366590 matches found
CVE-2026-42685
The CVE-2026-42685 entry concerns the WordPress plugin WP Job Portal (versions up to 2.5.1). The issue is a Reflected Cross-Site Scripting (XSS) vulnerability caused by improper neutralization of input during page generation. Affected product: WP Job Portal. Root cause: insufficient input handlin...
CVE-2026-42684
CVE-2026-42684 affects WordPress WP Job Portal plugin versions up to 2.5.1. It is an SQL Injection due to improper neutralization of special elements in SQL commands, described as a blind SQL injection. According to the sources, the issue impacts the plugin in a network-inspired attack with high ...
CVE-2026-42670
CVE-2026-42670 concerns the WordPress plugin for Five Star Restaurant Reservations (versions
CVE-2026-42669
CVE-2026-42669 affects WordPress EventPrime plugin up to version 4.3.2.0, with a Missing Authorization/Broken Access Control vulnerability stemming from incorrectly configured access control security levels. CVSS v3.1 base score 7.5 (HIGH), impact to integrity is high while confidentiality/availa...
CVE-2025-58705
The CVE pertains to the WordPress Crafti theme (
CVE-2025-58024
CVE-2025-58024 affects the WordPress pluginPressapps Accordion FAQ (= 2.2.1) or official patch guidance when available.
CVE-2025-53440
CVE-2025-53440 describes a Local File Inclusion in the WordPress Confidant theme (versions <= 1.4) due to improper control of the filename for include/require in PHP. Affected component: Confidant WordPress theme. Root cause: PHP Local File Inclusion vulnerability enabling access to local file...
CVE-2025-53346
CVE-2025-53346 : WordPress Thim Core plugin
CVE-2025-53345
CVE-2025-53345: A Missing Authorization flaw in ThimPress Thim Core (WordPress plugin) allows arbitrary code execution when a malicious vulnerable plugin is installed, affecting Thim Core up to version 2.3.3. CVSS v3.1 metrics indicate Network attack vector, Low attack complexity, Privileges Requ...
CVE-2025-53302
CVE-2025-53302 in WordPress Theme Constructor (<= 1.6.5) is a Missing Authorization / Broken Access Control issue. Publicly disclosed details indicate unauthenticated access to restricted functionality due to ACL constraints, affecting Constructor versions up to 1.6.5. CVSS v3.1 base score is ...
CVE-2025-53209
Masteriyo LMS PRO (WordPress)
CVE-2025-52766
Summary: CVE-2025-52766 affects the WordPress plugin “Printeers Print & Ship” (versions up to 1.17.0). The issue is a Missing Authorization / Broken Access Control vulnerability caused by incorrectly configured access control security levels. The CVSS 3.1 base metrics indicate a network exploit, ...
CVE-2025-52759
CVE-2025-52759 describes a Reflected XSS in the WordPress Accordion FAQ plugin (UnboundStudio) for versions <= 2.2.1, caused by improper neutralization of input during web page generation. According to the connected records, the affected component is the plugin’s input handling (Accordion FAQ)...
CVE-2026-46718
Apache Calcite is affected by CVE-2026-46718: Unsafe Reflection via a user-controlled model can load arbitrary classes, enabling code execution. Affected: 1.5.0 up to
CVE-2026-5422
Affected software: jupyter-server 2.17.0. Root cause: path traversal due to an incorrect boundary check in _get_os_path() (uses startswith(root) without trailing separator) and to_os_path() not stripping '..' from path parts. Impact: unauthorized read/write access to files in sibling directories,...
CVE-2026-41115
Summary: CVE-2026-41115 describes an improper authorization issue in Apache Kafka related to the CONSUMER_GROUP_DESCRIBE API. The vulnerability discussion notes a discrepancy between ACLs and documented permissions, but states that the correct permission for the API is DESCRIBE GROUP and that the...
CVE-2026-34907
CVE-2026-34907 describes a Reflected Cross‑Site Scripting (XSS) vulnerability in Wirtualna Uczelnia caused by insecure handling of the locale parameter across multiple endpoints. An attacker can craft a URL with JavaScript in the locale parameter; when a victim opens the link, the injected script...
CVE-2026-34906
CVE-2026-34906 describes a Server-Side Template Injection (SSTI) in Wirtualna Uczelnia that allows an unauthenticated attacker to achieve Remote Code Execution (RCE) via insufficient input validation in the redirectToUrl endpoint and redirectUrlParameter. The payloades injected through these para...
