CVE-2026-11773 Masteriyo LMS <= 2.2.1 - Missing Authorization to Authenticated (Student+) Arbitrary Course Announcement Modification

The Masteriyo LMS – LMS Course Builder, Quizzes & Certificates plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.2.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...

CVE-2026-57431

Author Cross Site Scripting XSS in Featured Image = 2.1 versions...

CVE-2026-57914

By sending a deeply nested ASN1 structure to a Apache Kerby client or service, it's possible to trigger a StackOverFlow Exception which can lead to denial of service issues. Users are recommended to upgrade to version 2.1.2, which fixes this issue...

PT-2026-52073

Name of the Vulnerable Software and Affected Versions Ghost versions 5.46.1 through 6.21.1 Description Validation applied to filters on public API endpoints could be partially bypassed, allowing the disclosure of private fields through a brute force attack. The impact varies by database: when usi...

Astra Linux – Vulnerability in Qemu

The ethgetgsotype function in net/eth.c in QEMU 4.2.1 allows guest OS users to trigger an assertion failure. A guest can crash the QEMU process by sending packet data that lacks a valid Layer 3 protocol...

EUVD-2026-37592

Subscriber Broken Access Control in Bricks Builder = 2.1.4 versions...

CVE-2026-40723

Subscriber Broken Access Control in Bricks Builder = 2.1.4 versions...

CVE-2026-35265

Vulnerability in the Identity Manager product of Oracle Fusion Middleware component: Security. Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Identity Manager. Successfu...

CVE-2026-39574

Unauthenticated SQL Injection in InPost Gallery = 2.1.4.6 versions...

EUVD-2026-36993

Subscriber Sensitive Data Exposure in WP SMS = 7.2.1 versions...

CVE-2026-40792

Subscriber Insecure Direct Object References IDOR in KiviCare = 4.2.1 versions...

CVE-2026-39524

Unauthenticated Broken Access Control in Masteriyo - LMS = 2.1.5 versions...

CVE-2026-49061 WordPress WPC Product Options for WooCommerce plugin <= 3.2.1 - Arbitrary File Download vulnerability

Unauthenticated Arbitrary File Download in WPC Product Options for WooCommerce = 3.2.1 versions...

CVE-2026-50011

Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, RedisArrayAggregator pre-allocates ArrayList with initial capacity equal to the RESP array element count declared in an array header. That count is taken fro...

EUVD-2026-36432

Netty is a network application framework for development of protocol servers and clients. In netty-codec-haproxy prior to versions 4.1.135.Final and 4.2.15.Final, when decoding a PP2TYPESSL TLV, HAProxyMessage.readNextTLV first calls header.retainedSliceheader.readerIndex, length and only then...

CVE-2026-36340

An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function...

CVE-2026-41244

Mojic is a CLI tool to transform readable C code into an unrecognizable chaotic stream of emojis. Prior to 2.1.4, the CipherEngine uses a standard equality operator !== to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy CWE-208,...

CVE-2026-6828

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'permissionmessage' parameter in all versions up to, and including, 6.2.1 due to insufficient input sanitization and output escaping...

CVE-2026-40939

The Data Sharing Framework DSF implements a distributed process engine based on the BPMN 2.0 and FHIR R4 standards. Prior to 2.1.0, OIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired. This...

CVE-2026-43892

AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16...