EUVD-2026-38937
In the Linux kernel, the following vulnerability has been resolved: net, bpf: fix null-ptr-deref in xdp_master_redirect for down master. syzkaller reported a kernel panic in bond_rr_gen_slave_id reached via xdp_master_redirect. Full decoded trace: https://syzkaller.appspot.com/bug?extid=80e046b8da2820b6ba...
WordPress EntreDroppers plugin <= 1.1.2 - Reflected Cross-Site Scripting vulnerability
Reflected Cross-Site Scripting vulnerability discovered by Abdulsamad Yusuf 0xVenus - Envorasec in WordPress Plugin EntreDroppers versions <= 1.1.2...
Cost Calculator Builder <= 3.2.15 - SQL Injection
The Cost Calculator Builder plugin for WordPress is vulnerable to SQL Injection via discount codes in versions up to, and including, 3.2.15 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for...
TileServer API - Cross Site Scripting
tileserver-gl up to v4.4.10 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /data/v3/?key. id: CVE-2024-35627 info: name: TileServer API - Cross Site Scripting author: DhiyaneshDK severity: medium description: | tileserver-gl up to v4.4.10 was discovered to...
WordPress Database for Contact Form 7, WPforms, Elementor forms plugin <= 1.5.1 - Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability
Unauthenticated Arbitrary File Deletion via CF7 File Field POST Value vulnerability discovered by daroo in WordPress Plugin Contact Form Entries versions <= 1.5.1...
EUVD-2026-38198
A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be...
Astra Linux – Vulnerability in unbound
Before version 1.9.5, Unbound allowed an integer overflow in the regional allocator through the ALIGN_UP macro. NOTE: The vendor denies that this is a vulnerability. Although the code may be vulnerable, an ongoing Unbound installation cannot be remotely or locally exploited...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: sched/scs: The task stack state is reset in bringup_cpu. When a CPU is hot-plugged, the idle task on that CPU calls several layers of C code before finally leaving the kernel. When KASAN is in use, a “poisoned” shadow is left behi...
Astra Linux – Vulnerability found in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: net: hinic: Avoid kernel hangs in hinic_get_stats64. When using the hinic device as a bonding slave device and reading statistics from the master bonding device, the kernel may hang. The kernel panic call trace is as follows: Kernel...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, Linux, Linux 5.15
In the Linux kernel, the following vulnerabilities have been resolved: blk-rq-qos: fixed a crash that occurred during the race between rq_qos_wait and rq_qos_wake_function. We are encountering crashes due to rq_qos_wake_function, which manifest as follows: BUG: Unable to handle a page fault for address:...
Astra Linux – Vulnerabilities in Linux 5.10, Linux 5.15
In the Linux kernel, the following vulnerability has been resolved: Input: iforce – waits to complete the command after clearing the IFORCE_XMIT_RUNNING flag. syzbot reports a hung task at input_unregister_device, with iforce_close waiting in wait_event_interruptible, while dev->mutex is held. This...
Astra Linux – Vulnerability in Linux 5.10
In the Linux kernel, the following vulnerability has been resolved: fscache: Use wait_on_bit to wait for the relinquished volume to be freed. The freeing of the relinquished volume will wake up the pending volume acquisition by using wake_up_bit. However, this approach conflicts with wait_var_event,...
Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1
In the Linux kernel, the following vulnerability has been resolved: misc: lis3lv02d_i2c: Fixed the issue where regulators were disabled twice during suspension/resumption. When lis3lv02d_i2c_suspend is not configured for wakeup, it will call lis3lv02d_poweroff, even if the device has already been...
WordPress MapPress Maps for WordPress plugin <= 2.97.3 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by l3m3s in WordPress Plugin MapPress Maps for WordPress versions <= 2.97.3...
CVE-2026-1856 Appointment Booking Calendar <= 1.4.4 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Booking Field Label
The Appointment Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom booking field labels in all versions up to, and including, 1.4.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with...
WordPress Media Library Assistant plugin <= 3.35 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin Media Library Assistant versions <= 3.35...
CVE-2026-56007
CVE-2026-56007 affects WordPress Ocean Product Sharing plugin versions up to and including 2.2.2. The issue is a Stored Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during web page generation in OceanWP Ocean Product Sharing. The vulnerability impact is limi...
EUVD-2025-210261
Unauthenticated Local File Inclusion in Preservation = 1.10 versions...
EUVD-2025-210256
Unauthenticated Local File Inclusion in Snow Club = 1.1 versions...
EUVD-2025-210262
Unauthenticated Local File Inclusion in Gamic = 1.15 versions...