WordPress Imba theme <= 1.5.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Imba versions <= 1.5.0...
WordPress Rosaleen theme <= 2.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Rosaleen versions <= 2.8...
WordPress Spin theme <= 1.8 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Spin versions <= 1.8...
WordPress Confidant theme <= 1.4 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Confidant versions <= 1.4...
WordPress Crafti theme <= 1.12 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Crafti versions <= 1.12...
WordPress Fermentio theme <= 1.5.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Fermentio versions <= 1.5.0...
WordPress Geya theme <= 1.15 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Geya versions <= 1.15...
PT-2026-43403
Lumiverse is a full-featured AI chat application. Prior to 0.9.7, the component override system transpiles user-supplied TSX via Sucrase and evaluates it with new Function, shadowing dangerous globals (fetch, window, eval, etc.) with undefined. A static source validator...
WordPress NanoCare theme < 1.2.2 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by Phat RiO in WordPress Theme NanoCare versions < 1.2.2...
CVE-2026-24586 WordPress Newses theme <= 2.0.0.77 - Broken Access Control vulnerability
Missing Authorization vulnerability in Themeansar Newses allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Newses: from n/a through 2.0.0.77...
CVE-2026-24586
The CVE-2026-24586 entry concerns the WordPress Newses theme (versions affected up to 2.0.0.77). Affected component: Themeansar Newses theme; vulnerability type: Broken Access Control due to missing authorization. Impact is described as allowing improper access because access control security lev...
CVE-2026-8353
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...
CVE-2026-8353 Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in atomik theme
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...
EUVD-2026-31443
Concrete CMS version 9.0 to 9.5.0 is vulnerable to Stored XSS via page name in the Atomik theme. A rogue editor can inject arbitrary JavaScript that executes in the context of any authenticated user visiting the affected account pages. This can lead to session hijacking, credential theft, malicio...
CVE-2026-8353
Concrete CMS versions 9.0–9.5.0 are vulnerable to a Stored XSS in the Atomik theme triggered by a crafted page name. An attacker with editor privileges can inject JavaScript that runs in the context of any authenticated user visiting affected account pages, enabling session hijacking, credential ...
CVE-2026-2518
The FastX theme for WordPress is vulnerable to unauthorized limited plugin installation and activation due to missing capability checks on the 'ultpinstallcallback' and 'ultpactivatecallback' functions in all versions up to, and including, 1.0.2. This makes it possible for authenticated attackers...