High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Agatasoft–AgataSoft PingMaster Pro | AgataSoft PingMaster Pro 2.1 contains a denial of service vulnerability in the Trace Route feature that allows attackers to crash the application by overflowing the host name input field. Attackers can generate a 10,000-character buffer and paste it into the host name field to trigger an application crash and potential system instability. | 2026-01-23 | 7.5 | CVE-2021-47893 | ExploitDB-49567 Vendor Homepage VulnCheck Advisory: AgataSoft PingMaster Pro 2.1 – Denial of Service |
| Aida Computer Information Technology Inc.–Hotel Guest Hotspot | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows SQL Injection. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8 | CVE-2025-4764 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| Altium–AES | AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries. | 2026-01-22 | 8.6 | CVE-2025-27378 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium–AES | HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content. | 2026-01-22 | 7.6 | CVE-2025-27380 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium–Altium 365 | Altium 365 workspace endpoints were configured with an overly permissive Cross-Origin Resource Sharing (CORS) policy that allowed credentialed cross-origin requests from other Altium-controlled subdomains, including forum.live.altium.com. As a result, JavaScript executing on those origins could access authenticated workspace APIs in the context of a logged-in user. When chained with vulnerabilities in those external applications, this misconfiguration enables unauthorized access to workspace data, administrative actions, and bypass of IP allowlisting controls, including in GovCloud environments. | 2026-01-19 | 9 | CVE-2026-1181 | https://www.altium.com/platform/security-compliance/security-advisories |
| HAMASTAR Technology–MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-22 | 9.8 | CVE-2026-1331 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| appsmithorg–appsmith | Appsmith is a platform to build admin panels, internal tools, and dashboards. In versions 1.94 and below, publicly accessible apps allow unauthenticated users to execute unpublished (edit-mode) actions by sending viewMode=false (or omitting it) to POST /api/v1/actions/execute. This bypasses the expected publish boundary where public viewers should only execute published actions, not edit-mode versions. An attack can result in sensitive data exposure, execution of edit‑mode queries and APIs, development data access, and the ability to trigger side effect behavior. This issue does not have a released fix at the time of publication. | 2026-01-22 | 9.4 | CVE-2026-24042 | https://github.com/appsmithorg/appsmith/security/advisories/GHSA-j9qq-4fj9-9883 |
| Autodesk–Fusion | A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0533 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk–Fusion | A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0534 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autodesk–Fusion | A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process. | 2026-01-22 | 7.1 | CVE-2026-0535 | https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 |
| Autonomy–OpenPLC | OpenPLC v3 contains an authenticated remote code execution vulnerability that allows attackers with valid credentials to inject malicious code through the hardware configuration interface. Attackers can upload a custom hardware layer with embedded reverse shell code that establishes a network connection to a specified IP and port, enabling remote command execution. | 2026-01-21 | 8.8 | CVE-2021-47770 | ExploitDB-49803 OpenPLC Project Official Homepage OpenPLC v3 GitHub Repository VulnCheck Advisory: OpenPLC 3 – Remote Code Execution |
| B&R Industrial Automation GmbH–B&R Automation Studio | An Improper Certificate Validation vulnerability in the OPC-UA client and ANSL over TLS client used in Automation Studio versions before 6.5 could allow an unauthenticated attacker on the network to position themselves to intercept and interfere with data exchanges. | 2026-01-19 | 7.4 | CVE-2025-11043 | https://www.br-automation.com/fileadmin/SA25P004-4f45197f.pdf |
| backstage–backstage | Backstage is an open framework for building developer portals. Multiple Scaffolder actions and archive extraction utilities were vulnerable to symlink-based path traversal attacks. An attacker with access to create and execute Scaffolder templates could exploit symlinks to read arbitrary files via the `debug:log` action by creating a symlink pointing to sensitive files (e.g., `/etc/passwd`, configuration files, secrets); delete arbitrary files via the `fs:delete` action by creating symlinks pointing outside the workspace, and write files outside the workspace via archive extraction (tar/zip) containing malicious symlinks. This affects any Backstage deployment where users can create or execute Scaffolder templates. This vulnerability is fixed in `@backstage/backend-defaults` versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0; `@backstage/plugin-scaffolder-backend` versions 2.2.2, 3.0.2, and 3.1.1; and `@backstage/plugin-scaffolder-node` versions 0.11.2 and 0.12.3. Users should upgrade to these versions or later. Some workarounds are available. Follow the recommendation in the Backstage Threat Model to limit access to creating and updating templates, restrict who can create and execute Scaffolder templates using the permissions framework, audit existing templates for symlink usage, and/or run Backstage in a containerized environment with limited filesystem access. | 2026-01-21 | 7.1 | CVE-2026-24046 | https://github.com/backstage/backstage/security/advisories/GHSA-rq6q-wr2q-7pgp https://github.com/backstage/backstage/commit/c641c147ab371a9a8a2f5f67fdb7cb9c97ef345d |
| baptisteArno–typebot.io | Typebot is an open-source chatbot builder. In versions prior to 3.13.2, client-side script execution in Typebot allows stealing all stored credentials from any user. When a victim previews a malicious typebot by clicking “Run”, JavaScript executes in their browser and exfiltrates their OpenAI keys, Google Sheets tokens, and SMTP passwords. The `/api/trpc/credentials.getCredentials` endpoint returns plaintext API keys without verifying credential ownership. Version 3.13.2 fixes the issue. | 2026-01-22 | 7.4 | CVE-2025-65098 | https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-4xc5-wfwc-jw47 |
| Birebirsoft Software and Technology Solutions–Sufirmam | Authentication Bypass by Primary Weakness, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Authentication Bypass, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 10 | CVE-2025-4320 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Birebirsoft Software and Technology Solutions–Sufirmam | Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation. This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 9.4 | CVE-2025-4319 | https://www.usom.gov.tr/bildirim/tr-26-0005 |
| Brother Industries, Ltd.–BRAdmin Professional | Brother BRAdmin Professional 3.75 contains an unquoted service path vulnerability in the BRA_Scheduler service that allows local users to potentially execute arbitrary code. Attackers can place a malicious executable named ‘BRAdmin’ in the `C:\Program Files (x86)\Brother` directory to gain local system privileges. | 2026-01-21 | 7.8 | CVE-2021-47869 | ExploitDB-49671 Brother Global Homepage Brother Software Download Page Vulnerability Technical Details VulnCheck Advisory: BRAdmin Professional 3.75 – ‘BRA_Scheduler’ Unquoted Service Path |
| BROWAN COMMUNICATIONS–PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware. | 2026-01-20 | 9.8 | CVE-2026-1221 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| BROWAN COMMUNICATIONS–PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server. | 2026-01-20 | 7.2 | CVE-2026-1222 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| buddypress–BuddyPress | The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. | 2026-01-23 | 7.3 | CVE-2024-11976 | https://www.wordfence.com/threat-intel/vulnerabilities/id/34c627c1-7838-468e-acb7-eb84ad1b4949?source=cve https://plugins.trac.wordpress.org/browser/buddypress/tags/14.3.1/bp-templates/bp-nouveau/includes/messages/ajax.php#L232 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3259392%40buddypress%2Ftrunk&old=3199645%40buddypress%2Ftrunk&sfp_email=&sfph_mail= |
| chattermate–chattermate.chat | ChatterMate is a no-code AI chatbot agent framework. In versions 1.0.8 and below, the chatbot accepts and executes malicious HTML/JavaScript payloads when supplied as chat input. Specifically, an `<iframe>` payload containing a `javascript:` URI can be processed and executed in the browser context. This allows access to sensitive client-side data such as localStorage tokens and cookies, resulting in client-side injection. This issue has been fixed in version 1.0.9. | 2026-01-24 | 9.3 | CVE-2026-24399 | https://github.com/chattermate/chattermate.chat/security/advisories/GHSA-72p3-w95w-q3j4 https://github.com/chattermate/chattermate.chat/commit/ff3398031abb97ae28546eaf993fed3619eaffdd https://github.com/chattermate/chattermate.chat/releases/tag/v1.0.9 |
| choijun–LA-Studio Element Kit for Elementor | The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the ‘ajax_register_handle’ function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the ‘lakit_bkrole’ parameter during registration and gain administrator access to the site. | 2026-01-22 | 9.8 | CVE-2026-0920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301 https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit |
| Cisco–Cisco Unified Communications Manager | A vulnerability in Cisco Unified Communications Manager (Unified CM), Cisco Unified Communications Manager Session Management Edition (Unified CM SME), Cisco Unified Communications Manager IM & Presence Service (Unified CM IM&P), Cisco Unity Connection, and Cisco Webex Calling Dedicated Instance could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. This vulnerability is due to improper validation of user-supplied input in HTTP requests. An attacker could exploit this vulnerability by sending a sequence of crafted HTTP requests to the web-based management interface of an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. Note: Cisco has assigned this security advisory a Security Impact Rating (SIR) of Critical rather than High as the score indicates. The reason is that exploitation of this vulnerability could result in an attacker elevating privileges to root. | 2026-01-21 | 8.2 | CVE-2026-20045 | cisco-sa-voice-rce-mORhqY4b |
| CRMEB–CRMEB | A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 7.3 | CVE-2026-1202 | VDB-341788 \| CRMEB LoginController.php appleLogin improper authentication VDB-341788 \| CTI Indicators (IOB, IOC, IOA) Submit #734711 \| Zhongbang CRMEB v5.6.3 Improper Authentication https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md |
| Data Device Corporation–dataSIMS Avionics ARINC | dataSIMS Avionics ARINC 664-1 version 4.5.3 contains a local buffer overflow vulnerability that allows attackers to overwrite memory by manipulating the milstd1553result.txt file. Attackers can craft a malicious file with carefully constructed payload and alignment sections to potentially execute arbitrary code on the Windows system. | 2026-01-23 | 8.4 | CVE-2021-47881 | ExploitDB-49577 Vendor Homepage Software Product Page VulnCheck Advisory: dataSIMS Avionics ARINC 664-1 – Local Buffer Overflow |
| Deepinstinct–Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.24.0 contains an unquoted service path vulnerability in the DeepNetworkService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in `C:\Program Files\HP Sure Sense\DeepNetworkService.exe` to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-25 | 7.8 | CVE-2020-36934 | ExploitDB-49020 Deep Instinct Official Homepage HP Collaboration Announcement VulnCheck Advisory: Deep Instinct Windows Agent 1.2.24.0 – ‘DeepNetworkService’ Unquoted Service Path |
| Dell–ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Use of Default Credentials vulnerability in the OS. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-23 | 8.8 | CVE-2026-22273 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell–ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information exposure. | 2026-01-23 | 7.5 | CVE-2026-22271 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell–PowerScale OneFS | Dell PowerScale OneFS versions prior to 9.13.0.0 contain an improper restriction of excessive authentication attempts vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to Unauthorized access. | 2026-01-22 | 8.1 | CVE-2026-22278 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell–Unisphere for PowerMax | Dell Unisphere for PowerMax, version(s) 10.2.0.x, contain(s) an Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Command execution. | 2026-01-22 | 8.8 | CVE-2025-36588 | https://www.dell.com/support/kbdoc/en-us/000402262/dsa-2025-425-dell-powermaxos-dell-powermax-eem-dell-unisphere-for-powermax-dell-unisphere-for-powermax-virtual-appliance-dell-unisphere-360-dell-solutions-enabler-virtual-appliance-security-update-for-multiple-vulnerabilities |
| docling-project–docling-core | Docling Core (or docling-core) is a library that defines core data types and transformations in the document processing application Docling. A PyYAML-related Remote Code Execution (RCE) vulnerability, namely CVE-2020-14343, is exposed in docling-core starting in version 2.21.0 and prior to version 2.48.4, specifically only if the application uses pyyaml prior to version 5.4 and invokes `docling_core.types.doc.DoclingDocument.load_from_yaml()` passing it untrusted YAML data. The vulnerability has been patched in docling-core version 2.48.4. The fix mitigates the issue by switching `PyYAML` deserialization from `yaml.FullLoader` to `yaml.SafeLoader`, ensuring that untrusted data cannot trigger code execution. Users who cannot immediately upgrade docling-core can alternatively ensure that the installed version of PyYAML is 5.4 or greater. | 2026-01-22 | 8.1 | CVE-2026-24009 | https://github.com/docling-project/docling-core/security/advisories/GHSA-vqxf-v2gg-x3hc https://github.com/docling-project/docling-core/issues/482 https://github.com/docling-project/docling-core/commit/3e8d628eeeae50f0f8f239c8c7fea773d065d80c https://github.com/advisories/GHSA-8q59-q68h-6hv4 https://github.com/docling-project/docling-core/releases/tag/v2.48.4 |
| dokaninc–Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution – Build Your Own Amazon, eBay, Etsy plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 4.2.4 via the `/wp-json/dokan/v1/settings` REST API endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with customer-level permissions and above, to read or modify other vendors’ store settings including sensitive payment information (PayPal email, bank account details, routing numbers, IBAN, SWIFT codes), phone numbers, and addresses, and change PayPal email addresses to attacker-controlled addresses, enabling financial theft when the marketplace processes payouts. | 2026-01-20 | 8.1 | CVE-2025-14977 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ab9d7e9-9a81-48f8-bc37-ad6de43a566f?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L131 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L152 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L109 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreSettingController.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3432750%40dokan-lite%2Ftrunk&old=3427612%40dokan-lite%2Ftrunk&sfp_email=&sfph_mail=#file7 |
| embeDD GmbH–DD-WRT | DD-WRT version 45723 contains a buffer overflow vulnerability in the UPNP network discovery service that allows remote attackers to potentially execute arbitrary code. Attackers can send crafted M-SEARCH packets with oversized UUID payloads to trigger buffer overflow conditions on the target device. | 2026-01-21 | 9.8 | CVE-2021-47854 | ExploitDB-49730 DD-WRT Official Vendor Homepage DD-WRT Software Download Repository SSD Security Advisory for DD-WRT UPNP Buffer Overflow VulnCheck Advisory: DD-WRT 45723 – UPNP Buffer Overflow |
