CVE-2026-42647

CVE-2026-42647 affects the WordPress plugin JoomSport

CVE-2026-49060

The CVE-2026-49060 entry concerns the WordPress plugin Hippoo Mobile App for WooCommerce. Affected: Hippoo Mobile App for WooCommerce plugin versions up to 1.9.4. Issue: Incorrect Privilege Assignment leading to Privilege Escalation. Impact: high risk across confidentiality, integrity, and availa...

CVE-2026-10795

CVE-2026-10795 concerns UpdraftPlus: WP Backup & Migration Plugin for WordPress, affected up to version 1.26.4. The root cause is insufficient validation of the remote communications message format in UpdraftPlus_Remote_Communications_V2::wp_loaded, allowing an unauthenticated attacker to bypass ...

CVE-2026-35273

CVE-2026-35273 is a remote, unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools Updates Environment Management (PSEMHUB) affecting PeopleTools 8.61 and 8.62. Vendor advisories describe the flaw as a high-severity, network-exposed vulnerability with CVSS v3.1 score 9.8. Exploitation ha...

CVE-2026-10520

Ivanti Sentry (formerly MobileIron Sentry) is affected by CVE-2026-10520, an OS Command Injection vulnerability that allows an unauthenticated remote attacker to execute arbitrary commands as root. The issue resides in the ConfigServiceController via the unauthenticated POST to /mics/api/v2/sentr...

CVE-2026-11645

CVE-2026-11645 is an out-of-bounds read/write in Google Chrome’s V8 engine (pre-149.0.7827.103). A remote attacker could trigger arbitrary code execution inside the browser sandbox via a crafted HTML page. The vulnerability was identified as high severity and is being actively exploited in the wi...

CVE-2026-50751

CVE-2026-50751 is a logic-flow weakness in certificate validation during the deprecated IKEv1 key exchange used by Check Point Remote Access VPN, Mobile Access, and Spark Firewall. The flaw allows an unauthenticated attacker to bypass user authentication and establish a VPN session without a vali...

CVE-2026-7473

CVE-2026-7473 affects Arista EOS devices where a tunnel decapsulation config (VXLAN, decap-groups, GRE) can cause the switch to decapsulate and forward unintended tunneled packets whose destination matches the decap IP. Root cause: lack of verification of the tunnel protocol type leading to proce...

CVE-2026-49777

CVE-2026-49777 affects the WordPress plugin Product Slider Pro for WooCommerce by ShapedPlugin, LLC. The issue is described as improper validation of a specified quantity in input, enabling potential malicious software implantation. Affected product/version: Product Slider Pro for WooCommerce pri...

CVE-2026-20245

Cisco Catalyst SD-WAN Manager (formerly SD-WAN vManage) is affected by CVE-2026-20245. The vulnerability arises from insufficient validation of user-supplied input in the CLI, enabling an authenticated, local attacker to upload a crafted file and perform command injection, potentially elevating p...

CVE-2026-28318

SolarWinds Serv-U is affected by an unauthenticated Denial of Service vulnerability triggered by specially crafted POST requests with Content-Encoding: deflate. The issue can crash the Serv-U service, with exploitation observed in reports and advisories. SolarWinds has released a hotfix and mitig...

CVE-2021-27137

CVE-2021-27137 is a UPnP buffer overflow in DD-WRT firmware that allows remote code execution when an oversized uuid is processed in M-SEARCH over UDP port 1900. The vulnerability affects DD-WRT builds (change set 45723 and earlier; Buffalo devices with DD-WRT are noted as vulnerable). Exploitati...

CVE-2026-5073

The ARMember Premium plugin for WordPress is vulnerable to SQL Injection via the order parameter of the arm_directory_paging_action AJAX action in all versions up to and including 7.3.1. Root cause: insufficient escaping on user-supplied order and orderby parameters and inadequate preparation of ...

CVE-2026-8206

The Kirki plugin for WordPress (Kirki – Freeform Page Builder, Website Builder & Customizer) versions 6.0.0–6.0.6 contain an unauthenticated privilege-escalation flaw in the password-reset flow. When a username is provided, the code ignores the target user’s email and uses the email supplied in t...

CVE-2025-48595

CVE-2025-48595 is an Android Framework vulnerability involving an integer overflow that could enable code execution and local privilege escalation without user interaction. The Android Security Bulletin (June 2026) lists this CVE under Framework in the 2026-06-01 patch level with an overall high/...

CVE-2026-7465

The CVE concerns the Spectra Gutenberg Blocks – Website Builder for the WordPress Block Editor plugin. It is vulnerable to Remote Code Execution in all versions up to and including 2.19.25. Exploitation requires authenticated access at Contributor level or higher and a crafted two-block payload i...

CVE-2025-11262

The CVE-2025-11262 entry concerns WordPress “Link Whisper Free” plugin vulnerable to stored XSS via the user_id parameter in all versions up to and including 0.9.0. Insufficient input sanitization and output escaping enables unauthenticated attackers to inject scripts in pages that execute for us...

CVE-2026-8732

Summary (concrete details): CVE-2026-8732 affects WP Maps Pro (WordPress plugin) up to and including version 6.1.0. The weakness arises from an unauthenticated privilege escalation via the wpgmp_temp_access_ajax AJAX action, which was publicly exposed and only nonce-protected. An unauthenticated ...

CVE-2026-48027

Summary: CVE-2026-48027 affects Nx Console, a UI for Nx & Lerna. A malicious copy of Nx Console version 18.95.0 was published briefly in Visual Studio Marketplace (and OpenVSX) around 12:30–12:48 UTC (≈18 minutes) and 12:33–13:09 UTC (≈36 minutes) respectively. The compromised package allowed cod...

CVE-2026-45247

Summary: CVE-2026-45247 affects Mirasvit Full Page Cache Warmer for Magento 2 (pre‑1.11.12). The vulnerability arises from an unsafe PHP deserialization: a crafted serialized object placed in the CacheWarmer cookie is passed to PHP’s unserialize() without class restrictions, enabling unauthentica...