CVE-2026-5191
The CVE-2026-5191 entry concerns the WordPress plugin “Tiled Gallery Carousel Without JetPack.” The vulnerability is a stored cross-site scripting flaw in the data-image-title parameter, present in all versions up to and including 3.1, caused by insufficient input sanitization and output escaping...
CVE-2026-10549
CVE-2026-10549 describes an LDAP filter injection in Yandex Database leading to bypass of group membership checks and unauthorized access for an attacker with valid LDAP credentials. Affected product: Yandex Database before version 25.3.1.25. Root cause: LDAP filter injection in the authenticatio...
CVE-2026-9722
The CVE-2026-9722 entry concerns the WordPress plugin Laiser Tag, affected versions ≤ 1.2.5. The root cause is missing or incorrect nonce validation in the addOptionsPageFields function, enabling Cross-Site Request Forgery. This allows unauthenticated attackers to modify plugin settings (API key,...
CVE-2026-1451
Product/Component: WordPress plugin rognone (versions up to and including 0.6.2). Vulnerability: Reflected Cross-Site Scripting via the 'a' parameter caused by insufficient input sanitization and output escaping. Impact (as stated): unauthenticated attackers can inject arbitrary web scripts into ...
CVE-2026-9730
The Remove NoFollow Commenter URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to 1.0 due to missing/incorrect nonce validation on gmz_comment_settings_save, allowing unauthenticated attackers to modify the plugin’s comment-display setting via a forged reque...
CVE-2026-8422
CVE-2026-8422 concerns the WordPress plugin Remove meta boxes per user role (versions up to and including 1.01). The vulnerability stems from missing or incorrect nonce validation on the remove-meta-boxes-per-user-role page, enabling CSRF. This could allow unauthenticated attackers to modify or r...
CVE-2026-9599
The CVE-2026-9599 entry describes a CSRF vulnerability in the WordPress Tectite Forms plugin (versions up to and including 1.3) caused by missing or incorrect nonce validation in admin_init. This allows unauthenticated attackers to modify plugin settings (e.g., tectite_forms_button) through forge...
CVE-2026-3620
CVE-2026-3620 – Word Replacer (WordPress) is vulnerable to Stored Cross-Site Scripting via the replacement parameter in all versions up to 0.4. The root cause is insufficient input sanitization and output escaping, allowing authenticated attackers with Administrator-level access and above to inje...
CVE-2026-8885
The CVE-2026-8885 entry concerns the WordPress plugin DeMomentSomTres Shortcodes (versions
CVE-2026-4080
The CVE concerns the WordPress Easy Cart plugin (versions ≤ 1.8). The vulnerability is Stored Cross-Site Scripting via the add_to_cart shortcode attributes, due to insufficient input sanitization and output escaping in ectp_add_to_cart(). Specifically, sanitize_text_field() is applied to shortcod...
CVE-2026-2425
The WordPress plugin hiWeb Migration Simple (WordPress) is affected by a Reflected Cross-Site Scripting (XSS) vulnerability via the new_domain parameter in all versions up to 2.0.0.1. Root cause: insufficient input sanitization and output escaping. Impact: unauthenticated attackers can lure an ad...
CVE-2026-9723
CVE-2026-9723 affects the WordPress plugin Google Plus One Bottom (versions
CVE-2025-5085
CVE-2025-5085 affects the WP Nano AD WordPress plugin (versions up to 1.31). It enables Stored Cross-Site Scripting via the blogrole_link parameter due to insufficient input sanitization/escaping. Impact: authenticated attackers with administrator rights can inject scripts that run for users on i...
CVE-2026-1450
The rognone WordPress plugin is affected by a Reflected XSS via the 'mode' parameter in versions up to and including 0.6.2, caused by insufficient input sanitization and output escaping. Unauthenticated attackers can exploit this if a user is tricked into a action link. A fix is available in late...
CVE-2026-4071
The BirdSeed WordPress plugin is affected by a Cross-Site Request Forgery in all versions up to and including 2.2.0. The root cause is missing nonce validation in the birdseed_plugin_settings_page() function, which processes the birdseed_token GET parameter and saves it via update_option() withou...
CVE-2026-2382
The FPW Category Thumbnails plugin for WordPress is affected by a Stored Cross-Site Scripting (Stored XSS) issue in all versions up to and including 1.9.5. The vulnerability arises from insufficient input sanitization and output escaping in the id parameter of the fpw_fs_get_file AJAX action, all...