| Epiphany–Epiphany | A flaw was found in Epiphany, a tool that allows websites to open external URL handler applications with minimal user interaction. This design can be misused to exploit vulnerabilities within those handlers, making them appear remotely exploitable. The browser fails to properly warn or gate this action, resulting in potential code execution on the client device via trusted UI behavior. | 2026-01-23 | 8 | CVE-2025-3839 | https://access.redhat.com/security/cve/CVE-2025-3839 RHBZ#2361430 |
| Epson America, Inc.–Epson USB Display | Epson USB Display 1.6.0.0 contains an unquoted service path vulnerability in the EMP_UDSA service running with LocalSystem privileges. Attackers can exploit the unquoted path by placing malicious executables in intermediate directories to gain elevated system access. | 2026-01-23 | 7.8 | CVE-2021-47898 | ExploitDB-49548 Epson Official Homepage VulnCheck Advisory: Epson USB Display 1.6.0.0 Unquoted Service Path Vulnerability |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue. | 2026-01-21 | 8.4 | CVE-2025-68137 | https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w |
| EVerest–everest-core | EVerest is an EV charging software stack. In versions 2025.9.0 and below, an attacker can exhaust the operating system’s memory and cause the module to terminate by initiating an unlimited number of TCP connections that never proceed to ISO 15118-2 communication. This is possible because a new thread is started for each incoming plain TCP or TLS socket connection before any verification occurs, and the verification performed is too permissive. The EVerest processes and all its modules shut down, affecting all EVSE functionality. This issue is fixed in version 2025.10.0. | 2026-01-21 | 7.4 | CVE-2025-68133 | https://github.com/EVerest/everest-core/security/advisories/GHSA-mv3w-pp85-5h7c https://github.com/EVerest/everest-core/commit/8127b8c54b296c4dd01b356ac26763f81f76a8fd https://github.com/EVerest/everest-core/commit/de504f0c11069010d26767b0952739e9a400cef3 |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, the use of the `assert` function to handle errors frequently causes the module to crash. This is particularly critical because the manager shuts down all other modules and exits when any one of them terminates, leading to a denial of service. In a context where a manager handles multiple EVSE, this would also impact other users. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68134 | https://github.com/EVerest/everest-core/security/advisories/GHSA-cxc5-rrj5-8pf3 |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, once the module receives a SDP request, it creates a whole new set of objects like `Session` and `IConnection`, which open a new TCP socket for the ISO15118-20 communications and register callbacks for the created file descriptor, without closing and destroying the previous ones. The previous `Session` is not saved and the usage of a `unique_ptr` is lost, destroying connection data. Later, if the used socket and therefore file descriptor is not the last one, it will lead to a null pointer dereference. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68136 | https://github.com/EVerest/everest-core/security/advisories/GHSA-4h8h-x5cp-g22r |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, during the deserialization of a `DC_ChargeLoopRes` message that includes Receipt as well as TaxCosts, the vector `<DetailedTax>tax_costs` in the target `Receipt` structure is accessed out of bounds. This occurs in the method `template <> void convert(const struct iso20_dc_DetailedTaxType& in, datatypes::DetailedTax& out)` which leads to a null pointer dereference and causes the module to terminate. The EVerest processes and all its modules shut down, affecting all EVSE. Version 2025.10.0 fixes the issue. | 2026-01-21 | 7.4 | CVE-2025-68141 | https://github.com/EVerest/everest-core/security/advisories/GHSA-ph4w-r9q8-vm9h |
| EVMAPA–EVMAPA | This vulnerability occurs when a WebSocket endpoint does not enforce proper authentication mechanisms, allowing unauthorized users to establish connections. As a result, attackers can exploit this weakness to gain unauthorized access to sensitive data or perform unauthorized actions. Given that no authentication is required, this can lead to privilege escalation and potentially compromise the security of the entire system. | 2026-01-22 | 9.4 | CVE-2025-54816 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA–EVMAPA | This vulnerability arises because there are no limitations on the number of authentication attempts a user can make. An attacker can exploit this weakness by continuously sending authentication requests, leading to a denial-of-service (DoS) condition. This can overwhelm the authentication system, rendering it unavailable to legitimate users and potentially causing service disruption. This can also allow attackers to conduct brute-force attacks to gain unauthorized access. | 2026-01-22 | 7.5 | CVE-2025-53968 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EVMAPA–EVMAPA | This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging sessions. The lack of proper session management and expiration control allows attackers to exploit this weakness by reusing valid charging station IDs to establish multiple sessions concurrently. | 2026-01-22 | 7.3 | CVE-2025-55705 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-08 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-08.json |
| EXERT Computer Technologies Software Ltd. Co.–Education Management System | Authorization Bypass Through User-Controlled Key vulnerability in EXERT Computer Technologies Software Ltd. Co. Education Management System allows Parameter Injection. This issue affects Education Management System: through 23.09.2025. | 2026-01-22 | 7.5 | CVE-2025-10024 | https://www.usom.gov.tr/bildirim/tr-26-0002 |
| fastify–fastify-express | The @fastify/express plugin adds full Express compatibility to Fastify. A security vulnerability exists in @fastify/express prior to version 4.0.3 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. The vulnerability is caused by how @fastify/express matches requests against registered middleware paths. This vulnerability is similar to, but differs from, CVE-2026-22031 because this is a different npm module with its own code. Version 4.0.3 of @fastify/express contains a patch for the issue. | 2026-01-19 | 8.4 | CVE-2026-22037 | https://github.com/fastify/fastify-express/security/advisories/GHSA-g6q3-96cp-5r5m https://github.com/fastify/fastify-express/commit/dc02a3fe1387f945143f22597baa42557d549a40 |
| fastify–middie | @fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue. | 2026-01-19 | 8.4 | CVE-2026-22031 | https://github.com/fastify/middie/security/advisories/GHSA-cxrg-g7r8-w69p https://github.com/fastify/middie/pull/245 https://github.com/fastify/middie/commit/d44cd56eb724490babf7b452fdbbdd37ea2effba https://github.com/fastify/middie/releases/tag/v9.1.0 |
| FOGProject–fogproject | FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Versions 1.5.10.1754 and below contain an unauthenticated SSRF vulnerability in getversion.php which can be triggered by providing a user-controlled url parameter. It can be used to fetch both internal websites and files on the machine running FOG. This appears to be reachable without an authenticated web session when the request includes newService=1. The issue does not have a fixed release version at the time of publication. | 2026-01-23 | 7.5 | CVE-2026-24138 | https://github.com/FOGProject/fogproject/security/advisories/GHSA-79xw-c2qx-g7xj |
| franklioxygen–MyTube | MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and potentially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66, and MyTube maintainers recommend that all users upgrade to at least that version immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by using a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next(). | 2026-01-19 | 9.8 | CVE-2026-23837 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-cmvj-g69f-8664 https://github.com/franklioxygen/MyTube/commit/f85ae9b0d6e4a6480c6af5b675a99069d08d496e |
| FreeLAN–FreeLAN | FreeLAN 2.2 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47882 | ExploitDB-49630 FreeLAN GitHub Repository VulnCheck Advisory: FreeLAN 2.2 – ‘FreeLAN Service’ Unquoted Service Path |
| frustratedProton–http-server | C++ HTTP Server is an HTTP/1.1 server built to handle client connections and serve HTTP requests. Versions 1.0 and below are vulnerable to Path Traversal via the RequestHandler::handleRequest method. This flaw allows an unauthenticated, remote attacker to read arbitrary files from the server’s filesystem by crafting a malicious HTTP GET request containing ../ sequences. The application fails to sanitize the filename variable derived from the user-controlled URL path, directly concatenating it to the files_directory base path and enabling traversal outside the intended root. No patch was available at the time of publication. | 2026-01-24 | 7.5 | CVE-2026-24469 | https://github.com/frustratedProton/http-server/security/advisories/GHSA-qp54-6gfq-3gff |
| FSPro Labs–Event Log Explorer | Event Log Explorer 4.9.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations that will be executed with LocalSystem account privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47861 | ExploitDB-49704 Vendor Homepage VulnCheck Advisory: Event Log Explorer 4.9.3 – ‘ElodeaEventCollectorService’ Unquoted Service Path |
| Fyrolabs LLC.–Pingzapper | Pingzapper 2.3.1 contains an unquoted service path vulnerability in the PingzapperSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files (x86)\Pingzapper\PZService.exe’ to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47886 | ExploitDB-49626 Vendor Homepage Software Download Page VulnCheck Advisory: Pingzapper 2.3.1 – ‘PingzapperSvc’ Unquoted Service Path |
| Genexis–Platinum-4410 | Genexis Platinum-4410 P4410-V2-1.31A contains a stored cross-site scripting vulnerability in the ‘start_addr’ parameter of the Security Management interface. Attackers can inject malicious scripts through the start source address field that will persist and trigger for privileged users when they access the security management page. | 2026-01-21 | 7.2 | CVE-2021-47858 | ExploitDB-49709 Genexis Product Page VulnCheck Advisory: Genexis Platinum-4410 P4410-V2-1.31A – ‘start_addr’ Persistent Cross-Site Scripting |
| GeoGebra–CAS Calculator | GeoGebra CAS Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by supplying an oversized input buffer. Attackers can create a payload of 8000 repeated characters and paste it into the calculator’s input field to trigger an application crash. | 2026-01-21 | 9.8 | CVE-2021-47875 | ExploitDB-49655 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra CAS Calculator 6.0.631.0 – Denial of Service |
| GeoGebra–GeoGebra Classic | GeoGebra Classic 5.0.631.0-d contains a denial of service vulnerability in the input field that allows attackers to crash the application by sending oversized buffer content. Attackers can generate a large buffer of 800,000 repeated characters and paste it into the ‘Entrada:’ input field to trigger an application crash. | 2026-01-21 | 7.5 | CVE-2021-47876 | ExploitDB-49654 Official Vendor Homepage VulnCheck Advisory: GeoGebra Classic 5.0.631.0-d – Denial of Service |
| GeoGebra–GeoGebra Graphing Calculator | GeoGebra Graphing Calculator 6.0.631.0 contains a denial of service vulnerability that allows attackers to crash the application by inputting an oversized buffer. Attackers can generate a payload of 8000 repeated characters to overwhelm the input field and cause the application to become unresponsive. | 2026-01-21 | 7.5 | CVE-2021-47877 | ExploitDB-49653 GeoGebra Official Homepage VulnCheck Advisory: GeoGebra Graphing Calculator 6.0.631.0 – Denial Of Service |
| getwpfunnels–Creator LMS The LMS for Creators, Coaches, and Trainers | The Creator LMS – The LMS for Creators, Coaches, and Trainers plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check in the get_items_permissions_check function in all versions up to, and including, 1.1.12. This makes it possible for authenticated attackers, with contributor level access and above, to update arbitrary WordPress options. | 2026-01-20 | 8.8 | CVE-2025-15347 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bddaefc-9ddc-4798-acb6-7b87f7c924a1?source=cve https://plugins.trac.wordpress.org/changeset/3433193/creatorlms/tags/1.1.13/includes/Rest/V1/SettingsController.php |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 11.9 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending crafted requests with malformed authentication data. | 2026-01-22 | 7.5 | CVE-2025-13927 | GitLab Issue #582737 HackerOne Bug Bounty Report #3439683 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.7 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to cause a denial of service condition by exploiting incorrect authorization validation in API endpoints. | 2026-01-22 | 7.5 | CVE-2025-13928 | GitLab Issue #582736 HackerOne Bug Bounty Report #3439441 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.6 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an individual with existing knowledge of a victim’s credential ID to bypass two-factor authentication by submitting forged device responses. | 2026-01-22 | 7.4 | CVE-2026-0723 | GitLab Issue #585333 HackerOne Bug Bounty Report #3476052 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GNU–Inetutils | telnetd in GNU Inetutils through 2.7 allows remote authentication bypass via a “-f root” value for the USER environment variable. | 2026-01-21 | 9.8 | CVE-2026-24061 | https://www.openwall.com/lists/oss-security/2026/01/20/2 https://www.openwall.com/lists/oss-security/2026/01/20/8 https://www.gnu.org/software/inetutils/ |
| gristlabs–grist-core | Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`. | 2026-01-22 | 9.1 | CVE-2026-24002 | https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents |
| gunthercox–ChatterBot | ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue. | 2026-01-19 | 7.5 | CVE-2026-23842 | https://github.com/gunthercox/ChatterBot/security/advisories/GHSA-v4w8-49pv-mf72 https://github.com/gunthercox/ChatterBot/pull/2432 https://github.com/gunthercox/ChatterBot/commit/de89fe648139f8eeacc998ad4524fab291a378cf https://github.com/gunthercox/ChatterBot/releases/tag/1.2.11 https://github.com/user-attachments/assets/4ee845c4-b847-4854-84ec-4b2fb2f7090f |
| h2o–quicly | Quicly, an IETF QUIC protocol implementation, is susceptible to a denial-of-service attack prior to commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e. A remote attacker can exploit these bugs to trigger an assertion failure that crashes the process using Quicly. Commit d9d3df6a8530a102b57d840e39b0311ce5c9e14e fixes the issue. | 2026-01-19 | 7.5 | CVE-2025-61684 | https://github.com/h2o/quicly/security/advisories/GHSA-wr3c-345m-43v9 https://github.com/h2o/quicly/commit/d9d3df6a8530a102b57d840e39b0311ce5c9e14e |
| HackUCF–OnboardLite | OnboardLite is a comprehensive membership lifecycle platform built for student organizations at the University of Central Florida. Versions of the software prior to commit 1d32081a66f21bcf41df1ecb672490b13f6e429f have a stored cross-site scripting vulnerability that can be rendered to an admin when they attempt to migrate a user’s discord account in the dashboard. Commit 1d32081a66f21bcf41df1ecb672490b13f6e429f patches the issue. | 2026-01-19 | 7.3 | CVE-2026-23880 | https://github.com/HackUCF/OnboardLite/security/advisories/GHSA-93w8-83cg-h89g https://github.com/HackUCF/OnboardLite/commit/1d32081a66f21bcf41df1ecb672490b13f6e429f |
| HAMASTAR Technology–MeetingHub | MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files. | 2026-01-22 | 7.5 | CVE-2026-1330 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| Hasura–GraphQL | Hasura GraphQL 1.3.3 contains a remote code execution vulnerability that allows attackers to execute arbitrary shell commands through SQL query manipulation. Attackers can inject commands into the run_sql endpoint by crafting malicious GraphQL queries that execute system commands through PostgreSQL’s COPY FROM PROGRAM functionality. | 2026-01-21 | 9.8 | CVE-2021-47748 | ExploitDB-49802 Hasura GraphQL Engine GitHub Repository VulnCheck Advisory: Hasura GraphQL 1.3.3 – Remote Code Execution |
