418139 matches found
EUVD-2026-37558
The LearnPress WordPress plugin before 4.3.7 does not gate the edit context on one of its REST endpoint behind the editusers capability, allowing unauthenticated visitors to retrieve each returned user's roles, full capabilities map, extra capabilities, locale, and registration date via a crafted...
EUVD-2026-37647
Unauthenticated Arbitrary File Download in WP Media folder Addon = 4.0.1 versions...
EUVD-2025-210258
Unauthenticated PHP Object Injection in Plumbing = 1.6 versions...
EUVD-2026-37640
Subscriber Broken Authentication in Melhor Envio = 2.16.3 versions...
EUVD-2026-37636
Unauthenticated Cross Site Scripting XSS in JetFormBuilder = 3.6.0.1 versions...
EUVD-2026-37643
Unauthenticated Privilege Escalation in Registration Form for WooCommerce = 1.0.9 versions...
EUVD-2026-37629
Unauthenticated Insecure Direct Object References IDOR in Clean Login = 1.15 versions...
EUVD-2026-37644
Unauthenticated SQL Injection in WP eMember v10.9.4 versions...
EUVD-2026-37642
Unauthenticated PHP Object Injection in WP Activity Log = 5.6.3.1 versions...
EUVD-2026-37634
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
EUVD-2026-37637
Subscriber Privilege Escalation in JetFormBuilder = 3.6.1 versions...
EUVD-2026-37557
The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin before 2.1.3 does not properly escape a user-supplied parameter before reflecting it into an HTML attribute on a non-nonce-protected AJAX response, allowing unauthenticated...
EUVD-2026-37631
Unauthenticated SQL Injection in JobSearch = 3.2.9 versions...
EUVD-2026-37627
Unauthenticated Arbitrary File Upload in SigmaForms Pro – AI Generated Forms = 1.4.5 versions...
EUVD-2026-37625
Unauthenticated Sensitive Data Exposure in JetBlog = 2.4.8 versions...
EUVD-2026-37641
Subscriber Privilege Escalation in Falang multilanguage = 1.4.2 versions...
EUVD-2026-37553
RadiX AX6600 WiFi 6 Tri-Band Gaming Router contains an OS command injection vulnerability, which may lead to arbitrary command execution with the root privilege by a user who logs in to the web console as an administrator...
EUVD-2026-37556
The WP Magnific Popup WordPress plugin through 1.0 does not properly escape user-controlled link URLs before injecting them into the DOM when displaying image load error messages, allowing authenticated attackers with Author-level access or above to perform Stored Cross-Site Scripting attacks...
EUVD-2026-37632
Unauthenticated SQL Injection in JetEngine = 3.8.10.1 versions...
EUVD-2026-37626
Subscriber Sensitive Data Exposure in PushEngage – Web Push Notifications, eCommerce Automation & Chat Widget = 4.2.3 versions...
EUVD-2026-37521
sppppapinput in sys/net/ifspppsubr.c in OpenBSD before 076e2b1 allows authentication bypass via certain zero values for lengths...
EUVD-2026-37639
Subscriber Privilege Escalation in SMS Alert Order Notifications = 3.9.4 versions...
EUVD-2026-37509
Contributor PHP Object Injection in Fusion Builder = 3.15.4 versions...
EUVD-2026-37630
Subscriber SQL Injection in Cornerstone 7.8.8 versions...
EUVD-2026-37638
Unauthenticated Broken Authentication in SMS Alert Order Notifications = 3.9.3 versions...
EUVD-2026-37635
Unauthenticated Cross Site Scripting XSS in Popup box = 6.2.9 versions...
EUVD-2026-37628
Unauthenticated PHP Object Injection in JetEngine = 3.8.10 versions...
EUVD-2026-37633
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.10 versions...
EUVD-2026-37613
Unauthenticated Privilege Escalation in LoginPress Pro = 6.2.2 versions...
EUVD-2026-37615
Unauthenticated Broken Access Control in WooCommerce Anti-Fraud = 7.2.6 versions...
EUVD-2026-37620
Unauthenticated Broken Access Control in User Registration Stripe = 1.3.12 versions...
EUVD-2026-37617
Contributor PHP Object Injection in JetEngine = 3.8.9.1 versions...
EUVD-2026-37621
Unauthenticated SQL Injection in JetEngine 3.8.9.1 versions...
EUVD-2026-37616
Unauthenticated Cross Site Scripting XSS in JetEngine = 3.8.9.1 versions...
EUVD-2026-37494
Unauthenticated Cross Site Scripting XSS in Enfold = 7.1.4 versions...
EUVD-2026-37614
Unauthenticated Broken Authentication in WooCommerce Dropshipping = 5.2.4 versions...
EUVD-2026-37497
Subscriber Arbitrary Code Execution in Cornerstone 7.8.8 versions...
EUVD-2026-37619
Unauthenticated SQL Injection in JetSearch = 3.5.17 versions...
EUVD-2026-37501
Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3...
EUVD-2026-37611
Unauthenticated SQL Injection in JetSmartFilters = 3.8.1 versions...
EUVD-2026-37622
Unauthenticated PHP Object Injection in Thrive Apprentice 10.8.10.2 versions...
EUVD-2026-37610
Subscriber Broken Access Control in WPBakery Page Builder = 8.7.2 versions...
EUVD-2026-37496
Unauthenticated SQL Injection in wpDataTables = 7.3.6 versions...
EUVD-2026-37520
A path traversal in the SFTP provider SFTPHook.retrievedirectory / SFTPOperatoroperation=get let a malicious or compromised remote SFTP server write files outside the configured local destination directory via crafted directory-entry names. No Airflow account is required — the attack surface is a...
EUVD-2026-37513
Rocket.Chat in versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, and 7.10.13 is vulnerable to unauthenticated file deletion. The deleteFileMessage Meteor method permanently deletes any uploaded file by ID without requiring authentication. When called via an unauthenticated DDP WebSocket...
EUVD-2026-37495
Unauthenticated Broken Access Control in JobSearch = 3.2.7 versions...
EUVD-2026-37514
Rocket.Chat versions 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9, 7.10.13 has an access control vulnerability in Livechat files. Protected file downloads at /file-upload/:fileId/:name authorize livechat access using rcroomtype=l with rcrid+rctoken, but the authorization path does not verify...
EUVD-2026-37584
Allow authenticated users to access alert instances associated with alert groups they do not have permission to access. in Apache DolphinScheduler. This issue affects Apache DolphinScheduler: before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue...
EUVD-2026-37624
Unauthenticated Cross Site Scripting XSS in WPFunnels Pro = 2.9.4 versions...
EUVD-2026-37618
Unauthenticated SQL Injection in JetEngine = 3.8.9.1 versions...