Nuclei
added 13 hours ago, 17 views

WordPress Burst Statistics 3.4.0-3.4.1.1 - Authentication Bypass

Burst Statistics – Privacy-Friendly WordPress Analytics plugin 3.4.0 to 3.4.1.1 contains an authentication bypass caused by incorrect return-value handling in the is_mainwp_authenticated function, letting unauthenticated attackers impersonate administrators; exploit requires knowledge of an administrat...

CVSS 9.8 | AI score 5.8 | EPSS 0.03076
Exploits: 9 | References: 2
OSV
added 4 days ago, 4 views

UBUNTU-CVE-2026-55203

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgiconn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record...

CVSS 9 | AI score 6.1
Exploits: 0 | References: 3
Debian CVE
added 5 days ago, 6 views

CVE-2026-55203

HAProxy through 3.4.0, fixed in commit 5985276, contains an integer overflow vulnerability in the fcgiconn structure's drl field that allows buffer misparse as new FCGI record headers. When contentLength is 65535 and paddingLength is 1 or more, the drl field wraps to 0, causing incorrect record...

CVSS 9 | AI score 5.6
Exploits: 0
IBM Security Bulletins
added 2026/06/01 12:17 p.m., 23 views

Security Bulletin: There is a vulnerability in dompurify-3.2.6.tgz used by IBM Maximo Manage application in IBM Maximo Application Suite (CVE-2026-41238)

Summary: There is a vulnerability in dompurify-3.2.6.tgz used by the IBM Maximo Manage application in IBM Maximo Application Suite. Vulnerability Details: CVEID: CVE-2026-41238. DESCRIPTION: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are...

CVSS 6.9 | AI score 5.8 | EPSS 0.00263
Exploits: 1 | Affected Software: 1
AstraLinux
added 2026/05/20 5:53 a.m., 5 views

Astra Linux - vulnerability in wireshark

An infinite loop in the RTMPT dissector in Wireshark 3.6.0 and 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...

CVSS 7.5 | AI score 7.1 | EPSS 0.03879
Exploits: 1 | References: 1
AstraLinux
added 2026/05/20 5:53 a.m., 13 views

Astra Linux - vulnerability in wireshark

A crash in the Sysdig Event dissector in Wireshark versions 3.6.0, 3.4.0 to 3.4.10 allows for denial of service through packet injection or crafted capture files...

CVSS 7.5 | AI score 7.1 | EPSS 0.03774
Exploits: 1 | References: 1
NVD
added 2026/05/14 6:16 a.m., 13 views

CVE-2026-8181

The Burst Statistics – Privacy-Friendly WordPress Analytics Google Analytics Alternative plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the is_mainwp_authenticated function when validating application...

CVSS 9.8 | EPSS 0.03076
Exploits: 9 | References: 10
ATTACKERKB
added 2026/05/14 5:30 a.m., 7 views

CVE-2026-8181

The Burst Statistics – Privacy-Friendly WordPress Analytics Google Analytics Alternative plugin for WordPress is vulnerable to Authentication Bypass in versions 3.4.0 to 3.4.1.1. This is due to incorrect return-value handling in the is_mainwp_authenticated function when validating application...

CVSS 9.8 | AI score 5.8 | EPSS 0.03076
Exploits: 9 | References: 11 | Affected Software: 1
CVE
added 2026/05/14 5:30 a.m., 31 views

CVE-2026-8181

CVE-2026-8181 affects Burst Statistics – Privacy-Friendly WordPress Analytics (v3.4.0–3.4.1.1). Root cause: is_mainwp_authenticated() passes authentication when wp_authenticate_application_password() returns null outside the REST API, because the code only checks for WP_Error. This allows an unau...

CVSS 9.8 | AI score 5.8 | EPSS 0.03076
Exploited in the wild | Exploits: 9 | References: 10
CVE
added 2026/05/07 7:54 a.m., 19 views

CVE-2025-62127

The CVE-2025-62127 entry describes a DOM-based Cross-Site Scripting (XSS) vulnerability in WordPress plugin WEN Logo Slider (WEN Themes) affecting versions up to 3.4.0. The underlying issue is improper input neutralization during web page generation, enabling XSS within the plugin’s rendering pip...