| Hestia Control Panel–Hestia Control Panel | Hestia Control Panel 1.3.2 contains an arbitrary file write vulnerability that allows authenticated attackers to write files to arbitrary locations using the API index.php endpoint. Attackers can exploit the v-make-tmp-file command to write SSH keys or other content to specific file paths on the server. | 2026-01-21 | 8.8 | CVE-2021-47871 | ExploitDB-49667 Hestia Control Panel Official Homepage Hestia Control Panel GitHub Repository VulnCheck Advisory: Hestia Control Panel 1.3.2 – Arbitrary File Write |
| HI-REZ STUDIOS–HiPatchService | Hi-Rez Studios 5.1.6.3 contains an unquoted service path vulnerability in the HiPatchService that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47862 | ExploitDB-49701 Hi-Rez Studios Official Homepage VulnCheck Advisory: Hi-Rez Studios 5.1.6.3 – ‘HiPatchService’ Unquoted Service Path |
| Hibernate–Hibernate | A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder is used. This could lead to sensitive information disclosure, such as reading system files, and allow for data manipulation or deletion within the application’s database, resulting in an application level denial of service. | 2026-01-23 | 8.3 | CVE-2026-0603 | https://access.redhat.com/security/cve/CVE-2026-0603 RHBZ#2427147 |
| HID Global–ActivIdentity | ActivIdentity 8.2 contains an unquoted service path vulnerability in the ac.sharedstore service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path in C:\Program Files\Common Files\ActivIdentity to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47859 | ExploitDB-49703 HID Global Official Website VulnCheck Advisory: ActivIdentity 8.2 – ‘ac.sharedstore’ Unquoted Service Path |
| Honeywell–WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the GuardTourService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\WINPAKPRO\WP GuardTour Service.exe to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47866 | ExploitDB-49690 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 – ‘GuardTourService’ Unquoted Service Path |
| Honeywell–WIN-PACK PRO | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the WPCommandFileService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files (x86)\WINPAKPRO\WPCommandFileService Service.exe to inject malicious code that would execute with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47868 | ExploitDB-49692 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 – ‘WPCommandFileService’ Unquoted Service Path |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the OTP handling logic has a flawed equality check that can be bypassed. When an OTP expires, the server returns None, and if an attacker omits the otp field from their POST request, the user-supplied OTP is also None, causing the comparison user_otp == otp to pass. This allows an attacker to bypass two-factor authentication entirely without ever providing a valid OTP. If administrative accounts are targeted, it could lead to compromise of sensitive HR data, manipulation of employee records, and further system-wide abuse. This issue has been fixed in version 1.5.0. | 2026-01-22 | 8.1 | CVE-2026-24038 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-hqpv-ff5v-3hwf https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| HTC–IPTInstaller | HTC IPTInstaller 4.0.9 contains an unquoted service path vulnerability in the PassThru Service configuration. Attackers can exploit the unquoted binary path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36933 | ExploitDB-49006 HTC Official Latin America Homepage VulnCheck Advisory: IPTInstaller 4.0.9 – ‘PassThru Service’ Unquoted Service Path |
| hwk-fr–Advanced Custom Fields: Extended | The Advanced Custom Fields: Extended plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 0.9.2.1. This is due to the ‘insert_user’ function not restricting the roles with which a user can register. This makes it possible for unauthenticated attackers to supply the ‘administrator’ role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if ‘role’ is mapped to the custom field. | 2026-01-20 | 9.8 | CVE-2025-14533 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d44f8af2-3525-4b00-afa8-a908250cc838?source=cve https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.1/includes/modules/form/module-form-action-user.php#L636 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/fields/field-user-roles.php#L437 https://plugins.trac.wordpress.org/browser/acf-extended/tags/0.9.2.2/includes/modules/form/module-form-action-user.php#L356 |
| I Want Source Codes–Digital Crime Report Management System | Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints. | 2026-01-21 | 8.2 | CVE-2021-47846 | ExploitDB-49761 Vendor Homepage Software Download Link VulnCheck Advisory: Digital Crime Report Management System 1.0 – SQL Injection |
| ibericode–koko-analytics | Koko Analytics is an open-source analytics plugin for WordPress. Versions prior to 2.1.3 are vulnerable to arbitrary SQL execution through unescaped analytics export/import and permissive admin SQL import. Unauthenticated visitors can submit arbitrary path (`pa`) and referrer (`r`) values to the public tracking endpoint in src/Resources/functions/collect.php, which stores those strings verbatim in the analytics tables. The admin export logic in src/Admin/Data_Export.php writes these stored values directly into SQL INSERT statements without escaping. A crafted path such as `),('999','x');DROP TABLE wp_users;--` breaks out of the value list. When an administrator later imports that export file, the import handler in src/Admin/Data_Import.php reads the uploaded SQL with file_get_contents, performs only a superficial header check, splits on semicolons, and executes each statement via $wpdb->query with no validation of table names or statement types. Additionally, any authenticated user with manage_koko_analytics can upload an arbitrary .sql file and have it executed in the same permissive way. Combined, attacker-controlled input flows from the tracking endpoint into exported SQL and through the import execution sink, or directly via malicious uploads, enabling arbitrary SQL execution. In a worst-case scenario, attackers can achieve arbitrary SQL execution on the WordPress database, allowing deletion of core tables (e.g., wp_users), insertion of backdoor administrator accounts, or other destructive/privilege-escalating actions. Version 2.1.3 patches the issue. | 2026-01-19 | 8.4 | CVE-2026-22850 | https://github.com/ibericode/koko-analytics/security/advisories/GHSA-jgfh-264m-xh3q https://github.com/ibericode/koko-analytics/commit/7b7d58f4a1838c8203cf4e7bb59847c982432119 https://drive.google.com/file/d/1HdQKf42prwrBUUG2CwbIkccTp2i6HR6d/view?usp=sharing |
| IBM–ApplinX | IBM ApplinX 11.1 is vulnerable to privilege escalation due to improper verification of JWT tokens. An attacker may be able to craft or modify a JSON web token in order to impersonate another user or to elevate their privileges. | 2026-01-20 | 7.3 | CVE-2025-36418 | https://www.ibm.com/support/pages/node/7257446 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to malicious file upload by not validating the content of the file uploaded to the web interface. | 2026-01-20 | 8.8 | CVE-2025-33015 | https://www.ibm.com/support/pages/node/7257006 |
| IBM–IBM Licensing Operator | IBM Licensing Operator incorrectly assigns privileges to security critical files which could allow a local root escalation inside a container running the IBM Licensing Operator image. | 2026-01-20 | 8.4 | CVE-2025-12985 | https://www.ibm.com/support/pages/license-service-privilege-escalation-vulnerability |
| IBM–Sterling Connect:Direct for UNIX Container | IBM Sterling Connect:Direct for UNIX Container 6.3.0.0 through 6.3.0.6 Interim Fix 016, and 6.4.0.0 through 6.4.0.3 Interim Fix 019, contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. | 2026-01-20 | 8.4 | CVE-2025-14115 | https://www.ibm.com/support/pages/node/7257143 |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Prior to versions 7.1.2-13 and 6.9.13-38, a heap buffer overflow vulnerability in the XBM image decoder (ReadXBMImage) allows an attacker to write controlled data past the allocated heap buffer when processing a maliciously crafted image file. Any operation that reads or identifies an image can trigger the overflow, making it exploitable via common image upload and processing pipelines. Versions 7.1.2-13 and 6.9.13-38 fix the issue. | 2026-01-20 | 8.1 | CVE-2026-23876 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r49w-jqq3-3gx8 https://github.com/ImageMagick/ImageMagick/commit/2fae24192b78fdfdd27d766fd21d90aeac6ea8b8 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccMpeCalculator::Read(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24405 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-2r5c-5w66-47vv https://github.com/InternationalColorConsortium/iccDEV/issues/479 https://github.com/InternationalColorConsortium/iccDEV/commit/d22fc174866e2521f8a5f9393fab5be306329f62 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in CIccTagNamedColor2::SetSize(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24406 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-h9h3-45cm-j95f https://github.com/InternationalColorConsortium/iccDEV/issues/480 https://github.com/InternationalColorConsortium/iccDEV/commit/90c71cba2c563b1f5dc84197f827540d1baaea67 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have a Heap Buffer Overflow vulnerability in the CIccTagXmlSegmentedCurve::ToXml() function. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 8.8 | CVE-2026-24412 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-6rf4-63j2-cfrf https://github.com/InternationalColorConsortium/iccDEV/issues/518 https://github.com/InternationalColorConsortium/iccDEV/commit/2be3b125933a57fe8b6624e9dfd69d8e5360bf70 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, an integer overflow vulnerability exists in icValidateStatus CIccProfile::CheckHeader() when user-controllable input is incorporated into profile data unsafely. Tampering with tag tables, offsets, or size fields can trigger parsing errors, memory corruption, or DoS, potentially enabling arbitrary Code Execution or bypassing application logic. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24403 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-ph33-qp8j-5q34 https://github.com/InternationalColorConsortium/iccDEV/issues/505 https://github.com/InternationalColorConsortium/iccDEV/commits/d993997005449a0a6958e65b057bd25e17dff89 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. In versions 2.3.1.1 and below, CIccXmlArrayType() contains a Null Pointer Dereference and Undefined Behavior vulnerability. This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24404 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-hqfg-45jp-hp9f https://github.com/InternationalColorConsortium/iccDEV/issues/488 https://github.com/InternationalColorConsortium/iccDEV/commit/cd637eb33f0c8055fa54d8776e00555d3d39ef0c |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in icSigCalcOp(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24407 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-m6gx-93cp-4855 https://github.com/InternationalColorConsortium/iccDEV/issues/481 https://github.com/InternationalColorConsortium/iccDEV/commit/881802931a71c4b0dfc28bc80ee55b2cb84dab90 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and a Null Pointer Dereference in CIccTagXmlFloatNum<>::ParseXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24409 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398v-jvcg-p8f3 https://github.com/InternationalColorConsortium/iccDEV/issues/484 https://github.com/InternationalColorConsortium/iccDEV/commit/9f134c44895edd2edca4bcb97e15c0ba9aa77382 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior and a Null Pointer Dereference in CIccProfileXml::ParseBasic(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24410 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-398q-4rpv-3v9r https://github.com/InternationalColorConsortium/iccDEV/issues/507 https://github.com/InternationalColorConsortium/iccDEV/commit/3cf522b13832692b107322cd51c4ae5c3a21f366 |
| InternationalColorConsortium–iccDEV | iccDEV provides libraries and tools for interacting with, manipulating, and applying ICC color management profiles. Versions 2.3.1.1 and below have Undefined Behavior in CIccTagXmlSegmentedCurve::ToXml(). This occurs when user-controllable input is unsafely incorporated into ICC profile data or other structured binary blobs. Successful exploitation may allow an attacker to perform DoS, manipulate data, bypass application logic and Code Execution. This issue has been fixed in version 2.3.1.2. | 2026-01-24 | 7.1 | CVE-2026-24411 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-x53f-7h27-9fc8 https://github.com/InternationalColorConsortium/iccDEV/issues/499 https://github.com/InternationalColorConsortium/iccDEV/commit/d6d6f51a999d4266ec09347cac7e0930d6e02eec |
| irisideatechsolutions–Kalrav AI Agent | The Kalrav AI Agent plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the kalrav_upload_file AJAX action in all versions up to, and including, 2.3.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-01-24 | 9.8 | CVE-2025-13374 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5dc8feae-fc89-4152-b9b2-2b70e6ccb30b?source=cve https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/trunk/kalrav-ai-agent.php#L967 https://plugins.trac.wordpress.org/browser/kalrav-ai-agent/tags/2.3.3/kalrav-ai-agent.php#L967 https://github.com/d0n601/CVE-2025-13374 https://ryankozak.com/posts/cve-2025-13374 |
| isaacs–node-tar | node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3, due to incomplete handling of Unicode path collisions in the `path-reservations` system. The library uses a `PathReservations` system to ensure that metadata checks and file operations for the same path are serialized, which prevents race conditions where one entry might clobber another concurrently. On case-insensitive or normalization-insensitive filesystems (such as macOS APFS, on which it has been tested), the library fails to lock colliding paths (e.g., `ß` and `ss`), allowing them to be processed in parallel. This bypasses the library’s internal concurrency safeguards and permits symlink poisoning attacks via race conditions: a race condition that enables arbitrary file overwrite. This vulnerability affects users and systems using node-tar on macOS (APFS/HFS+). Because the library used `NFD` Unicode normalization (under which `ß` and `ss` are different), conflicting paths do not have their order properly preserved under filesystems that ignore Unicode normalization (e.g., APFS, on which `ß` causes an inode collision with `ss`). This enables an attacker to circumvent the internal parallelization locks (`PathReservations`) using conflicting filenames within a malicious tar archive. The patch in version 7.5.4 updates `path-reservations.js` to use a normalization form that matches the target filesystem’s behavior (e.g., `NFKD`), followed first by `toLocaleLowerCase('en')` and then by `toLocaleUpperCase('en')`. As a workaround, users who cannot upgrade promptly and who programmatically use `node-tar` to extract arbitrary tarball data should filter out all `SymbolicLink` entries (as npm does) to defend against arbitrary file writes via this filesystem entry name collision issue. | 2026-01-20 | 8.8 | CVE-2026-23950 | https://github.com/isaacs/node-tar/security/advisories/GHSA-r6q2-hw4h-h46w https://github.com/isaacs/node-tar/commit/3b1abfae650056edfabcbe0a0df5954d390521e6 |
| ISC–BIND 9 | Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1. | 2026-01-21 | 7.5 | CVE-2025-13878 | https://downloads.isc.org/isc/bind9/9.18.44 https://downloads.isc.org/isc/bind9/9.20.18 https://downloads.isc.org/isc/bind9/9.21.17 |
| itsourcecode–Online Frozen Foods Ordering System | A weakness has been identified in itsourcecode Online Frozen Foods Ordering System 1.0. This issue affects some unknown processing of the file /order_online.php. Manipulation of the argument product_name can lead to SQL injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1159 | VDB-341753 (itsourcecode Online Frozen Foods Ordering System order_online.php sql injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #736332 (itsourcecode Online Frozen Foods Ordering System V1.0 SQL Injection) https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/1 https://itsourcecode.com/ |
