CVE-2026-7621
The SMTP2GO for WordPress – Email Made Easy plugin (WordPress) is vulnerable in all versions up to 1.16.0 due to improper authorization checks. Authenticated users with subscriber-level access or higher can truncate SMTP log records or export sensitive log data (recipient/sender addresses, subjec...
CVE-2026-6455
The CVE describes a CSRF-to-arbitrary-file-deletion vulnerability in WordPress WP Contact Form 7 DB Handler plugin
CVE-2026-7552
The CVE describes a vulnerability in the WordPress Geo Mashup plugin (versions
CVE-2026-6427
The WordPress plugin a3 Lazy Load (versions ≤ 2.7.6) is vulnerable to Stored XSS via crafted markup. A regex bug in _filter_videos() misquotes HTML attributes and, with unescaped output in admin/views/form-data.php, allows an authenticated Contributor to inject a script that executes in any view...
CVE-2026-7651
CVE-2026-7651 describes an insecure direct object reference in the WordPress plugin “User Registration & Membership” (Free & Paid Memberships, Subscriptions, Content Restriction, User Profile, Custom User Registration & Login Builder) up to version 5.1.5. The bug arises from missing ownership val...
CVE-2026-9227
The connected CVE entries confirm a vulnerability in GutenBee ≤ 2.20.1 (WordPress plugin): an Arbitrary File Upload via the function gutenbee_file_and_ext_json. The root cause is a flawed strpos() check that only tests for the presence of ".json" in the filename, not that it ends with a .json ext...
CVE-2026-9618
The CVE-2026-9618 entry concerns the PeachPay for WooCommerce plugin (WordPress) with versions up to and including 1.120.46. Affected component: peachpay_stripe_handle_admin_actions function, where missing/incorrect nonce validation enables Cross-Site Request Forgery. Impact: unauthenticated atta...
CVE-2026-7634
Technical details are not publicly available in the provided documents. Monitor for updates.
CVE-2026-9806
CTI Transmute is affected by a stored XSS in the notification panel prior to the patched release. The issue occurs when notification messages include user-controlled convert names that are rendered via innerHTML without sanitization, allowing arbitrary JavaScript execution in the authenticated us...
CVE-2026-7862
The CVE-2026-7862 entry concerns the Eupago Gateway For Woocommerce WordPress plugin (pre-4.7.2). The vulnerability allows unauthenticated attackers to initiate refunds against any WooCommerce order via the merchant’s payment gateway credentials, and for applicable payment methods, redirect refun...
CVE-2026-44604
CVE-2026-44604 affects the RPM rpmuncompress utility. The vulnerability arises when extracting ZIP, 7z, or GEM archives to a destination directory: the archive’s top-level folder name is inserted into a shell command without proper sanitization, allowing a crafted archive with shell metacharacter...
CVE-2026-7533
The CVE concerns the Easy Digital Downloads WordPress plugin (versions up to and including 3.6.7). The root cause is missing nonce verification in handle_oauth_redirect(), which runs on admin_init and processes Square OAuth tokens from a user-supplied GET parameter without CSRF token validation. ...
CVE-2026-9009
CVE-2026-9009 affects the Crawlomatic Multipage Scraper Post Generator plugin for WordPress (versions up to 2.7.2). The root cause is insecure handling of the attacker-supplied shortcode attributes callback_raw and callback, which are passed directly into call_user_func() after only an is_callabl...
CVE-2026-9644
The CVE pertains to the LiveSmart Video Chat WordPress plugin, affecting versions up to 1.2. The root cause is insufficient input sanitization and output escaping for attributes used by the livesmart_widget shortcode. This enables Stored Cross-Site Scripting where an attacker with contributor-lev...
CVE-2026-3173
The Meta Field Block plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 1.5.1. Authenticated attackers with Contributor-level access or higher can read arbitrary user meta, post meta, and term meta from any object, potentially exposing PII (...
CVE-2026-9673
CVE-2026-9673 affects json-2-csv versions 3.15.0 and earlier up to 5.5.11, vulnerable to CSV Injection via the preventCsvInjection option, which can be bypassed. An attacker can inject formulas into CSV files that execute when opened in spreadsheet apps. The SNYK entry describes a PoC and recomme...
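The json-2-csv entry says the library's preventCsvInjection option can be bypassed but gives no detail, so the specific bypass is not reproduced here. The added example below (not json-2-csv code; written in Python with constructed rows) shows the general defence a CSV writer needs: neutralise any string cell whose first character a spreadsheet would treat as the start of a formula, and leave non-string values alone so numbers are not mangled:

```python
"""Added example, not json-2-csv code: neutralising formula-leading cells
before they are written to CSV."""
import csv
import io

# Characters that common spreadsheet applications treat as the start of a
# formula or field directive when they begin a cell. Tab and carriage return
# are included because some importers honour them as cell-level prefixes.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Prefix a dangerous string cell with a single quote, which spreadsheets
    read as 'treat the rest as text'. Non-string values pass through unchanged."""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def to_csv(rows) -> str:
    """Serialise a list of dicts to CSV, neutralising every cell on the way
    out. The csv module handles quoting of commas, quotes and newlines."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()),
                            lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed rows; the payload is the classic DDE-style formula shape.
    rows = [
        {"user": "alice", "note": "ok", "balance": -5},
        {"user": "=cmd|' /C calc'!A0", "note": "+1", "balance": 10},
    ]
    print(to_csv(rows))
```

The check is applied to the raw value rather than to a stripped copy on purpose: a leading-quote prefix on `"\t=1+1"` still yields a text cell, whereas stripping first would let the tab survive unprefixed. The usage note that matters for a library author is the one the entry hints at: an option that sanitises only some code paths, or only some trigger characters, is a bypass waiting to be found, so the neutraliser has to sit at the single point where every cell is serialised.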
CVE-2026-9802
Keycloak contains a vulnerability where, with revokeRefreshToken=true and persistent session storage, a server restart can reset internal timing mechanisms, enabling a remote attacker who has captured a user’s refresh token to replay it after revocation. This can grant unauthorized access to the ...
CVE-2026-9803
CVE-2026-9803 describes a denial-of-service flaw in Keycloak’s ClientRegistrationAuth component. A remote, unauthenticated attacker can trigger an ArrayIndexOutOfBoundsException by sending a specially crafted POST request with a malformed Authorization: Bearer header to any client registration en...
CVE-2026-9801
CVE-2026-9801 affects Keycloak. A remote attacker with high privileges (e.g., a realm administrator configuring a malicious LDAP server or compromising an upstream LDAP server) can trigger an OutOfMemoryError by sending a malformed LDAP password policy response during authentication, causing the ...
CVE-2026-9798
Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...
CVE-2026-9796
This CVE (CVE-2026-9796) affects Keycloak. An authenticated administrator with the manage-clients role can trigger a TOCTOU flaw in the name-based admin role checks, allowing escalation to realm-admin for all users in the realm. The compromised composite role relationship persists after the attac...
CVE-2026-32999
CVE-2026-32999 affects Comet Backup server; the issue is insufficient character filtering in the backup agent signing module. This vulnerability allows an authenticated tenant administrator to execute arbitrary code on behalf of a privileged user on the affected server and connected devices. The ...
CVE-2026-32998
Veeam Service Provider Console (VSPC) contains a critical remote code execution vulnerability (CVE-2026-32998) that affects versions prior to the fix. The CVE is addressed starting with VSPC 9.2.1.33875, per Veeam KB4853 and KB4788, which state the vulnerability was fixed and list the affected bu...
CVE-2026-32997
CVE-2026-32997 affects the Linux-based Veeam Software Appliance used by Veeam Backup & Replication. An authenticated user with the Backup Administrator role can write arbitrary files on the affected server. The issue is documented as high severity (CVSS 4.0 base 8.6) with network attack vector bu...
CVE-2026-32995
The CVE-2026-32995 entry affects Rocket.Chat: the DDP method autoTranslate.translateMessage in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12. The underlying issue is that the method accepts a client-supplied IMessage object and passes it directly to translateMess...
CVE-2026-32996
CVE-2026-32996 affects Veeam Agent for Microsoft Windows, enabling Local Privilege Escalation. The vulnerability is addressed in Veeam Agent for Windows releases, with fix noted in Security Fixes and Improvements: 13.0.3.1220. Public details in KB3108 indicate CVSS v3.1 score 7.3 (AV:L, AC:L, PR:...
CVE-2026-9795
The CVE-2026-9795 entries describe a flaw in Keycloak's Fine-Grained Admin Permissions (FGAPv2). An administrator with limited client-management perms can assign any realm role to a client's scope mapping, bypassing controls, causing the injected role to appear in a user’s authentication token an...
CVE-2026-9794
Keycloak contains an information-disclosure flaw (CVE-2026-9794) where a remote, unauthenticated attacker can send crafted SOAP requests to the SAML ECP endpoint and observe differing faultstrings to infer the client protocol type. This is the scoped impact reported across NVD/Red Hat CVE entries...
CVE-2026-9792
CVE-2026-9792, Keycloak Client Policies bypass of ROPC block: A flaw in Keycloak’s Client Policies (org.keycloak.protocol.oidc) allows an unauthenticated attacker to obtain tokens via ROPC grants even when a policy blocks them. The issue occurs when certain condition providers (client-type, cli...
CVE-2026-9793
Keycloak vulnerability CVE-2026-9793: when a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This can lead to unauthorized claims and data integrity c...
CVE-2026-7802
The CVE-2026-7802 entry concerns the Frontend Admin by DynamiApps WordPress plugin. Affected versions up to 3.29.2 are vulnerable to an authorization bypass that lets authenticated users with subscriber-level access and higher overwrite administrator profile fields (e.g., user_pass, user_email, n...
CVE-2026-9228
The Timetable and Event Schedule by MotoPress plugin for WordPress (MP Timetable) is affected by an Insecure Direct Object Reference vulnerability (CVE-2026-9228) in all versions up to 2.4.16. The root cause is missing validation on a user-controlled key in the action_get_event_data endpoint, ena...
CVE-2026-2374
The CVE-2026-2374 entry applies to the Login No Captcha reCAPTCHA WordPress plugin (v <= 1.8.0). The vulnerability is a Stored Cross-Site Scripting (XSS) that occurs because authenticate() stores the unsanitized basename($_SERVER['PHP_SELF']) output in the login_nocaptcha_error WordPress optio...
CVE-2026-9241
The FOX – Currency Switcher Professional for WooCommerce WordPress plugin (up to version 1.4.6) is affected by an Authorization Bypass through a user-controlled key. The flaw resides in get_value() in classes/fixed/fixed_user_role.php, which trusts the attacker-controlled $_REQUEST['wooc_order_us...
CVE-2026-5737
CVE-2026-5737 concerns the Independent Analytics plugin for WordPress, vulnerable through an unauthenticated SSRF in versions up to 2.14.9. A public tracking route at /wp-json/iawp/search accepts attacker-controlled referrer_url values when signatures match, compounded by a scheduled favicon fetc...
CVE-2026-9791
CVE-2026-9791 describes a flaw in Keycloak where an authenticated user with existing organization membership can access user-facing APIs (e.g., the account API) or request an OpenID Connect token with the organization scope. This can lead to leakage of organization metadata in tokens even after a...
CVE-2026-9789
The CVE-2026-9789 entry describes a Local Privilege Escalation affecting Acer NitroSense software prior to 3.01.3052. The root cause is a PSAdminAgent service that creates a Named Pipe with a weak ACL, allowing any authenticated local user to connect and issue commands. The service does not verif...
CVE-2026-8915
Technical details about CVE-2026-8915 are not publicly available in the provided documents. Monitor for updates from Samsung Escargot advisories and NVD entries for affected versions, impact, and remediation.
CVE-2026-30760
CVE-2026-30760 affects SourceBans Material Admin prior to v1.1.6. A crafted XAJAX call allows an attacker to manipulate arbitrary user data in the web application. The root cause is related to insufficient validation/authorization in handling XAJAX requests, leading to data integrity impacts (arb...
CVE-2026-38707
Affects InHand Networks IR302 firmware v3.5.108, IR305 v1.0.118, IR315 v1.0.118, IR615 v1.0.118 (and earlier). The issue is a command injection in the IPSec VPN feature that can grant ROOT privileges on remote targets. CVSS 3.1: 9.8 (CRITICAL) with network access, no user interaction, and high im...
CVE-2026-38702
CVE-2026-38702 is a command injection vulnerability in InHand Networks’ Admin Access feature affecting IR302 (V3.5.108) and IR305/IR315/IR615 (V1.0.118) and earlier firmware. The issue could allow remote attackers to gain ROOT privileges on target devices. The connected sources confirm affected m...
CVE-2026-37266
CVE-2026-37266: The issue affects Responsive File Manager’s web application (version 9.14.0). A vulnerability in the force_download.php component allows a remote attacker to execute arbitrary code. The publicly documented impact is significant (base CVSS v3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H...
CVE-2026-37579
CVE-2026-37579 affects SMSGate sms-core
CVE-2026-48004
Technical details for CVE-2026-48004 are not publicly available in the provided documents; monitor for updates.
CVE-2026-38703
CVE-2026-38703 describes a command injection in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 V1.0.118, IR315 V1.0.118, IR615 V1.0.118 and earlier versions. Exploitation could yield ROOT privileges on remote devices. Affected component: ZeroTier VPN on the InHand IR s...
CVE-2026-38704
CVE-2026-38704 describes a command injection vulnerability in the WireGuard VPN feature of InHand Networks firmware. Affected devices include IR302 (V3.5.108), IR305 (V1.0.118), IR315 (V1.0.118), IR615 (V1.0.118), and earlier versions. Successful exploitation can yield ROOT privileges on remote t...
CVE-2026-40710
Dell Container Storage Modules are affected by CVE-2026-40710, a critical vulnerability caused by hardcoded credentials exposed in public repositories. This allows remote attackers to access sessions, exfiltrate data, and move laterally. The PT-2026-44502 entry confirms CVSS 10.0. The provided do...
CVE-2026-42998
Summary of CVE-2026-42998 (OpenStack Keystone): The Keystone application credential authentication plugin fails to verify that the requester owns the credential, allowing an attacker to authenticate with their own application credential and specify another user in the request. The resulting toke...
CVE-2026-48824
CVE-2026-48824 is marked reserved in its initial description; the connected FreeBSD entry reports a memory-exhaustion DoS affecting mail/mailpit caused by unbounded JSON bodies on /api/v1/messages, /api/v1/tags, and /api/v1/message/{id}/release. No vendor/version details or patches are provided in the documents...
CVE-2026-43000
CVE-2026-43000 affects OpenStack Keystone (identity service). Affected: Keystone before 29.0.2. The issue arises when an impersonation vulnerability in application credentials is chained with Keystone trusts, allowing a user with member role to escalate to admin by delegating the victim's admin r...