Cockpit Web Console < 360 - Remote Code Execution
Cockpit's remote login feature passes user-supplied hostnames and usernames from the web interface to the SSH client without validation or sanitization. An attacker with network access to the Cockpit web service can craft a single HTTP request to the login endpoint that injects malicious SSH...
CVE-2025-15657
Unauthenticated Insecure Direct Object References IDOR in School Management <= 93.1.0 versions...
CVE-2026-54811
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
CVE-2026-42629
Unauthenticated Broken Authentication in PowerPack Pro for Elementor v2.13.0 versions...
CVE-2025-15642
Netskope was notified about a potential gap in its Netskope Client for Windows systems where a malicious insider with admin privileges can bypass the NSClient Tamper Protections due to weak Discretionary Access Control Lists (DACLs) on the service object and related registry keys. Produc...
EUVD-2026-37685
Unauthenticated PHP Object Injection in Alukas 3.0.0 versions...
CVE-2026-54185
CVE-2026-54185 – WordPress Cornerstone plugin (
CVE-2026-39582
CVE-2026-39582 affects the WordPress Hitek theme prior to version 1.8.3, with an unauthenticated Local File Inclusion vulnerability in the theme. The CVSSv3.1 score is 8.1 (HIGH), driven by network access, high attack complexity, no privileges required, and impacts to confidentiality, integrity, ...
CVE-2025-69165 WordPress Choreo theme <= 1.6 - Local File Inclusion vulnerability
Unauthenticated Local File Inclusion in Choreo <= 1.6 versions...
NPM: Astro: Host header SSRF in prerendered error page fetch
NPM: Astro: Host header SSRF in prerendered error page fetch vulnerability discovered by ? in WordPress Npm astro versions 6.4.6...
NPM: hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
NPM: hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest vulnerability discovered by ? in WordPress Npm hono versions 4.12.25...
CVE-2026-40793 WordPress Groundhogg plugin < 4.4.1 - Broken Access Control vulnerability
Subscriber Broken Access Control in Groundhogg < 4.4.1 versions...
CVE-2026-42012 affecting package gnutls for versions less than 3.8.13-1
CVE-2026-42012 affecting package gnutls for versions less than 3.8.13-1. An upgraded version of the package is available that resolves this issue...
CVE-2026-5223 affecting package rust for versions less than 1.75.0-30
CVE-2026-5223 affecting package rust for versions less than 1.75.0-30. A patched version of the package is available...
NPM: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization
NPM: Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization vulnerability discovered by ? in WordPress Npm fabric versions 7.4.0...
WordPress Schema & Structured Data for WP & AMP plugin < 1.60 - Unauthenticated Arbitrary Media Upload vulnerability
Unauthenticated Arbitrary Media Upload vulnerability discovered by 0xBassia in WordPress Plugin Schema & Structured Data for WP & AMP versions < 1.60...
CVE-2026-20251
In Splunk Enterprise versions below 10.2.4, 10.0.7, 9.4.12, and 9.3.13, Splunk Cloud Platform versions below 10.3.2512.12, 10.2.2510.14, 10.1.2507.22, and 9.3.2411.132, and Splunk Secure Gateway versions below 3.10.6, 3.9.20, and 3.8.67, a low-privileged user that does not hold the 'admin' or...
CVE-2026-20253 Unauthenticated Arbitrary File Creation and Truncation in a PostgreSQL Sidecar Service Endpoint in Splunk Enterprise
In Splunk Enterprise 10.2 versions below 10.2.4 and 10 versions below 10.0.7, an unauthenticated user could create or truncate arbitrary files through a PostgreSQL sidecar service endpoint. The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls,...
CVE-2026-10721 Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components
Concrete CMS below 9.5.2 is vulnerable to PHP Object Injection via unserialize() calls in the Permission, Cache, and Search components. An unauthenticated attacker may trigger arbitrary PHP object instantiation if a malicious serialized payload has been placed in the database. Thanks XananasX7...
CVE-2026-46598 affecting package docker-compose for versions less than 2.27.0-13
CVE-2026-46598 affecting package docker-compose for versions less than 2.27.0-13. A patched version of the package is available...