phishing, adversary-in-the-middle AitM tactics, antibot evasion, artificial intelligence AI-assisted lure creation, and post-compromise mailbox operations targeting Microsoft 365 accounts. Distributed...
CVE-2026-57732
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows DOM-Based XSS.This issue affects tagDiv Opt-In Builder: from n/a through = 1.7.4...
CVE-2026-57732 WordPress tagDiv Opt-In Builder plugin <= 1.7.4 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in tagDiv tagDiv Opt-In Builder td-subscription allows DOM-Based XSS.This issue affects tagDiv Opt-In Builder: from n/a through = 1.7.4...
Popup Builder Plugin - SQL Injection and Cross-Site Scripting
The Popup Builder WordPress plugin before 4.1.1 is vulnerable to SQL Injection and Reflected XSS via the sgpb-subscription-popup-id parameter. id: CVE-2022-0479 info: name: Popup Builder Plugin - SQL Injection and Cross-Site Scripting author: ritikchaddha severity: critical description: | The Pop...
CVE-2026-15288 SureForms – Drag and Drop Form Builder for WordPress <= 2.2.1 - Unauthenticated Stripe Payment Amount Manipulation
The SureForms – Drag and Drop Form Builder for WordPress plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 2.2.1. This is due to the plugin accepting the payment amount directly from user-controlled POST data in the 'createpaymentintent' and...
CVE-2026-5069
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...
CVE-2026-5069
Vulnerability summary (CVE-2026-5069) : The Fluent Forms plugin for WordPress up to version 6.2.1 is vulnerable to incorrect authorization via the subscription_id parameter in the payment cancellation AJAX flow. The root cause is insufficient ownership authorization checks, allowing authenticated...
EUVD-2026-42778
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...
CVE-2026-5069
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...
CVE-2026-5069 Fluent Forms <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation via 'subscription_id'
The Fluent Forms plugin for WordPress is vulnerable to incorrect authorization via the 'subscriptionid' parameter in versions up to, and including, 6.2.1. This is due to insufficient ownership authorization checks in the payment cancellation AJAX flow. This makes it possible for authenticated...
WordPress Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin <= 6.2.1 - Incorrect Authorization to Authenticated (Subscriber+) Arbitrary Subscription Cancellation vulnerability
Incorrect Authorization to Authenticated Subscriber+ Arbitrary Subscription Cancellation vulnerability discovered by Fernando Mecozzi in WordPress Plugin FluentForm versions = 6.2.1...
Improper Authorization
Overview github.com/nats-io/nats-server/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Improper Authorization via the subscription authorization process. An attacker can access...
Improper Authorization
Overview github.com/nats-io/nats-server/v2/server is an A simple, secure and performant communications system for digital systems, services and devices. Affected versions of this package are vulnerable to Improper Authorization via the subscription authorization process. An attacker can access...
CVE-2026-58213
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.1 and 2.12.9, an MQTT client could include protocol control characters in subscription filters that were later forwarded as NATS protocol data to route or leafnode connections, corrupti...
CVE-2026-58251
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny...
CVE-2026-58252
CVE-2026-58252 affects NATS Server prior to versions 2.14.0, 2.12.7, and 2.11.16. An authenticated user could receive messages on denied subjects when a wildcard subscription overlapped with a configured wildcard deny rule but was not a subset of it; queue subscriptions could also affect delivery...
CVE-2026-58251 NATS Server: Queue Subscribe Authz Bypass
NATS Server is a high-performance server for NATS.io, the cloud and edge native messaging system. Prior to 2.14.0, 2.12.7, and 2.11.16, an authenticated user with subscription deny permissions could bypass a plain subject deny rule by using a queue subscription, because queue-specific deny...
CVE-2026-56226 Capgo - Unauthenticated Organization Data Disclosure via get_orgs_v6 RPC
Capgo Cap-go/capgo before 12.128.2 exposes the Supabase PostgREST RPC function public.getorgsv6userid uuid, which is SECURITY DEFINER and granted to the anon role, allowing unauthenticated access. Because the function accepts a caller-supplied user UUID without verifying it matches the...
CVE-2026-5459
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...
EUVD-2026-42229
The User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.3.1 via the paymentpage function due to missing validation on the 'userid' user...