Nokri – Job Board WordPress Theme <= 1.6.2 - Unauthenticated Arbitrary Password Change

The Nokri – Job Board WordPress Theme theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.6.2. This is due to the plugin not properly checking for an empty token value prior updating their details like password. This makes it...

WPMobile.App <= 11.56 - Open Redirect

The WPMobile.App plugin for WordPress is vulnerable to Open Redirect in all versions up to, and including, 11.56. This is due to insufficient validation on the redirect URL supplied via the 'redirect' parameter. This makes it possible for unauthenticated attackers to redirect users to potentially...

CVE-2026-9719 LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the changestatus function. This makes it possible for...

CVE-2026-9719

CVE-2026-9719 concerns the LatePoint WordPress plugin (versions up to 5.6.0). The issue is a Cross‑Site Request Forgery caused by missing/incorrect nonce validation in the change_status function, enabling unauthenticated actors to alter invoice statuses (e.g., mark unpaid as paid) via forged requ...

CVE-2026-1673

The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...

CVE-2026-40137

SAP TAFAPPLAUNCHER within Business Server Pages allows an unauthenticated attacker to craft malicious links that, when clicked by a victim, redirects them to attacker?controlled sites, potentially exposing or altering sensitive information in the victim�s browser. This results in a low impact on...

CVE-2026-43967

Inefficient Algorithmic Complexity vulnerability in absinthe-graphql absinthe allows unauthenticated denial of service via quadratic fragment-name uniqueness validation. 'Elixir.Absinthe.Phase.Document.Validation.UniqueFragmentNames':run/2 iterates over all fragments and for each one calls...

CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaign and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable...

CVE-2026-7888

CVE-2026-7888 affects Concrete CMS versions below 9.5.2. The vulnerability arises from PHP Object Injection via unserialize() calls in the Workflow, Form block, and File/Set components that do not enforce allowed_classes. An unauthenticated attacker could trigger arbitrary PHP object instantiatio...

CVE-2026-45685 OpenTelemetry eBPF Instrumentation: MongoDB parser panics on malformed wire messages

OpenTelemetry eBPF Instrumentation provides eBPF instrumentation based on the OpenTelemetry standard. From version 0.1.0 to before version 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing a remote unauthenticated attacker to crash the telemetr...

Ivanti EPM - Remote Code Execution

An unspecified SQL Injection vulnerability in Core server of Ivanti EPM 2022 SU5 and prior allows an unauthenticated attacker within the same network to execute arbitrary code. id: CVE-2024-29824 info: name: Ivanti EPM - Remote Code Execution author: DhiyaneshDK severity: critical description: | ...

CVE-2026-44328 free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarded...

CVE-2026-40817

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getAlarmProfiles function due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

EUVD-2026-32112

An unauthenticated remote attacker can exploit an unauthenticated SQL Injection vulnerability in the getLiveValues functions sn parameter due to improper neutralization of special elements in a SQL SELECT command. This can result in a total loss of confidentiality...

CVE-2018-25351 Joomla! Component EkRishta 2.10 SQL Injection via username

Joomla! Component EkRishta 2.10 contains an error-based SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the username parameter. Attackers can submit POST requests to the login endpoint with SQL injection payloads ...

EUVD-2026-31445

An improper certificate validation vulnerability in Ivanti Secure Access Client before 22.8R6 allows a remote unauthenticated attacker to execute arbitrary code...

CVE-2026-42626

HP ENVY 5000 series printers VERBASPP1N003.2237A.00 do not properly manage concurrent TCP connections to port 9100 JetDirect/RAW printing. An unauthenticated remote attacker on the same network can establish a persistent connection to port 9100 and send keep-alive packets, causing the printer's...

CVE-2026-6401

The Bottom Bar plugin for WordPress (versions

CVE-2026-8423

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in all versions up to and including 2.0.5 due to missing/incorrect nonce validation on the options page. This allows unauthenticated attackers to change the site’s active theme by modifying the ...

CVE-2026-8423

The JaviBola Custom Theme Test plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.5. This is due to missing or incorrect nonce validation on the options page. This makes it possible for unauthenticated attackers to change the site's active...