CVE-2026-9234
The CVE-2026-9234 entry identifies a vulnerability in the WordPress plugin JTL-Connector for WooCommerce (versions up to and including 2.4.1). The issue is Missing Authorization on three actions: admin_post_settings_save_woo-jtl-connector, and the AJAX actions wp_ajax_downloadJTLLogs and wp_ajax_...
CVE-2026-4081
The CVE concerns the ZeM STL plugin for WordPress, affected in all versions up to 1.0. The vulnerability is a Stored Cross-Site Scripting (XSS) via the [zemstl] shortcode caused by insufficient input sanitization and output escaping of user-supplied shortcode attributes, specifically 'url' , 'col...
CVE-2026-3514
The CVE-2026-3514 entry describes an authentication bypass in prefecthq/prefect v3.6.19 caused by the authentication middleware exempting URL paths ending with “health” or “ready” from authentication checks. This bypass enables unauthorized access to resources via name-based endpoints for variabl...
CVE-2026-1784
CVE-2026-1784 affects the Route OpenShift resource (OpenShift route definitions using HAProxy) where checks on the spec.path YAML stanza are insufficient, allowing controlled injection of the HAProxy configuration. The CVE description and linked records indicate this can lead to remote code execu...
CVE-2026-8293
CVE-2026-8293 affects the WordPress plugin Really Simple Security (before 9.5.10.1). The issue: two-factor authentication REST endpoints do not enforce the second-factor challenge, allowing an attacker who knows a user’s password to obtain a WordPress authentication session without completing the...
CVE-2026-8206
The CVE-2026-8206 entry documents an unauthenticated privilege-escalation vulnerability in the Kirki – Freeform Page Builder for WordPress, affecting versions 6.0.0–6.0.6. The root cause is in the password-reset flow: the vulnerable CompLibFormHandler.php reads an attacker-supplied email from the...
CVE-2026-3198
MLflow 3.9.0 with basic-auth fails authorization for multiple Gateway API 'list' endpoints. The BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/init .py lacks entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions, allowing any authenticated user to enu...
CVE-2026-10583
A vulnerability in nextlevelbuilder GoClaw up to 3.11.3 affects the Import function in internal/http/tts_config.go (TTS Configuration Endpoint). The issue enables server-side request forgery (SSRF) and can be triggered remotely. Exploit details have been publicly disclosed, and the project charac...
CVE-2026-10581
CVE-2026-10581 affects DedeCMS 5.7.88. The vulnerability lies in the function base64_decode in /plus/download.php?open=1, where manipulation of the Link argument triggers a server-side request forgery (SSRF). Remote exploitation is possible, and the exploit has been published. The available docum...
CVE-2026-10568
CVE-2026-10568 affects itsourcecode Fees Management System 1.0. The vulnerability is an SQL injection in an unknown function of /manage_payment.php triggered by tampering with the ID parameter. Attackable remotely with network access; the exploit is public. Documentation provides CVSS-derived met...
CVE-2026-3871
CVE-2026-3871 describes a buffer overflow in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware up to 5.13(ABRL.5.4)C0. An adjacent attacker could trigger a temporary DoS affecting UPnP functionality. The exposed impact is the availability of the UPnP service (CVSSv3.1: AV = Adja...
CVE-2026-10567
The CVE concerns 1Panel-dev CordysCRM up to version 1.4.1. The vulnerability is in ModuleFormController/ModuleFormService.java (Save function); manipulating the Description argument leads to cross-site scripting (XSS). Exploitation is possible remotely and the exploit has been disclosed publicly....
CVE-2026-10510
CVE-2026-10510 describes a Cross-Site Scripting (XSS) vulnerability in the GeniexWebView component of the Transsion AI Assistant Lifestyle app (package: com.transsion.aiassistantlifestyle) on Android. All versions appear affected. The underlying issue allows a remote attacker to execute arbitrary...
CVE-2026-3870
Zyxel VMG4005-B50B firmware versions up to 5.13(ABRL.5.4)C0 contain a buffer overflow in the UPnP AddPortMapping() command. This vulnerability could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the device. The available documen...
CVE-2026-10566
FoundationAgents MetaGPT (up to 0.8.2) contains a deserialization vulnerability in metagpt/schema.py: Message.check_instruct_content. By manipulating the argument mapping, an attacker can trigger deserialization with local access. An exploit has been publicly released; the project was informed vi...
CVE-2026-10565
CVE-2026-10565 affects Open5GS up to 2.7.6, in NGAP Handover’s function gmm_state_security_mode (src/amf/gmm-sm.c). The issue is a race condition caused by manipulation, exploitable remotely with high attack complexity and low likelihood of full compromise; impact includes partial availability. T...