90 matches found
CVE-2026-48207
Deserialization of untrusted data in Apache Fory PyFory. PyFory's ReduceSerializer could bypass documented DeserializationPolicy validation hooks during reduce-state restoration and global-name resolution. An application is vulnerable if it deserializes attacker-controlled data using PyFory...
PT-2026-42180
Name of the Vulnerable Software and Affected Versions phenixdigital phoenix storybook versions 0.2.0 through 1.0.x Description An unauthenticated denial-of-service can occur via BEAM atom table exhaustion. Multiple LiveView event handlers convert user-supplied event parameter strings to atoms usi...
CVE-2026-6237 Quick Table <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'style' Shortcode Attribute
The Quick Table plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'style' attribute of the 'qtbl' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
WordPress WP-Clippy plugin <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by zakaria in WordPress Plugin WP-Clippy versions <= 1.0.0...
WordPress CMS für Motorrad Werkstätten plugin <= 1.0.0 - Cross-Site Request Forgery vulnerability
Cross-Site Request Forgery vulnerability discovered by Régis SENET - ORHUS in WordPress Plugin CMS für Motorrad Werkstätten versions <= 1.0.0...
CVE-2026-5508 WowPress <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
The WowPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wowpress shortcode in all versions up to, and including, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated...
CVE-2026-2349 UI Icons - Critical - Cross-site Scripting - SA-CONTRIB-2026-010
Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") vulnerability in Drupal UI Icons allows Cross-Site Scripting (XSS). This issue affects UI Icons: from 0.0.0 before 1.0.1, from 1.1.0 before 1.1.1...
CVE-2026-28043
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Healer - Doctor, Clinic & Medical WordPress Theme (healer) allows PHP Local File Inclusion. This issue affects Healer - Doctor, Clinic & Medical WordPress Theme: from n/a...
CVE-2026-1795 Address Bar Ads <= 1.0.0 - Reflected Cross-Site Scripting
The Address Bar Ads plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the URL Path in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in...
WordPress CookieHint WP plugin <= 1.0.0 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin CookieHint WP versions <= 1.0.0...
WordPress Progress Bar Blocks for Gutenberg plugin <= 1.0.0 - Authenticated (Author+) Stored Cross-Site Scripting via SVG vulnerability
Authenticated Author+ Stored Cross-Site Scripting via SVG vulnerability discovered by Peerapat Samatathanyakorn in WordPress Plugin Progress Bar Blocks for Gutenberg versions <= 1.0.0...
EUVD-2024-35502
Malicious code in bioql PyPI...
EUVD-2025-26900
Malicious code in bioql PyPI...
EUVD-2025-30524
Malicious code in bioql PyPI...
CVE-2025-9944 Professional Contact Form <= 1.0.0 - Cross-Site Request Forgery to Test Email Sending
The Professional Contact Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing or incorrect nonce validation on the watchforcontactformsubmit function. This makes it possible for unauthenticated attackers to trigg...
dev.i10416:slackapis-core_2.13 (>=0.0.1 <=0.0.2), es.weso:rdfshape-server_2.13 (>=0.0.73 <=0.2.14) +16 more potentially affected by CVE-2025-59822 via org.http4s:http4s-ember-core_2.13 (>=1.0.0-M10 <=1.0.0-M44)
org.http4s:http4s-ember-core_2.13 MAVEN version =1.0.0-M10, =0.0.1, =0.0.73, =0.1.90, =0.1.90, =0.1.90, =0.1.91, =0.1.109, =0.1.91, =0.1.101, =0.0.82, =0.1.91, =0.1.0, =2.1.0, =2.1.0, =2.2.2 and more. Source CVEs: CVE-2025-59822. Source advisory: OSV:GHSA-WCWH-7GFW-5WRR...
CVE-2025-58661
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in eZee Technosys eZee Online Hotel Booking Engine (online-booking-engine) allows Stored XSS. This issue affects eZee Online Hotel Booking Engine: from n/a through = 1.0.0...
CVE-2025-58646 WordPress Mobi2Go Plugin <= 1.0.0 - Cross Site Scripting (XSS) Vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in chtombleson Mobi2Go (mobi2go) allows Stored XSS. This issue affects Mobi2Go: from n/a through <= 1.0.0...