| itsourcecode–School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. Affected is an unknown function of the file /subject/index.php. Manipulation of the argument ID results in SQL injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 7.3 | CVE-2026-1176 | VDB-341770 (itsourcecode School Management System index.php sql injection); CTI Indicators (IOB, IOC, TTP, IOA); Submit #736477 (itsourcecode School Management System V1.0 SQL Injection) https://github.com/ltranquility/CVE/issues/32 https://itsourcecode.com/ |
| jaraco–jaraco.context | jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue. | 2026-01-20 | 8.6 | CVE-2026-23949 | https://github.com/jaraco/jaraco.context/security/advisories/GHSA-58pv-8j8x-9vj2 https://github.com/jaraco/jaraco.context/commit/7b26a42b525735e4085d2e994e13802ea339d5f9 https://github.com/jaraco/jaraco.context/blob/main/jaraco/context/__init__.py#L74-L91 https://github.com/pypa/setuptools/blob/main/setuptools/_vendor/jaraco/context.py#L55-L76 |
| JNC–IAQS | IAQS and I6 developed by JNC has a Client-Side Enforcement of Server-Side Security vulnerability, allowing unauthenticated remote attackers to gain administrator privileges by manipulating the web front-end. | 2026-01-23 | 9.8 | CVE-2026-1363 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JNC–IAQS | IAQS and I6 developed by JNC has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to directly operate system administrative functionalities. | 2026-01-23 | 9.8 | CVE-2026-1364 | https://www.twcert.org.tw/tw/cp-132-10652-4cdca-1.html https://www.twcert.org.tw/en/cp-139-10653-117a1-2.html |
| JuneAndGreen–sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue. | 2026-01-22 | 9.1 | CVE-2026-23966 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-pgx9-497m-6c4v https://github.com/JuneAndGreen/sm-crypto/commit/b1c824e58fdf1eaa73692c124a095819a8c45707 |
| JuneAndGreen–sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23965 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-hpwg-xg7m-3p6m https://github.com/JuneAndGreen/sm-crypto/commit/85295a859d0766222d12ce2be3e6fce7b438b510 |
| JuneAndGreen–sm-crypto | sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue. | 2026-01-22 | 7.5 | CVE-2026-23967 | https://github.com/JuneAndGreen/sm-crypto/security/advisories/GHSA-qv7w-v773-3xqm |
| KMSpico–Service KMSELDI | KMSpico 17.1.0.0 contains an unquoted service path vulnerability in the Service KMSELDI configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path `C:\Program Files\KMSpico\Service_KMS.exe` to inject malicious executables and escalate privileges. | 2026-01-25 | 7.8 | CVE-2020-36935 | ExploitDB-49003 Official KMSpico Homepage VulnCheck Advisory: KMSpico 17.1.0.0 – ‘Service KMSELDI’ Unquoted Service Path |
| kodezen–Academy LMS WordPress LMS Plugin for Complete eLearning Solution | The Academy LMS – WordPress LMS Plugin for Complete eLearning Solution plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.5.0. This is due to the plugin not properly validating a user’s identity prior to updating their password and relying solely on a publicly-exposed nonce for authorization. This makes it possible for unauthenticated attackers to change arbitrary user’s password, including administrators, and gain access to their account. | 2026-01-21 | 9.8 | CVE-2025-15521 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6687ebbe-fdf4-4ecb-bf59-034bb4b0104c?source=cve https://plugins.trac.wordpress.org/browser/academy/tags/3.5.0/includes/functions.php#L1581 |
| kohler–hotcrp | HotCRP is conference review software. A problem introduced in April 2024 in version 3.1 led to inadequately sanitized code generation for HotCRP formulas which allowed users to trigger the execution of arbitrary PHP code. The problem is patched in release version 3.2. | 2026-01-19 | 10 | CVE-2026-23836 | https://github.com/kohler/hotcrp/security/advisories/GHSA-hpqh-j6qx-x57h https://github.com/kohler/hotcrp/commit/4674fcfbb76511072a1145dad620756fc1d4b4e9 https://github.com/kohler/hotcrp/commit/bfc7e0db15df6ed6d544a639020d2ce05a5f0834 |
| Kozea–WeasyPrint | WeasyPrint helps web developers to create PDF documents. Prior to version 68.0, a server-side request forgery (SSRF) protection bypass exists in WeasyPrint’s `default_url_fetcher`. The vulnerability allows attackers to access internal network resources (such as `localhost` services or cloud metadata endpoints) even when a developer has implemented a custom `url_fetcher` to block such access. This occurs because the underlying `urllib` library follows HTTP redirects automatically without re-validating the new destination against the developer’s security policy. Version 68.0 contains a patch for the issue. | 2026-01-19 | 7.5 | CVE-2025-68616 | https://github.com/Kozea/WeasyPrint/security/advisories/GHSA-983w-rhvv-gwmv https://github.com/Kozea/WeasyPrint/commit/b6a14f0f3f4ce9c0c75c1a2d73cb1c5d43f0e565 |
| laravel–reverb | Laravel Reverb provides a real-time WebSocket communication backend for Laravel applications. In versions 1.6.3 and below, Reverb passes data from the Redis channel directly into PHP’s unserialize() function without restricting which classes can be instantiated, which leaves users vulnerable to Remote Code Execution. The exploitability of this vulnerability is increased because Redis servers are commonly deployed without authentication, but only affects Laravel Reverb when horizontal scaling is enabled (REVERB_SCALING_ENABLED=true). This issue has been fixed in version 1.7.0. As a workaround, require a strong password for Redis access and ensure the service is only accessible via a private network or local loopback, and/or set REVERB_SCALING_ENABLED=false to bypass the vulnerable logic entirely (if the environment uses only one Reverb node). | 2026-01-21 | 9.8 | CVE-2026-23524 | https://github.com/laravel/reverb/security/advisories/GHSA-m27r-m6rx-mhm4 https://github.com/laravel/reverb/commit/9ec26f8ffbb701f84920dd0bb9781a1797591f1a https://cwe.mitre.org/data/definitions/502.html https://github.com/laravel/reverb/releases/tag/v1.7.0 https://laravel.com/docs/12.x/reverb#scaling |
| leepeuker–movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23839 | https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker–movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23840 | https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57 https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204 https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| leepeuker–movary | Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue. | 2026-01-19 | 9.3 | CVE-2026-23841 | https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v https://github.com/leepeuker/movary/releases/tag/0.70.0 |
| LiteSpeed Technologies Inc–LiteSpeed Web Server Enterprise | LiteSpeed Web Server Enterprise 5.4.11 contains an authenticated command injection vulnerability in the external app configuration interface. Authenticated administrators can inject shell commands through the ‘Command’ parameter in the server configuration, allowing remote code execution via path traversal and bash command injection. | 2026-01-23 | 8.8 | CVE-2021-47903 | ExploitDB-49523 LiteSpeed Technologies Official Homepage LiteSpeed Web Server Product Page VulnCheck Advisory: LiteSpeed Web Server Enterprise 5.4.11 – Command Injection |
| LiteSpeed Technologies–OpenLiteSpeed | Openlitespeed 1.7.9 contains a stored cross-site scripting vulnerability in the dashboard’s Notes parameter that allows administrators to inject malicious scripts. Attackers can craft a payload in the Notes field during listener configuration that will execute when an administrator clicks on the Default Icon. | 2026-01-21 | 7.2 | CVE-2021-47855 | ExploitDB-49727 OpenLiteSpeed Vendor Homepage VulnCheck Advisory: Openlitespeed 1.7.9 – ‘Notes’ Stored Cross-Site Scripting |
| Luidia–eBeam Education Suite | eBeam Education Suite 2.5.0.9 contains an unquoted service path vulnerability in the eBeam Device Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-01-21 | 7.8 | CVE-2021-47878 | ExploitDB-49647 Software Download Page VulnCheck Advisory: eBeam Education Suite 2.5.0.9 – ‘eBeam Device Service’ Unquoted Service Path |
| Luidia–eBeam Interactive Suite | eBeam Interactive Suite 3.6 contains an unquoted service path vulnerability in the eBeam Stylus Driver service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in `C:\Program Files (x86)\Luidia\eBeam Stylus Driver` to inject malicious executables that would run with LocalSystem permissions. | 2026-01-21 | 7.8 | CVE-2021-47879 | ExploitDB-49648 Software Download Page VulnCheck Advisory: eBeam Interactive Suite 3.6 – ‘eBeam Stylus Driver’ Unquoted Service Path |
| lxc–incus | Incus is a system container and virtual machine manager. In versions 6.20.0 and below, a user with the ability to launch a container with a custom YAML configuration (e.g. a member of the ‘incus’ group) can create an environment variable containing newlines, which can be used to add additional configuration items in the container’s lxc.conf due to newline injection. This can allow adding arbitrary lifecycle hooks, ultimately resulting in arbitrary command execution on the host. Exploiting this issue on IncusOS requires a slight modification of the payload to change to a different writable directory for the validation step (e.g. /tmp). This can be confirmed with a second container with /tmp mounted from the host (a privileged action for validation only). A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23953 | https://github.com/lxc/incus/security/advisories/GHSA-x6jc-phwx-hp32 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L1081 https://github.com/user-attachments/files/24473682/environment_newline_injection.sh https://github.com/user-attachments/files/24473685/environment_newline_injection.patch |
| lxc–incus | Incus is a system container and virtual machine manager. Versions 6.21.0 and below allow a user with the ability to launch a container with a custom image (e.g. a member of the ‘incus’ group) to use directory traversal or symbolic links in the templating functionality to achieve arbitrary file read and arbitrary file write on the host. This ultimately results in arbitrary command execution on the host. When using an image with a metadata.yaml containing templates, neither the source nor the target paths are checked for symbolic links or directory traversal. This can also be exploited in IncusOS. A fix is planned for versions 6.0.6 and 6.21.0, but they have not been released at the time of publication. | 2026-01-22 | 8.7 | CVE-2026-23954 | https://github.com/lxc/incus/security/advisories/GHSA-7f67-crqm-jgh7 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7215 https://github.com/lxc/incus/blob/HEAD/internal/server/instance/drivers/driver_lxc.go#L7294 https://github.com/user-attachments/files/24473599/template_arbitrary_write.sh https://github.com/user-attachments/files/24473601/templates_arbitrary_write.patch |
| lxsmnsyc–seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1. | 2026-01-21 | 7.3 | CVE-2026-23736 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hj76-42vx-jwp4 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc–seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.1 (the same commit as the other seroval advisories listed here). | 2026-01-21 | 7.5 | CVE-2026-23737 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3rxj-6cgf-8cfw https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc–seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23956 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-hx9m-jf43-8ffr https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc–seroval | seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1. | 2026-01-22 | 7.5 | CVE-2026-23957 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-66fc-rw6m-c2q6 https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| lxsmnsyc–seroval | Seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, serialization of objects with extreme depth can exceed the maximum call stack limit. In version 1.4.1, Seroval introduces a `depthLimit` parameter in serialization/deserialization methods. An error will be thrown if the depth limit is reached. | 2026-01-22 | 7.5 | CVE-2026-24006 | https://github.com/lxsmnsyc/seroval/security/advisories/GHSA-3j22-8qj3-26mx https://github.com/lxsmnsyc/seroval/commit/ce9408ebc87312fcad345a73c172212f2a798060 |
| MacPaw Way Ltd.–Encrypto | MacPaw Encrypto 1.0.1 contains an unquoted service path vulnerability in its Encrypto Service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in `C:\Program Files\Encrypto` to inject malicious executables and escalate privileges on Windows systems. | 2026-01-21 | 7.8 | CVE-2021-47863 | ExploitDB-49694 MacPaw Encrypto Official Homepage VulnCheck Advisory: MacPaw Encrypto 1.0.1 – ‘Encrypto Service’ Unquoted Service Path |
| Magic Utilities–Magic Mouse 2 utilities | Magic Mouse 2 Utilities 2.20 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path to inject malicious executables and gain elevated system privileges by placing a malicious file in the service path. | 2026-01-25 | 7.8 | CVE-2020-36936 | ExploitDB-49017 Magic Utilities Vendor Homepage VulnCheck Advisory: Magic Mouse 2 utilities 2.20 – ‘magicmouse2service’ Unquoted Service Path |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon versions before v4.3.18, v4.4.12, and v4.5.5 do not have a limit on the maximum number of poll options for remote posts, allowing attackers to create polls with a very large amount of options, greatly increasing resource consumption. Depending on the number of poll options, an attacker can cause disproportionate resource usage in both Mastodon servers and clients, potentially causing Denial of Service either server-side or client-side. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 7.5 | CVE-2026-23962 | https://github.com/mastodon/mastodon/security/advisories/GHSA-gg8q-rcg7-p79g https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream–MedDream PACS Premium | An arbitrary file read vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted HTTP request can lead to an arbitrary file read. An attacker can send an HTTP request to trigger this vulnerability. | 2026-01-20 | 9.6 | CVE-2025-53912 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2273 |
| melapress–Melapress Role Editor | The Melapress Role Editor plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.1.1. This is due to a misconfigured capability check on the ‘save_secondary_roles_field’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to assign themselves additional roles including Administrator. | 2026-01-23 | 8.8 | CVE-2025-14866 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0509aaf1-8aae-42e5-84d3-ea9b431703f3?source=cve https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/ajax/class-admin-ajax.php https://plugins.trac.wordpress.org/browser/melapress-role-editor/tags/1.1.0/classes/admin/additional-form-fields/class-user-profile.php#L103 https://plugins.trac.wordpress.org/changeset/3439348/ |
| Microsoft–Azure Data Explorer | Exposure of sensitive information to an unauthorized actor in Azure Data Explorer allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21524 | Azure Data Explorer Information Disclosure Vulnerability |
| Microsoft–Azure Front Door | Improper access control in Azure Front Door (AFD) allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 9.8 | CVE-2026-24306 | Azure Front Door Elevation of Privilege Vulnerability |
| Microsoft–Azure Logic Apps | Improper limitation of a pathname to a restricted directory (‘path traversal’) in Azure Logic Apps allows an unauthorized attacker to elevate privileges over a network. | 2026-01-22 | 8.2 | CVE-2026-21227 | Azure Logic Apps Elevation of Privilege Vulnerability |
| Microsoft–Azure Resource Manager | Improper access control in Azure Resource Manager allows an authorized attacker to elevate privileges over a network. | 2026-01-23 | 9.9 | CVE-2026-24304 | Azure Resource Manager Elevation of Privilege Vulnerability |
| Microsoft–Microsoft 365 Copilot | Improper validation of specified type of input in M365 Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 9.3 | CVE-2026-24307 | M365 Copilot Information Disclosure Vulnerability |
| Microsoft–Microsoft 365 Word Copilot | Improper neutralization of escape, meta, or control sequences in Copilot allows an unauthorized attacker to disclose information over a network. | 2026-01-22 | 7.4 | CVE-2026-21521 | Word Copilot Information Disclosure Vulnerability |