CVSS 5.9 | AI score 5.8 | EPSS 0.00136
Exploits: 0 | References: 1
Github Security Blog
added 2026/04/29 12:30 a.m., 10 views

xxl-job has a Resource Injection issue

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improp...

CVSS 6.3 | AI score 5.1 | EPSS 0.00418
Exploits: 0 | References: 9 | Affected Software: 1
CVE
added 2026/04/28 7:00 p.m., 15 views

CVE-2026-7303

The CVE-2026-7303 affects Xuxueli XXL-Job up to version 3.3.2, specifically the logDetailCat function in JobLogController.java (Execution Log Handler). Manipulating the logId argument can cause improper control of resource identifiers and may be exploitable remotely. Exploitability is described a...

CVSS 6.3 | AI score 4.5 | EPSS 0.00418
Exploits: 0 | References: 7
Cvelist
added 2026/04/28 7:00 p.m., 29 views

CVE-2026-7303 Xuxueli xxl-job Execution Log JobLogController.java logDetailCat resource injection

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improp...

CVSS 6.3 | EPSS 0.00418
Exploits: 0 | References: 7
IBM Security Bulletins
added 2026/04/28 6:50 p.m., 2 views

Security Bulletin: DevOps Test Performance contains a vulnerability related to use of DOMPurify

Summary: Due to use of DOMPurify, DevOps Test Performance and Rational Performance Tester contain a potential Cross-Site Scripting (XSS) vulnerability. Vulnerability Details: CVEID: CVE-2026-41238. DESCRIPTION: DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions...

CVSS 6.9 | AI score 5 | EPSS 0.00263
Exploits: 1 | Affected Software: 1
Vulnrichment
added 2026/04/28 3:00 a.m., 3 views

CVE-2026-7219 Totolink N300RT formIpQoS buffer overflow

A flaw has been found in Totolink N300RT 3.4.0-B20250430. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entryname can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used...

CVSS 8.6 | AI score 7.5 | EPSS 0.00589
Exploits: 0 | References: 5
Positive Technologies
added 2026/04/28 12:00 a.m., 2 views

PT-2026-35651

A flaw has been found in Totolink N300RT 3.4.0-B20250430. This affects an unknown function of the file /boafrm/formIpQoS. Executing a manipulation of the argument entry name can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used...

CVSS 8.6 | AI score 7.6 | EPSS 0.00589
Exploits: 0 | References: 6
NVD
added 2026/04/23 4:16 p.m., 10 views

CVE-2026-41240

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not...

CVSS 6.1 | EPSS 0.00263
Exploits: 1 | References: 3
Vulnrichment
added 2026/04/23 2:54 p.m., 3 views

CVE-2026-41240 DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions prior to 3.4.0 have an inconsistency between FORBID_TAGS and FORBID_ATTR handling when function-based ADD_TAGS is used. Commit c361baa added an early exit for FORBID_ATTR at line 1214. The same fix was not...

CVSS 6 | AI score 5.6 | EPSS 0.00263
Exploits: 1 | References: 3
Cvelist
added 2026/04/23 2:43 p.m., 36 views

CVE-2026-41238 DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype...

CVSS 6.9 | EPSS 0.00205
Exploits: 0 | References: 2
ATTACKERKB
added 2026/04/23 2:43 p.m., 4 views

CVE-2026-41238

DOMPurify is a DOM-only cross-site scripting sanitizer for HTML, MathML, and SVG. Versions 3.0.1 through 3.3.3 are vulnerable to a prototype pollution-based XSS bypass. When an application uses DOMPurify.sanitize with the default configuration (no CUSTOM_ELEMENT_HANDLING option), a prior prototype...

CVSS 6.9 | AI score 5.7 | EPSS 0.00205
Exploits: 0 | References: 3 | Affected Software: 1