crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

WordPress Orpheus theme <= 1.3 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Bonds in WordPress Theme Orpheus versions = 1.3...

CVE-2026-8846

The Tuxquote plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'TUXQUOTE' shortcode in versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes 'title', 'align', and 'width' in the tuxquotebuildforma...

CVE-2026-8846

CVE-2026-8846 affects the WordPress Tuxquote plugin (versions ≤ 1.3). The vulnerability is a Stored Cross-Site Scripting (XSS) in the TUXQUOTE shortcode, caused by insufficient input sanitization and output escaping for attributes (title, align, width) in tuxquote_build_format(), which are concat...

PT-2026-43539

The WP Promoter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the reset stats function in versions up to, and including, 1.3. The function is hooked to both the wp ajax wpp-reset stats and wp ajax nopriv wpp-reset stats actions and...

PT-2026-43514

The jQuery googleslides plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'googleslides' shortcode in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping on user supplied attributes userid, albumid, authkey, imgmax,...

WordPress WP Promoter plugin <= 1.3 - Missing Authorization to Unauthenticated Statistics Reset vulnerability

Missing Authorization to Unauthenticated Statistics Reset vulnerability discovered by Muhammad Nur Ibnu Hubab - Pondok Teknologi in WordPress Plugin WP Promoter versions = 1.3...

WordPress Tuxquote plugin <= 1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting vulnerability discovered by MAJidox in WordPress Plugin Tuxquote versions = 1.3...

WordPress Food Drop theme <= 1.3 - Local File Inclusion vulnerability

Local File Inclusion vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Theme Food Drop versions = 1.3...

CVE-2026-44064

An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request...

EUVD-2026-31240

An out-of-bounds read in ASP session ID handling in Netatalk 1.3 through 4.4.2 allows an adjacent network attacker to obtain limited information or cause a denial of service via a crafted ASP request...

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

Astra Linux - уязвимость в json-smart

A vulnerability was discovered in the indexOf function of JSONParserByteArray in JSON Smart versions 1.3 and 2.4, which causes a denial of service DOS through a crafted web request...

WordPress AzonPost plugin <= 1.3 - Reflected Cross-Site Scripting vulnerability

Reflected Cross-Site Scripting vulnerability discovered by Julian Chibuike Nwadinobi Wackydawg - streamio in WordPress Plugin AzonPost versions = 1.3...

CVE-2026-7437

CVE-2026-7437: The AzonPost WordPress plugin is vulnerable to Reflected XSS via the editpos_hidden parameter in all versions up to 1.3 due to insufficient input sanitization and output escaping. Unauthenticated attackers can cause a victim administrator to execute scripts if they are tricked into...

PT-2026-39969

The AzonPost plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the editpos hidden parameter in all versions up to, and including, 1.3. This is due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrar...

crypto/tls: golang: Go crypto/tls: Denial of Service via multiple TLS 1.3 key update messages

A flaw was found in the crypto/tls package within the Go golang standard library, specifically affecting TLS 1.3 connections. A remote attacker can exploit this vulnerability by sending multiple key update messages in a single record after the handshake. This can cause the connection to deadlock,...

CVE-2026-1677

Zephyr sockets created with IPPROTOTLS13 can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS e.g. via mbedtlssslconfmintlsversion. The ClientHello advertises both versions and the peer can...

CVE-2026-41471

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress po...

CVE-2026-41471 Easy PayPal Events & Tickets < 1.4 Information Disclosure via QR Code Endpoint

The Easy PayPal Events & Tickets plugin for WordPress before version 1.4 contains an information disclosure vulnerability in the QR code scanning endpoint that allows unauthenticated attackers to enumerate and retrieve all customer order records. Attackers can iterate over sequential WordPress po...