| Microsoft–Microsoft Account | Improper neutralization of input during web page generation (‘cross-site scripting’) in Microsoft Account allows an unauthorized attacker to perform spoofing over a network. | 2026-01-22 | 9.3 | CVE-2026-21264 | Microsoft Account Spoofing Vulnerability |
| Microsoft–Microsoft Copilot Studio | Exposure of sensitive information to an unauthorized actor in Copilot Studio allows an unauthenticated attacker to view sensitive information over a network attack vector. | 2026-01-22 | 7.5 | CVE-2026-21520 | Copilot Studio Information Disclosure Vulnerability |
| Microsoft–Microsoft Entra | Azure Entra ID Elevation of Privilege Vulnerability | 2026-01-22 | 9.3 | CVE-2026-24305 | Azure Entra ID Elevation of Privilege Vulnerability |
| Microvirt–MEMU PLAY | Microvirt MEMU Play 3.7.0 contains an unquoted service path vulnerability in the MEmusvc Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-25 | 7.8 | CVE-2020-36937 | ExploitDB-49016 Official MEMU Play Product Homepage VulnCheck Advisory: MEMU PLAY 3.7.0 – ‘MEmusvc’ Unquoted Service Path |
| Moodle–Moodle | A flaw was found in Moodle. An attacker with access to the restore interface could trigger server-side execution of arbitrary code. This is due to insufficient validation of restore input, which leads to unintended interpretation by core restore routines. Successful exploitation could result in a full compromise of the Moodle application. | 2026-01-23 | 8.8 | CVE-2025-67847 | https://access.redhat.com/security/cve/CVE-2025-67847 |
| Moodle–Moodle | Moodle 3.10.3 contains a persistent cross-site scripting vulnerability in the calendar event subtitle field that allows attackers to inject malicious scripts. Attackers can craft a calendar event with malicious JavaScript in the subtitle track label to execute arbitrary code when users view the event. | 2026-01-21 | 7.2 | CVE-2021-47857 | ExploitDB-49714 Official Moodle Project Homepage VulnCheck Advisory: Moodle 3.10.3 – ‘label’ Persistent Cross Site Scripting |
| nanbingxyz–5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, unsafe HTML rendering permits untrusted HTML (including on* event attributes) to execute in the renderer context. An attacker can inject an `<img onerror=…>` payload to run arbitrary JavaScript in the renderer, which can call exposed bridge APIs such as `window.bridge.mcpServersManager.createServer`. This enables unauthorized creation of MCP servers and can lead to remote command execution. Version 0.15.3 fixes the issue. | 2026-01-21 | 9.7 | CVE-2026-22792 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-p5fm-wm8g-rffx https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| nanbingxyz–5ire | 5ire is a cross-platform desktop artificial intelligence assistant and model context protocol client. Prior to version 0.15.3, an unsafe option parsing vulnerability in the ECharts Markdown plugin allows any user able to submit ECharts code blocks to execute arbitrary JavaScript code in the renderer context. This can lead to Remote Code Execution (RCE) in environments where privileged APIs (such as Electron’s electron.mcp) are exposed, resulting in full compromise of the host system. Version 0.15.3 patches the issue. | 2026-01-21 | 9.7 | CVE-2026-22793 | https://github.com/nanbingxyz/5ire/security/advisories/GHSA-wg3x-7c26-97wj https://github.com/nanbingxyz/5ire/releases/tag/v0.15.3 |
| NodeBB–NodeBB Plugin Emoji | NodeBB Plugin Emoji 3.2.1 contains an arbitrary file write vulnerability that allows administrative users to write files to arbitrary system locations through the emoji upload API. Attackers with admin access can craft file upload requests with directory traversal to overwrite system files by manipulating the file path parameter. | 2026-01-21 | 7.5 | CVE-2021-47746 | ExploitDB-49813 Official NodeBB Homepage NodeBB Emoji Plugin GitHub Repository VulnCheck Advisory: NodeBB Plugin Emoji 3.2.1 – Arbitrary File Write |
| Northwest Performance Software, Inc.–Managed Switch Port Mapping Tool | Managed Switch Port Mapping Tool 2.85.2 contains a denial of service vulnerability that allows attackers to crash the application by creating an oversized buffer. Attackers can generate a 10,000-character buffer and paste it into the IP Address and SNMP Community Name fields to trigger the application crash. | 2026-01-23 | 7.5 | CVE-2021-47894 | ExploitDB-49566 Vendor Homepage Software Download Page VulnCheck Advisory: Managed Switch Port Mapping Tool 2.85.2 – Denial of Service |
| Nsauditor–Nsauditor | Nsauditor 3.2.2.0 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Event Description field with a large buffer. Attackers can generate a 10,000-character ‘U’ buffer and paste it into the Event Description field to trigger an application crash. | 2026-01-23 | 7.5 | CVE-2021-47895 | ExploitDB-49568 Official Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.2.0 – ‘Event Description’ Denial of Service |
| NVIDIA–CUDA Toolkit | NVIDIA Nsight Systems contains a vulnerability in the gfx_hotspot recipe, where an attacker could cause an OS command injection by supplying a malicious string to the process_nsys_rep_cli.py script if the script is invoked manually. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33228 | https://nvd.nist.gov/vuln/detail/CVE-2025-33228 https://www.cve.org/CVERecord?id=CVE-2025-33228 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA–CUDA Toolkit | NVIDIA Nsight Visual Studio for Windows contains a vulnerability in Nsight Monitor where an attacker can execute arbitrary code with the same privileges as the NVIDIA Nsight Visual Studio Edition Monitor application. A successful exploit of this vulnerability may lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33229 | https://nvd.nist.gov/vuln/detail/CVE-2025-33229 https://www.cve.org/CVERecord?id=CVE-2025-33229 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA–CUDA Toolkit | NVIDIA Nsight Systems for Linux contains a vulnerability in the .run installer, where an attacker could cause an OS command injection by supplying a malicious string to the installation path. A successful exploit of this vulnerability might lead to escalation of privileges, code execution, data tampering, denial of service, and information disclosure. | 2026-01-20 | 7.3 | CVE-2025-33230 | https://nvd.nist.gov/vuln/detail/CVE-2025-33230 https://www.cve.org/CVERecord?id=CVE-2025-33230 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| NVIDIA–Merlin Transformers4Rec | NVIDIA Merlin Transformers4Rec for all platforms contains a vulnerability where an attacker could cause code injection. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering. | 2026-01-20 | 7.8 | CVE-2025-33233 | https://nvd.nist.gov/vuln/detail/CVE-2025-33233 https://www.cve.org/CVERecord?id=CVE-2025-33233 https://nvidia.custhelp.com/app/answers/detail/a_id/5761 |
| OKI–Configuration Tool | OKI Configuration Tool 1.6.53 contains an unquoted service path vulnerability in the OKI Local Port Manager service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path `C:\Program Files\Okidata\Common\extend3\portmgrsrv.exe` to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47884 | ExploitDB-49624 Archived OKI Product Webpage VulnCheck Advisory: Configuration Tool 1.6.53 – ‘OpLclSrv’ Unquoted Service Path |
| OKI–Print Job Accounting | OKI Print Job Accounting 4.4.10 contains an unquoted service path vulnerability in the OkiJaSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Okidata\Print Job Accounting’ to inject malicious executables and escalate privileges. | 2026-01-21 | 7.8 | CVE-2021-47887 | ExploitDB-49623 Archived OKI Product Webpage VulnCheck Advisory: Print Job Accounting 4.4.10 – ‘OkiJaSvc’ Unquoted Service Path |
| OpenStack–keystonemiddleware | An issue was discovered in OpenStack keystonemiddleware 10.5 through 10.7 before 10.7.2, 10.8 and 10.9 before 10.9.1, and 10.10 through 10.12 before 10.12.1. The external_oauth2_token middleware fails to sanitize incoming authentication headers before processing OAuth 2.0 tokens. By sending forged identity headers such as X-Is-Admin-Project, X-Roles, or X-User-Id, an authenticated attacker may escalate privileges or impersonate other users. All deployments using the external_oauth2_token middleware are affected. | 2026-01-19 | 9.9 | CVE-2026-22797 | https://launchpad.net/bugs/2129018 https://www.openwall.com/lists/oss-security/2026/01/16/9 |
| opf–openproject | OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProject’s roadmap view renders the “Related work packages” list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. Versions 16.6.5 and 17.0.0 mitigate the issue by restoring the `X-Content-Type-Options: nosniff` header; that header had been in place until a refactoring to the Rails standard content-security-policy configuration, which stopped applying it from OpenProject 16.3.0 onward. Those who cannot upgrade should add an `X-Content-Type-Options: nosniff` header in the proxying web server in front of OpenProject. | 2026-01-19 | 8.7 | CVE-2026-23625 | https://github.com/opf/openproject/security/advisories/GHSA-cvpq-cc56-gwxx https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.0 |
| Oracle Corporation–Oracle Agile PLM | Vulnerability in the Oracle Agile PLM product of Oracle Supply Chain (component: User and User Group). The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile PLM accessible data. CVSS 3.1 Base Score 7.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 7.5 | CVE-2026-21940 | Oracle Advisory |
| Oracle Corporation–Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Supplier Portal). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in takeover of Oracle Agile Product Lifecycle Management for Process. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 9.8 | CVE-2026-21969 | Oracle Advisory |
| Oracle Corporation–Oracle Business Intelligence Enterprise Edition | Vulnerability in the Oracle Business Intelligence Enterprise Edition product of Oracle Analytics (component: Oracle Analytics Cloud). Supported versions that are affected are 7.6.0.0.0 and 8.2.0.0.0. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Business Intelligence Enterprise Edition executes to compromise Oracle Business Intelligence Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data. CVSS 3.1 Base Score 7.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 7.1 | CVE-2026-21976 | Oracle Advisory |
| Oracle Corporation–Oracle Database Server | Vulnerability in the SQLcl component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.0. Difficult to exploit vulnerability allows unauthenticated attacker with logon to the infrastructure where SQLcl executes to compromise SQLcl. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of SQLcl. CVSS 3.1 Base Score 7.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H). | 2026-01-20 | 7 | CVE-2026-21939 | Oracle Advisory |
| Oracle Corporation–Oracle FLEXCUBE Investor Servicing | Vulnerability in the Oracle FLEXCUBE Investor Servicing product of Oracle Financial Services Applications (component: Security Management System). Supported versions that are affected are 14.5.0.15.0, 14.7.0.8.0 and 14.8.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Investor Servicing. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle FLEXCUBE Investor Servicing accessible data as well as unauthorized access to critical data or complete access to all Oracle FLEXCUBE Investor Servicing accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 8.1 | CVE-2026-21973 | Oracle Advisory |
| Oracle Corporation–Oracle Hospitality OPERA 5 | Vulnerability in the Oracle Hospitality OPERA 5 product of Oracle Hospitality Applications (component: Opera Servlet). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality OPERA 5 accessible data as well as unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Hospitality OPERA 5. CVSS 3.1 Base Score 8.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L). | 2026-01-20 | 8.6 | CVE-2026-21967 | Oracle Advisory |
| Oracle Corporation–Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in | Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N). | 2026-01-20 | 10 | CVE-2026-21962 | Oracle Advisory |
| Oracle Corporation–Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: AWT, JavaFX). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.4 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N). | 2026-01-20 | 7.4 | CVE-2026-21932 | Oracle Advisory |
| Oracle Corporation–Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21945 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21955 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21956 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21987 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21988 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle VM VirtualBox accessible data as well as unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L). | 2026-01-20 | 8.1 | CVE-2026-21989 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 8.2 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 8.2 | CVE-2026-21990 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21957 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21982 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21983 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H). | 2026-01-20 | 7.5 | CVE-2026-21984 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle VM VirtualBox. Note: This vulnerability applies to Windows VMs only. CVSS 3.1 Base Score 7.1 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H). | 2026-01-20 | 7.1 | CVE-2026-21986 | Oracle Advisory |
| Oracle Corporation–Siebel CRM Deployment | Vulnerability in the Siebel CRM Deployment product of Oracle Siebel CRM (component: Server Infrastructure). Supported versions that are affected are 17.0-25.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise Siebel CRM Deployment. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel CRM Deployment. CVSS 3.1 Base Score 7.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 7.5 | CVE-2026-21926 | Oracle Advisory |
| OSAS–OSAS Traverse Extension | OSAS Traverse Extension 11 contains an unquoted service path vulnerability in the TravExtensionHostSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to inject and execute malicious code by placing executable files in the service’s path, potentially gaining elevated system access. | 2026-01-21 | 7.8 | CVE-2021-47864 | ExploitDB-49698 Archived Vendor Homepage VulnCheck Advisory: OSAS Traverse Extension 11 – ‘travextensionhostsvc’ Unquoted Service Path |
| pbatard–rufus | Rufus is a utility that helps format and create bootable USB flash drives. Versions 4.11 and below contain a race condition (TOCTOU) in src/net.c during the creation, validation, and execution of the Fido PowerShell script. Since Rufus runs with elevated privileges (Administrator) but writes the script to the %TEMP% directory (writeable by standard users) without locking the file, a local attacker can replace the legitimate script with a malicious one between the file write operation and the execution step. This allows arbitrary code execution with Administrator privileges. This issue has been fixed in version 4.12_BETA. | 2026-01-22 | 7.3 | CVE-2026-23988 | https://github.com/pbatard/rufus/security/advisories/GHSA-hcx5-hrhj-xhq9 https://github.com/pbatard/rufus/commit/460cc5768aa45be07941b9e4ebc9bee02d282873 https://github.com/pbatard/rufus/releases/tag/v4.12_BETA |
| PDF Complete, Inc.–PDFCOMPLETE Corporate Edition | PDF Complete Corporate Edition 4.1.45 contains an unquoted service path vulnerability in the pdfcDispatcher service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in the service binary location to inject malicious executables that will be run with elevated LocalSystem privileges. | 2026-01-23 | 7.8 | CVE-2021-47896 | ExploitDB-49558 Vendor Homepage Software Download Page VulnCheck Advisory: PDFCOMPLETE Corporate Edition 4.1.45 – ‘pdfcDispatcher’ Unquoted Service Path |
| PEEL eCommerce–PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the ‘Comments / Special Instructions’ parameter of the purchase page. Attackers can inject malicious JavaScript payloads that will execute when the page is refreshed, potentially allowing client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47892 | ExploitDB-49574 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 – ‘Comments/Special Instructions’ Stored Cross-Site Scripting |
| PEEL eCommerce–PEEL Shopping | PEEL Shopping 9.3.0 contains a stored cross-site scripting vulnerability in the address parameter of the change_params.php script. Attackers can inject malicious JavaScript payloads that execute when users interact with the address text box, potentially enabling client-side script execution. | 2026-01-23 | 7.2 | CVE-2021-47897 | ExploitDB-49553 Archived Vendor Homepage VulnCheck Advisory: PEEL Shopping 9.3.0 – ‘address’ Stored Cross-Site Scripting |
| PHPGurukul–Directory Management System | A security vulnerability has been detected in PHPGurukul Directory Management System 1.0. An unknown function of the file /index.php in the Search component is affected: manipulation of the searchdata argument leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 7.3 | CVE-2026-1160 | VDB-341754: PHPGurukul Directory Management System Search index.php sql injection; VDB-341754 CTI Indicators (IOB, IOC, TTP, IOA); Submit #736333: itsourcecode Directory Management System V1.0 SQL Injection; https://github.com/YouSeeYouOneDayDayDe/Nick_1321_vuls/issues/2 https://phpgurukul.com/ |
| phppgadmin–phpPgAdmin | phpPgAdmin 7.13.0 contains a remote command execution vulnerability that allows authenticated attackers to execute arbitrary system commands through SQL query manipulation. Attackers can create a custom table, upload a malicious .txt file, and use the COPY FROM PROGRAM command to execute operating system commands with the application’s privileges. | 2026-01-21 | 8.8 | CVE-2021-47853 | ExploitDB-49736 phpPgAdmin Official Release Page VulnCheck Advisory: phpPgAdmin 7.13.0 – COPY FROM PROGRAM Command Execution |
| Phreesoft–PhreeBooks | PhreeBooks 5.2.3 contains an authenticated file upload vulnerability in the Image Manager that allows remote code execution. Attackers can upload a malicious PHP web shell by exploiting unrestricted file type uploads to gain command execution on the server. | 2026-01-23 | 8.8 | CVE-2021-47904 | ExploitDB-49524 Official Vendor Homepage ExploitDB-46645 Web Shell Payload Gist VulnCheck Advisory: PhreeBooks 5.2.3 – Remote Code Execution |
| posimyththemes–Nexter Extension Site Enhancements Toolkit | The Nexter Extension – Site Enhancements Toolkit plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.4.6 via deserialization of untrusted input in the ‘nxt_unserialize_replace’ function. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present. | 2026-01-20 | 8.1 | CVE-2026-0726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02de9287-68e4-46ce-a491-3f6cbb7fc0ed?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/nexter-extension/tags/4.4.6/include/panel-settings/extensions/nexter-ext-replace-url.php&new_path=/nexter-extension/tags/4.4.7/include/panel-settings/extensions/nexter-ext-replace-url.php |
| ProFTPD–ProFTPD | ProFTPD 1.3.7a contains a denial of service vulnerability that allows attackers to overwhelm the server by creating multiple simultaneous FTP connections. Attackers can repeatedly establish connections using threading to exhaust server connection limits and block legitimate user access. | 2026-01-21 | 7.5 | CVE-2021-47865 | ExploitDB-49697 ProFTPD Official Website ProFTPD GitHub Repository VulnCheck Advisory: ProFTPD 1.3.7a – Remote Denial of Service |
| pypa–wheel | wheel is a command line tool for manipulating Python wheel files, as defined in PEP 427. In versions 0.40.0 through 0.46.1, the unpack function is vulnerable to file permission modification through mishandling of file permissions after extraction. The logic blindly trusts the filename from the archive header for the chmod operation, even though the extraction process itself might have sanitized the path. Attackers can craft a malicious wheel file that, when unpacked, changes the permissions of critical system files (e.g., /etc/passwd, SSH keys, config files), allowing for Privilege Escalation or arbitrary code execution by modifying now-writable scripts. This issue has been fixed in version 0.46.2. | 2026-01-22 | 7.1 | CVE-2026-24049 | https://github.com/pypa/wheel/security/advisories/GHSA-8rrh-rw8j-w5fx https://github.com/pypa/wheel/commit/7a7d2de96b22a9adf9208afcc9547e1001569fef https://github.com/pypa/wheel/releases/tag/0.46.2 |
| Quenary–tugtainer | Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue. | 2026-01-19 | 8.1 | CVE-2026-23846 | https://github.com/Quenary/tugtainer/security/advisories/GHSA-f2qf-f544-xm4p https://github.com/Quenary/tugtainer/commit/9d23bf40ac1d39005582abfcf0a84753a4e29d52 |
| Realtek Semiconductor Corp.–Realtek Wireless LAN Utility | Realtek Wireless LAN Utility 700.1631 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path by inserting malicious code in the system root path that would execute during application startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47880 | ExploitDB-49646 Realtek Official Homepage VulnCheck Advisory: Realtek Wireless LAN Utility 700.1631 – ‘Realtek11nSU’ Unquoted Service Path |
| Rockstar Games–Rockstar Games Launcher | Rockstar Games Launcher 1.0.37.349 contains a privilege escalation vulnerability: the service executable has weak file permissions that allow authenticated local users to modify it. Attackers can replace RockstarService.exe with a malicious binary that, when the service runs, creates a new administrator user and grants elevated system access. | 2026-01-21 | 8.8 | CVE-2021-47852 | ExploitDB-49739 Rockstar Games Launcher Official Site VulnCheck Advisory: Rockstar Service – Insecure File Permissions |
| runtipi–runtipi | Runtipi is a Docker-based, personal homeserver orchestrator that facilitates multiple services on a single server. Versions from 3.7.0 up to, but not including, 4.7.0 allow an authenticated user to execute arbitrary system commands on the host server by injecting shell metacharacters into backup filenames. The BackupManager fails to sanitize the filenames of uploaded backups: the system persists user-uploaded files directly to the host filesystem using the raw originalname provided in the request. This allows an attacker to stage a file whose name contains shell metacharacters (e.g., $(id).tar.gz) at a predictable path, which is later referenced during the restore process. Because the file is stored under that name, the subsequent restore command references it and the metacharacters are evaluated by the shell. This issue has been fixed in version 4.7.0. | 2026-01-22 | 8.1 | CVE-2026-24129 | https://github.com/runtipi/runtipi/security/advisories/GHSA-vrgf-rcj5-6gv9 https://github.com/runtipi/runtipi/commit/c3aa948885554a370d374692158a3bfe1cfdc85a https://github.com/runtipi/runtipi/releases/tag/v4.7.0 |
| Sandboxie-Plus–Sandboxie Plus | Sandboxie Plus 0.7.2 contains an unquoted service path vulnerability in the SbieSvc service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem permissions during service startup. | 2026-01-21 | 7.8 | CVE-2021-47883 | ExploitDB-49631 Vendor Homepage VulnCheck Advisory: Sandboxie Plus v0.7.2 – ‘SbieSvc’ Unquoted Service Path |
| Sangfor–Operation and Maintenance Management System | A vulnerability was identified in Sangfor Operation and Maintenance Management System up to 3.0.12. The function SessionController of the file /isomp-protocol/protocol/session in the SSH Protocol Handler component is affected: manipulation of the keypassword argument leads to OS command injection. The attack can be initiated remotely. A public exploit is available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 8.8 | CVE-2026-1324 | VDB-342300: Sangfor Operation and Maintenance Management System SSH Protocol session SessionController os command injection; VDB-342300 CTI Indicators (IOB, IOC, TTP, IOA); Submit #735716: Sangfor Operation and Maintenance Management System (OSM / 运维安全管理系统, Operations and Maintenance Security Management System) 3.0.8 OS Command Injection; https://github.com/LX-LX88/cve/issues/20 |
| satndy–Aplikasi-Biro-Travel | Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access. | 2026-01-21 | 8.2 | CVE-2021-47848 | ExploitDB-49759 Aplikasi Biro Travel GitHub Repository VulnCheck Advisory: Blitar Tourism 1.0 – Authentication Bypass SQLi |
| Security–Winpakpro | WIN-PACK PRO 4.8 contains an unquoted service path vulnerability in the ScheduleService that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in ‘C:\Program Files (x86)\WINPAKPRO\ScheduleService Service.exe’ to inject malicious code that would execute during service startup. | 2026-01-21 | 7.8 | CVE-2021-47867 | ExploitDB-49691 Honeywell Product Webpage VulnCheck Advisory: WIN-PACK PRO 4.8 – ‘ScheduleService’ Unquoted Service Path |
| SEO Panel–SEO Panel | SEO Panel versions prior to 4.9.0 contain a blind SQL injection vulnerability in the archive.php page that allows authenticated attackers to manipulate database queries through the ‘order_col’ parameter. Attackers can use sqlmap to exploit the vulnerability and extract database information by injecting malicious SQL code into the order column parameter. | 2026-01-21 | 7.1 | CVE-2021-47872 | ExploitDB-49666 Official SEO Panel Homepage SEO Panel 4.9.0 Release GitHub Issue #209 VulnCheck Advisory: SEO Panel < 4.9.0 – ‘order_col’ Blind SQL Injection |
| shazdeh–Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.3.4 via the ‘slug’ attribute of the ‘get_template’ shortcode. This is due to insufficient path validation on user-supplied input passed to the get_template_part() function. This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included. | 2026-01-24 | 7.5 | CVE-2026-1257 | https://www.wordfence.com/threat-intel/vulnerabilities/id/119fe499-88c4-413f-a44a-2b3acfdbdeb5?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L144 https://wordpress.org/plugins/administrative-shortcodes https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L144 |
| Shenzhen Tenda Technology Co.,Ltd.–Tenda D151 & D301 | Tenda D151 and D301 routers contain an unauthenticated configuration download vulnerability that allows remote attackers to retrieve router configuration files. Attackers can send a request to /goform/getimage endpoint to download configuration data including admin credentials without authentication. | 2026-01-21 | 7.5 | CVE-2021-47802 | ExploitDB-49782 Tenda Official Vendor Homepage VulnCheck Advisory: Tenda D151 & D301 – Configuration Download |
| sibercii6-crypto–teklifolustur_app | teklifolustur_app is a web-based PHP application that allows users to create, manage, and track quotes for their clients. Prior to commit dd082a134a225b8dcd401b6224eead4fb183ea1c, an Insecure Direct Object Reference (IDOR) vulnerability exists in the offer view functionality. Authenticated users can manipulate the offer_id parameter to access offers belonging to other users. The issue is caused by missing authorization checks ensuring that the requested offer belongs to the currently authenticated user. Commit dd082a134a225b8dcd401b6224eead4fb183ea1c contains a patch. | 2026-01-19 | 7.1 | CVE-2026-23843 | https://github.com/sibercii6-crypto/teklifolustur_app/security/advisories/GHSA-6h9r-mmg3-cg7m https://github.com/sibercii6-crypto/teklifolustur_app/commit/dd082a134a225b8dcd401b6224eead4fb183ea1c |
| SIPp–SIPp | A flaw was found in SIPp. A remote attacker could exploit this by sending specially crafted Session Initiation Protocol (SIP) messages during an active call. This vulnerability, a NULL pointer dereference, can cause the application to crash, leading to a denial of service. Under specific conditions, it may also allow an attacker to execute unauthorized code, compromising the system’s integrity and availability. | 2026-01-23 | 8.4 | CVE-2026-0710 | https://access.redhat.com/security/cve/CVE-2026-0710 RHBZ#2427788 |
| Softros Systems–LAN Messenger | Softros LAN Messenger 9.6.4 contains an unquoted service path vulnerability in the SoftrosSpellChecker service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files (x86)\Softros Systems\Softros Messenger\Spell Checker’ to inject malicious executables and escalate privileges. | 2026-01-23 | 7.8 | CVE-2021-47889 | ExploitDB-49588 Vendor Homepage VulnCheck Advisory: Softros LAN Messenger 9.6.4 – ‘SoftrosSpellChecker’ Unquoted Service Path |
| Softros Systems–LogonExpert | LogonExpert 8.1 contains an unquoted service path vulnerability in the LogonExpertSvc service running with LocalSystem privileges. Attackers can exploit the unquoted path to place malicious executables in intermediate directories, potentially gaining elevated system access during service startup. | 2026-01-23 | 7.8 | CVE-2021-47890 | ExploitDB-49586 Vendor Homepage Software Download Link VulnCheck Advisory: LogonExpert 8.1 – ‘LogonExpertSvc’ Unquoted Service Path |
| Solvera Software Services Trade Inc.–Teknoera | Unrestricted Upload of File with Dangerous Type vulnerability in Solvera Software Services Trade Inc. Teknoera allows File Content Injection. This issue affects Teknoera: through 01102025. | 2026-01-22 | 8.1 | CVE-2025-10856 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| Solvera Software Services Trade Inc.–Teknoera | Authorization Bypass Through User-Controlled Key vulnerability in Solvera Software Services Trade Inc. Teknoera allows Exploitation of Trusted Identifiers. This issue affects Teknoera: through 01102025. | 2026-01-22 | 7.5 | CVE-2025-10855 | https://www.usom.gov.tr/bildirim/tr-26-0003 |
| specialk–User Submitted Posts Enable Users to Submit Posts from the Front End | The User Submitted Posts – Enable Users to Submit Posts from the Front End plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom fields in all versions up to, and including, 20251210 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 7.2 | CVE-2026-0800 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1ec907bc-bd10-4dc5-be35-4f2aaf5ef444?source=cve https://plugins.trac.wordpress.org/changeset/3436859/user-submitted-posts |
| Tenda–AX1803 | A flaw has been found in Tenda AX1803 1.0.0.1. The affected element is the function fromGetWifiGuestBasic of the file /goform/WifiGuestSet. Executing a manipulation of the argument guestWrlPwd/guestEn/guestSsid/hideSsid/guestSecurity can lead to stack-based buffer overflow. The attack may be launched remotely. The exploit has been published and may be used. | 2026-01-22 | 8.8 | CVE-2026-1329 | VDB-342305 \| Tenda AX1803 WifiGuestSet fromGetWifiGuestBasic stack-based overflow VDB-342305 \| CTI Indicators (IOB, IOC, IOA) Submit #736063 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow Submit #736064 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736065 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736066 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) Submit #736067 \| Tenda AX1803 V1.0.0.1 Stack-based Buffer Overflow (Duplicate) https://river-brow-763.notion.site/Tenda-AX1803-Buffer-Overflow-in-fromGetWifiGusetBasic-2e3a595a7aef80a78225db34317daa40#2e3a595a7aef801ab517e4af5631227a https://www.tenda.com.cn/ |
| The Textpattern Development Team–Textpattern | Textpattern versions prior to 4.8.3 contain an authenticated remote code execution vulnerability that allows logged-in users to upload malicious PHP files. Attackers can upload a PHP file with a shell command execution payload and execute arbitrary commands by accessing the uploaded file through a specific URL parameter. | 2026-01-23 | 8.8 | CVE-2021-47888 | ExploitDB-49620 Official Vendor Homepage Textpattern Software Download Page VulnCheck Advisory: Textpattern 4.8.3 – Remote code execution |
| Tosei–Online Store Management System | A vulnerability was determined in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1192 | VDB-341777 \| Tosei Online Store Management System ネット店舗管理システム imode_alldata.php command injection VDB-341777 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734205 \| Tosei Tosei Online Store Management System ネット店舗管理システム 1.01 Command Injection https://www.yuque.com/yuqueyonghuexlgkz/zepczx/keenhf9u2bnw5o6g |
| TOTOLINK–A3700R | A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1143 | VDB-341735 \| TOTOLINK A3700R cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341735 \| CTI Indicators (IOB, IOC, IOA) Submit #735502 \| TOTOLINK A3700R V9.1.2u.5822_B20200513 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-A3700R-setWiFiEasyGuestCfg-2e353a41781f8057a244ead07d5eaaff?source=copy_link https://www.totolink.net/ |
| Totolink–LR350 | A vulnerability was found in Totolink LR350 9.3.5u.6369_B20220309. Affected by this vulnerability is the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument ssid results in buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used. | 2026-01-19 | 8.8 | CVE-2026-1155 | VDB-341749 \| Totolink LR350 cstecgi.cgi setWiFiEasyGuestCfg buffer overflow VDB-341749 \| CTI Indicators (IOB, IOC, IOA) Submit #735718 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyGuestCfg-2e453a41781f8034bae3d1a11066a8fb?source=copy_link https://www.totolink.net/ |
| Totolink–LR350 | A vulnerability was determined in Totolink LR350 9.3.5u.6369_B20220309. Affected by this issue is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument ssid causes buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-19 | 8.8 | CVE-2026-1156 | VDB-341750 \| Totolink LR350 cstecgi.cgi setWiFiBasicCfg buffer overflow VDB-341750 \| CTI Indicators (IOB, IOC, IOA) Submit #735722 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiBasicCfg-2e453a41781f80a2ad43e85bf5d46659?source=copy_link https://www.totolink.net/ |
| Totolink–LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. | 2026-01-19 | 8.8 | CVE-2026-1157 | VDB-341751 \| Totolink LR350 cstecgi.cgi setWiFiEasyCfg buffer overflow VDB-341751 \| CTI Indicators (IOB, IOC, IOA) Submit #735726 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWiFiEasyCfg-2e453a41781f80b7b53cef33c6a782aa?source=copy_link https://www.totolink.net/ |
| Totolink–LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. This vulnerability affects the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 8.8 | CVE-2026-1158 | VDB-341752 \| Totolink LR350 POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-341752 \| CTI Indicators (IOB, IOC, IOA) Submit #735728 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setWizardCfg-2e453a41781f80ce89cfc1d25049e279?source=copy_link https://www.totolink.net/ |
| Totolink–NR1800X | A vulnerability was detected in Totolink NR1800X 9.1.0u.6279_B20210910. Impacted is the function setWizardCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Performing a manipulation of the argument ssid results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-22 | 8.8 | CVE-2026-1328 | VDB-342304 \| Totolink NR1800X POST Request cstecgi.cgi setWizardCfg buffer overflow VDB-342304 \| CTI Indicators (IOB, IOC, IOA) Submit #735792 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Buffer Overflow https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWizardCfg-2e453a41781f80568a54c9368082fbe9?source=copy_link https://www.totolink.net/ |
| Unified Intents AB–Unified Remote | Unified Remote 3.9.0.2463 contains a remote code execution vulnerability that allows attackers to send crafted network packets to execute arbitrary commands. Attackers can exploit the service by connecting to port 9512 and sending specially crafted packets to open a command prompt and download and execute malicious payloads. | 2026-01-23 | 9.8 | CVE-2021-47891 | ExploitDB-49587 Unified Remote Official Homepage Unified Remote Download Page VulnCheck Advisory: Unified Remote 3.9.0.2463 – Remote Code Execution |
| UTT–进取 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1137 | VDB-341728 \| UTT 进取 520W formWebAuthGlobalConfig strcpy buffer overflow VDB-341728 \| CTI Indicators (IOB, IOC, IOA) Submit #735296 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/32.md |
| UTT–进取 520W | A flaw has been found in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1138 | VDB-341729 \| UTT 进取 520W ConfigExceptQQ strcpy buffer overflow VDB-341729 \| CTI Indicators (IOB, IOC, IOA) Submit #735298 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/33.md |
| UTT–进取 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/ConfigExceptMSN. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1139 | VDB-341730 \| UTT 进取 520W ConfigExceptMSN strcpy buffer overflow VDB-341730 \| CTI Indicators (IOB, IOC, IOA) Submit #735299 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/34.md |
| UTT–进取 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/ConfigExceptAli. The manipulation results in buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 8.8 | CVE-2026-1140 | VDB-341731 \| UTT 进取 520W ConfigExceptAli strcpy buffer overflow VDB-341731 \| CTI Indicators (IOB, IOC, IOA) Submit #735300 \| UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/35.md |
| UTT–HiPER 810 | A flaw has been found in UTT HiPER 810 1.7.4-141218. The impacted element is the function strcpy of the file /goform/setSysAdm. This manipulation of the argument passwd1 causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-19 | 9.8 | CVE-2026-1162 | VDB-341756 \| UTT HiPER 810 setSysAdm strcpy buffer overflow VDB-341756 \| CTI Indicators (IOB, IOC, IOA) Submit #736511 \| UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Buffer Overflow https://github.com/cha0yang1/UTT810/blob/main/1.md https://github.com/cha0yang1/UTT810/blob/main/1.md#poc |
| VestaCP–VestaCP | VestaCP versions prior to 0.9.8-25 contain a cross-site scripting vulnerability in the IP interface configuration that allows attackers to inject malicious scripts. Attackers can exploit the ‘v_interface’ parameter by sending a crafted POST request to the add/ip/ endpoint with a stored XSS payload. | 2026-01-21 | 7.2 | CVE-2021-47873 | ExploitDB-49662 VestaCP Official Vendor Homepage VestaCP Alternative Download Site VulnCheck Advisory: VestaCP < 0.9.8-25 – Stored Cross-Site Scripting |
| Vfsforgit–VFS for Git | VFS for Git 1.0.21014.1 contains an unquoted service path vulnerability in the GVFS.Service Windows service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with LocalSystem privileges during service startup or system reboot. | 2026-01-21 | 7.8 | CVE-2021-47874 | ExploitDB-49661 Vendor Homepage VulnCheck Advisory: VFS for Git 1.0.21014.1 – ‘GVFS.Service’ Unquoted Service Path |
| vllm-project–vllm | vLLM is an inference and serving engine for large language models (LLMs). Starting in version 0.10.1 and prior to version 0.14.0, vLLM loads Hugging Face `auto_map` dynamic modules during model resolution without gating on `trust_remote_code`, allowing attacker-controlled Python code in a model repo/path to execute at server startup. An attacker who can influence the model repo/path (local directory or remote Hugging Face repo) can achieve arbitrary code execution on the vLLM host during model load. This happens before any request handling and does not require API access. Version 0.14.0 fixes the issue. | 2026-01-21 | 8.8 | CVE-2026-22807 | https://github.com/vllm-project/vllm/security/advisories/GHSA-2pc9-4j83-qjmr https://github.com/vllm-project/vllm/pull/32194 https://github.com/vllm-project/vllm/commit/78d13ea9de4b1ce5e4d8a5af9738fea71fb024e5 https://github.com/vllm-project/vllm/releases/tag/v0.14.0 |
| wpdevteam–NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX – FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar plugin for WordPress is vulnerable to DOM-Based Cross-Site Scripting via the ‘nx-preview’ POST parameter in all versions up to, and including, 3.2.0. This is due to insufficient input sanitization and output escaping when processing preview data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute when a user visits a malicious page that auto-submits a form to the vulnerable site. | 2026-01-20 | 7.2 | CVE-2025-15380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ca12315-380b-4251-b637-4e9d29df35e0?source=cve https://research.cleantalk.org/cve-2025-15380/ https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpmessiah–Frontis Blocks Block Library for the Block Editor | The Frontis Blocks plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.1.6. This is due to insufficient restriction on the ‘url’ parameter in the ‘template_proxy’ function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application via the ‘/template-proxy/’ and ‘/proxy-image/’ endpoints. | 2026-01-24 | 7.2 | CVE-2026-0807 | https://www.wordfence.com/threat-intel/vulnerabilities/id/322e0a27-9119-4b46-a043-d3a68c4fcdc4?source=cve https://plugins.trac.wordpress.org/browser/frontis-blocks/trunk/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/browser/frontis-blocks/tags/1.1.4/includes/Admin/Admin.php#L910 https://plugins.trac.wordpress.org/changeset/3444616/ |
| wpmudev–Hustle Email Marketing, Lead Generation, Optins, Popups | The Hustle – Email Marketing, Lead Generation, Optins, Popups plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the action_import_module() function in all versions up to, and including, 7.8.9.2. This makes it possible for authenticated attackers, with a lower-privileged role (e.g., Subscriber-level access and above), to upload arbitrary files on the affected site’s server which may make remote code execution possible. Successful exploitation requires an admin to grant Hustle module permissions (or module edit access) to the low-privileged user so they can access the Hustle admin page and obtain the required nonce. | 2026-01-24 | 7.5 | CVE-2026-0911 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22be5fb5-143e-4934-9f93-e17def18e883?source=cve https://plugins.trac.wordpress.org/changeset/3440956/wordpress-popup |
| Yodinfo–Mini Mouse | Mini Mouse 9.2.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary commands through an unauthenticated HTTP endpoint. Attackers can leverage the /op=command endpoint to download and execute payloads by sending crafted JSON requests with malicious script commands. | 2026-01-21 | 9.8 | CVE-2021-47851 | ExploitDB-49743 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 – Remote Code Execution |
| Yodinfo–Mini Mouse | Mini Mouse 9.2.0 contains a path traversal vulnerability that allows remote attackers to access arbitrary system files and directories through crafted HTTP requests. Attackers can retrieve sensitive files like win.ini and list contents of system directories such as C:\Users\Public by manipulating file and path parameters. | 2026-01-21 | 7.5 | CVE-2021-47850 | ExploitDB-49744 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.2.0 – Path Traversal |
| Yonyou–KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This vulnerability affects unknown code of the file /worksheet/worksadd.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument ID results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1129 | VDB-341719 \| Yonyou KSOA HTTP GET Parameter worksadd.jsp sql injection VDB-341719 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734557 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/11 |
| Yonyou–KSOA | A flaw has been found in Yonyou KSOA 9.0. This issue affects some unknown processing of the file /worksheet/worksadd_plan.jsp of the component HTTP GET Parameter Handler. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1130 | VDB-341720 \| Yonyou KSOA HTTP GET Parameter worksadd_plan.jsp sql injection VDB-341720 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734565 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/12 |
| Yonyou–KSOA | A vulnerability has been found in Yonyou KSOA 9.0. Impacted is an unknown function of the file /kmc/save_catalog.jsp of the component HTTP GET Parameter Handler. Such manipulation of the argument catalogid leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1131 | VDB-341721 \| Yonyou KSOA HTTP GET Parameter save_catalog.jsp sql injection VDB-341721 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734566 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/13 |
| Yonyou–KSOA | A vulnerability was found in Yonyou KSOA 9.0. The affected element is an unknown function of the file /kmf/edit_folder.jsp of the component HTTP GET Parameter Handler. Performing a manipulation of the argument folderid results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1132 | VDB-341722 \| Yonyou KSOA HTTP GET Parameter edit_folder.jsp sql injection VDB-341722 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734568 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/15 |
| Yonyou–KSOA | A vulnerability was determined in Yonyou KSOA 9.0. The impacted element is an unknown function of the file /kmf/folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1133 | VDB-341723 \| Yonyou KSOA HTTP GET Parameter folder.jsp sql injection VDB-341723 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734576 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/16 |
| Yonyou–KSOA | A weakness has been identified in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1177 | VDB-341771 \| Yonyou KSOA HTTP GET Parameter save_folder.jsp sql injection VDB-341771 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734577 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/17 |
| Yonyou–KSOA | A security vulnerability has been detected in Yonyou KSOA 9.0. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1178 | VDB-341772 \| Yonyou KSOA HTTP GET Parameter select.jsp sql injection VDB-341772 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734593 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/18 |
| Yonyou–KSOA | A vulnerability was detected in Yonyou KSOA 9.0. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 7.3 | CVE-2026-1179 | VDB-341773 \| Yonyou KSOA HTTP GET Parameter user_popedom.jsp sql injection VDB-341773 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734594 \| Yonyou KSOA v9.0 SQL Injection https://github.com/LX-66-LX/cve/issues/19 |
| Zoom Communications Inc.–Zoom Node | A Command Injection vulnerability in Zoom Node Multimedia Routers (MMRs) before version 5.2.1716.0 may allow a meeting participant to conduct remote code execution of the MMR via network access. | 2026-01-20 | 9.9 | CVE-2026-22844 | https://www.zoom.com/en/trust/security-bulletin/zsb-26001 |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10web–Photo Gallery by 10Web Mobile-Friendly Image Gallery | The Photo Gallery by 10Web – Mobile-Friendly Image Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the delete_comment() function in all versions up to, and including, 1.8.36. This makes it possible for unauthenticated attackers to delete arbitrary image comments. Note: comments functionality is only available in the Pro version of the plugin. | 2026-01-21 | 5.3 | CVE-2026-1036 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4eb2ae42-584d-4da8-9184-461b5a37b7b6?source=cve https://plugins.trac.wordpress.org/browser/photo-gallery/tags/1.8.35/frontend/controllers/BWGControllerGalleryBox.php#L173 |
| adzbierajewski–Alex User Counter | The Alex User Counter plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.0. This is due to missing nonce validation on the alex_user_counter_function() function. This makes it possible for unauthenticated attackers to update the plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1070 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1a5ef5b3-2900-44f0-9e13-66fbdc937b38?source=cve https://plugins.trac.wordpress.org/browser/user-counter/trunk/user-counter.php#L41 https://plugins.trac.wordpress.org/browser/user-counter/tags/6.0/user-counter.php#L41 |
| Aida Computer Information Technology Inc.–Hotel Guest Hotspot | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Aida Computer Information Technology Inc. Hotel Guest Hotspot allows Reflected XSS. This issue affects Hotel Guest Hotspot: through 22012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.5 | CVE-2025-4763 | https://www.usom.gov.tr/bildirim/tr-26-0001 |
| aiktp–AIKTP | The AIKTP plugin for WordPress is vulnerable to unauthorized modification of data due to missing authorization checks on the /aiktp/getToken REST API endpoint in all versions up to, and including, 5.0.04. The endpoint uses the ‘verify_user_logged_in’ as a permission callback, which only checks if a user is logged in, but fails to verify if the user has administrative capabilities. This makes it possible for authenticated attackers with Subscriber-level access and above to retrieve the administrator’s ‘aiktpz_token’ access token, which can then be used to create posts, upload media library files, and access private content as the administrator. | 2026-01-24 | 5.4 | CVE-2026-1103 | https://www.wordfence.com/threat-intel/vulnerabilities/id/84846d95-792d-4569-b0eb-876d82d0beee?source=cve https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L123 https://plugins.trac.wordpress.org/browser/aiktp/tags/5.0.04/includes/aiktp-sync.php#L143 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3445248%40aiktp&new=3445248%40aiktp |
| AlchemyCMS–alchemy_cms | Alchemy is an open source content management system engine written in Ruby on Rails. Prior to versions 7.4.12 and 8.0.3, the application uses the Ruby `eval()` function to dynamically execute a string provided by the `resource_handler.engine_name` attribute in `Alchemy::ResourcesHelper#resource_url_proxy`. The vulnerability exists in `app/helpers/alchemy/resources_helper.rb` at line 28. The code explicitly bypasses security linting with `# rubocop:disable Security/Eval`, indicating that the use of a dangerous function was known but not properly mitigated. Since `engine_name` is sourced from module definitions that can be influenced by administrative configurations, it allows an authenticated attacker to escape the Ruby sandbox and execute arbitrary system commands on the host OS. Versions 7.4.12 and 8.0.3 fix the issue by replacing `eval()` with `send()`. | 2026-01-19 | 6.4 | CVE-2026-23885 | https://github.com/AlchemyCMS/alchemy_cms/security/advisories/GHSA-2762-657x-v979 https://github.com/AlchemyCMS/alchemy_cms/commit/55d03ec600fd9e07faae1138b923790028917d26 https://github.com/AlchemyCMS/alchemy_cms/commit/563c4ce45bf5813b7823bf3403ca1fc32cb769e7 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v7.4.12 https://github.com/AlchemyCMS/alchemy_cms/releases/tag/v8.0.3 |
| Altium–AES | A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content. | 2026-01-22 | 6.8 | CVE-2025-27379 | https://www.altium.com/platform/security-compliance/security-advisories |
| Altium–Altium Designer | Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data. | 2026-01-22 | 5.3 | CVE-2025-27377 | https://www.altium.com/platform/security-compliance/security-advisories |
| aminhashemy–GZSEO | The GZSEO plugin for WordPress is vulnerable to authorization bypass leading to Stored Cross-Site Scripting in all versions up to, and including, 2.0.11. This is due to missing capability checks on multiple AJAX handlers combined with insufficient input sanitization and output escaping on the embed_code parameter. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary content into any post on the site that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14941 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c91a4d4d-5bfa-42fd-80b4-7a75ee79db19?source=cve https://plugins.trac.wordpress.org/browser/gzseo/tags/2.0.11/includes/class-gzseo-video-update.php?marks=112,365,369,370,563#L112 |
| andddd–WP-ClanWars | The WP-ClanWars plugin for WordPress is vulnerable to SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 2.0.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-24 | 4.9 | CVE-2026-0806 | https://www.wordfence.com/threat-intel/vulnerabilities/id/65aa20e2-efc1-481a-8ed4-423d2420c3db?source=cve https://plugins.trac.wordpress.org/browser/wp-clanwars/trunk/classes/teams.class.php#L92 https://plugins.trac.wordpress.org/browser/wp-clanwars/tags/2.0.1/classes/teams.class.php#L92 https://cwe.mitre.org/data/definitions/89.html |
| AutomationDirect–CLICK Programmable Logic Controller | An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks. | 2026-01-22 | 6.1 | CVE-2025-25051 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| AutomationDirect–CLICK Programmable Logic Controller | An attacker with access to the project file could use the exposed credentials to impersonate users, escalate privileges, or gain unauthorized access to systems and services. The absence of robust encryption or secure handling mechanisms increases the likelihood of this type of exploitation, leaving sensitive information more vulnerable. | 2026-01-22 | 6.1 | CVE-2025-67652 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json |
| avahi–avahi | Avahi is a system which facilitates service discovery on a local network via the mDNS/DNS-SD protocol suite. In versions 0.9rc2 and below, avahi-daemon can be crashed via a segmentation fault by sending an unsolicited mDNS response containing a recursive CNAME record, where the alias and canonical name point to the same domain (e.g., “h.local” as a CNAME for “h.local”). This causes unbounded recursion in the lookup_handle_cname function, leading to stack exhaustion. The vulnerability affects record browsers where AVAHI_LOOKUP_USE_MULTICAST is set explicitly, which includes record browsers created by resolvers used by nss-mdns. This issue is patched in commit 78eab31128479f06e30beb8c1cbf99dd921e2524. | 2026-01-24 | 6.5 | CVE-2026-24401 | https://github.com/avahi/avahi/security/advisories/GHSA-h4vp-5m8j-f6w3 https://github.com/avahi/avahi/issues/501 https://github.com/avahi/avahi/commit/78eab31128479f06e30beb8c1cbf99dd921e2524 |
| AWS–Firecracker | A UNIX symbolic link following issue in the jailer component in Firecracker version v1.13.1 and earlier and 1.14.0 on Linux may allow a local host user with write access to the pre-created jailer directories to overwrite arbitrary host files via a symlink attack during the initialization copy at jailer startup, if the jailer is executed with root privileges. To mitigate this issue, users should upgrade to version v1.13.2 or 1.14.1 or above. | 2026-01-23 | 6 | CVE-2026-1386 | https://aws.amazon.com/security/security-bulletins/2026-003-AWS/ https://github.com/firecracker-microvm/firecracker/releases/tag/v1.14.1 https://github.com/firecracker-microvm/firecracker/releases/tag/v1.13.2 https://github.com/firecracker-microvm/firecracker/security/advisories/GHSA-36j2-f825-qvgc |
| axllent–mailpit | Mailpit is an email testing tool and API for developers. Versions prior to 1.28.3 are vulnerable to Server-Side Request Forgery (SSRF) via HTML Check CSS Download. The HTML Check feature (`/api/v1/message/{ID}/html-check`) is designed to analyze HTML emails for compatibility. During this process, the `inlineRemoteCSS()` function automatically downloads CSS files from external `<link rel="stylesheet" href="…">` tags to inline them for testing. Version 1.28.3 fixes the issue. | 2026-01-19 | 5.8 | CVE-2026-23845 | https://github.com/axllent/mailpit/security/advisories/GHSA-6jxm-fv7w-rw5j https://github.com/axllent/mailpit/commit/1679a0aba592ebc8487a996d37fea8318c984dfe https://github.com/axllent/mailpit/releases/tag/v1.28.3 |
| B&R Industrial Automation GmbH–Automation Runtime | An Allocation of Resources Without Limits or Throttling vulnerability in the ANSL-Server component of B&R Automation Runtime versions prior to 6.5 and prior to R4.93 could be exploited by an unauthenticated attacker on the network to win a race condition, resulting in permanent denial-of-service (DoS) conditions on affected devices. | 2026-01-19 | 6.8 | CVE-2025-11044 | https://www.br-automation.com/fileadmin/SA25P005-26597bd0.pdf |
| backstage–backstage | Backstage is an open framework for building developer portals, and @backstage/cli-common provides config loading functionality used by the backend and command line interface of Backstage. Prior to version 0.1.17, the `resolveSafeChildPath` utility function in `@backstage/backend-plugin-api`, which is used to prevent path traversal attacks, failed to properly validate symlink chains and dangling symlinks. An attacker could bypass the path validation via symlink chains (creating `link1 → link2 → /outside` where intermediate symlinks eventually resolve outside the allowed directory) and dangling symlinks (creating symlinks pointing to non-existent paths outside the base directory, which would later be created during file operations). This function is used by Scaffolder actions and other backend components to ensure file operations stay within designated directories. This vulnerability is fixed in `@backstage/backend-plugin-api` version 0.1.17. Users should upgrade to this version or later. Some workarounds are available. Run Backstage in a containerized environment with limited filesystem access and/or restrict template creation to trusted users. | 2026-01-21 | 6.3 | CVE-2026-24047 | https://github.com/backstage/backstage/security/advisories/GHSA-2p49-45hj-7mc9 https://github.com/backstage/backstage/commit/ae4dd5d1572a4f639e1a466fd982656b50f8e692 |
| Beckhoff Automation–TwinCAT.HMI.Server | On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page. | 2026-01-20 | 5.5 | CVE-2025-41768 | https://certvde.com/de/advisories/VDE-2025-106 |
| birkir–prime | A vulnerability was detected in birkir prime up to 0.4.0.beta.0. This issue affects some unknown processing of the file /graphql of the component GraphQL API. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1170 | VDB-341764: birkir prime GraphQL API graphql information disclosure; VDB-341764: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731100: birkir prime <=0.4.0 Sensitive Information Disclosure; https://github.com/birkir/prime/issues/541 |
| birkir–prime | A flaw has been found in birkir prime up to 0.4.0.beta.0. Impacted is an unknown function of the file /graphql of the component GraphQL Field Handler. Executing a manipulation can lead to denial of service. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1171 | VDB-341765: birkir prime GraphQL Field graphql denial of service; VDB-341765: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731101: birkir prime <=0.4.0 GraphQL Field Duplication Vulnerability; https://github.com/birkir/prime/issues/542 |
| birkir–prime | A vulnerability has been found in birkir prime up to 0.4.0.beta.0. The affected element is an unknown function of the file /graphql of the component GraphQL Directive Handler. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1172 | VDB-341766: birkir prime GraphQL Directive graphql denial of service; VDB-341766: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731103: birkir prime <=0.4.0 Graphql Directive Overloading Vulnerability; https://github.com/birkir/prime/issues/543 |
| birkir–prime | A vulnerability was found in birkir prime up to 0.4.0.beta.0. The impacted element is an unknown function of the file /graphql of the component GraphQL Array Based Query Batch Handler. The manipulation results in denial of service. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1173 | VDB-341767: birkir prime GraphQL Array Based Query Batch graphql denial of service; VDB-341767: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731104: birkir prime <=0.4.0 Graphql Array Based Query Batching Vulnerability; https://github.com/birkir/prime/issues/544 |
| birkir–prime | A vulnerability was determined in birkir prime up to 0.4.0.beta.0. This affects an unknown function of the file /graphql of the component GraphQL Alias Handler. This manipulation causes resource consumption. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1174 | VDB-341768: birkir prime GraphQL Alias graphql resource consumption; VDB-341768: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731105: birkir prime <=0.4.0 GraphQL Aliases Overloading Vulnerability; https://github.com/birkir/prime/issues/545 |
| birkir–prime | A vulnerability was identified in birkir prime up to 0.4.0.beta.0. This impacts an unknown function of the file /graphql of the component GraphQL Directive Handler. Such manipulation leads to information exposure through error message. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 5.3 | CVE-2026-1175 | VDB-341769: birkir prime GraphQL Directive graphql information exposure; VDB-341769: CTI Indicators (IOB, IOC, TTP, IOA); Submit #731106: birkir prime <=0.4.0 GraphQL Directive Information Disclosure; https://github.com/birkir/prime/issues/546 |
| birkir–prime | A security vulnerability has been detected in birkir prime up to 0.4.0.beta.0. This vulnerability affects unknown code. Such manipulation leads to cross-site request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-19 | 4.3 | CVE-2026-1169 | VDB-341763: birkir prime cross-site request forgery; VDB-341763: CTI Indicators (IOB, IOC); Submit #731287: birkir prime <=0.4.0 CSRF; https://github.com/birkir/prime/issues/547 |
| Bjskzy–Zhiyou ERP | A vulnerability was detected in Bjskzy Zhiyou ERP up to 11.0. Impacted is the function initRCForm of the file RichClientService.class of the component com.artery.richclient.RichClientService. Performing a manipulation results in xml external entity reference. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 6.3 | CVE-2026-1218 | VDB-341908: Bjskzy Zhiyou ERP com.artery.richclient.RichClientService RichClientService.class initRCForm xml external entity reference; VDB-341908: CTI Indicators (IOB, IOC, IOA); Submit #735201: Bjskzy Enterprise Resource Planning Software 11.0 XML External Entity Reference; https://github.com/dingpotian/cve-vul/blob/main/Shikong-Zhiyou-ERP/Shikong-Zhiyou-ERP-XXE-RichClientService-initRCForm.md |
| BloofoxCMS–BloofoxCMS | BloofoxCMS 0.5.2.1 contains a stored cross-site scripting vulnerability in the articles text parameter that allows authenticated attackers to inject malicious scripts. Attackers can insert malicious javascript payloads in the text field to execute scripts and potentially steal authenticated users’ cookies. | 2026-01-23 | 6.4 | CVE-2021-47906 | ExploitDB-49492 Official Vendor Homepage BloofoxCMS Software Releases VulnCheck Advisory: BloofoxCMS 0.5.2.1 – ‘text’ Stored Cross Site Scripting |
| Bosch–Infotainment system ECU | The Infotainment ECU manufactured by Bosch which is installed in Nissan Leaf ZE1 – 2020 uses a Redbend service for over-the-air provisioning and updates. HTTPS is used for communication with the back-end server. Due to usage of the default configuration for the underlying SSL engine, the server root certificate is not verified. As a result, an attacker may be able to impersonate a Redbend backend server using a self-signed certificate. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 6.5 | CVE-2025-32057 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| Bosch–Infotainment system ECU | The anti-theft protection mechanism can be bypassed by attackers due to weak response generation algorithms for the head unit. It is possible to reveal all 32 corresponding responses by sniffing CAN traffic or by pre-calculating the values, which allows the protection to be bypassed. First identified on Nissan Leaf ZE1 manufactured in 2020. | 2026-01-22 | 4 | CVE-2025-32056 | https://www.nissan.co.uk/vehicles/new-vehicles/leaf.html http://i.blackhat.com/Asia-25/Asia-25-Evdokimov-Remote-Exploitation-of-Nissan-Leaf.pdf https://pcacybersecurity.com/resources/advisory/vulnerabilities-in-nissan-infotainment-manufactured-by-bosch |
| brainstormforce–Custom Fonts Host Your Fonts Locally | The Custom Fonts – Host Your Fonts Locally plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the ‘BCF_Google_Fonts_Compatibility’ class constructor function in all versions up to, and including, 2.1.16. This makes it possible for unauthenticated attackers to delete font directory and rewrite theme.json file. | 2026-01-20 | 5.3 | CVE-2025-14351 | https://www.wordfence.com/threat-intel/vulnerabilities/id/60e3a506-8811-4e7d-a16c-02f91c757705?source=cve https://plugins.trac.wordpress.org/browser/custom-fonts/trunk/includes/class-bcf-google-fonts-compatibility.php#L88 https://plugins.trac.wordpress.org/changeset/3442237/custom-fonts |
| bramdnl–Star Review Manager | The Star Review Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.2. This is due to missing nonce validation on the settings page. This makes it possible for unauthenticated attackers to update the plugin’s CSS settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1076 | https://www.wordfence.com/threat-intel/vulnerabilities/id/54b6a141-eb4c-4cf0-a078-5b3aeda25466?source=cve https://plugins.trac.wordpress.org/browser/star-review-manager/trunk/admin/settings.php#L3 https://plugins.trac.wordpress.org/browser/star-review-manager/tags/1.2.2/admin/settings.php#L3 |
| BROWAN COMMUNICATIONS–PrismX MX100 AP controller | PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing authenticated, privileged remote attackers to obtain SMTP plaintext passwords through the web frontend. | 2026-01-20 | 4.9 | CVE-2026-1223 | https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html |
| cantothemes–Canto Testimonials | The Canto Testimonials plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘fx’ shortcode attribute in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1095 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f2ef250-f951-4408-ac42-3272ddf46530?source=cve https://plugins.trac.wordpress.org/browser/canto-testimonials/trunk/canto-testimonials.php#L132 https://plugins.trac.wordpress.org/browser/canto-testimonials/tags/1.0/canto-testimonials.php#L132 |
| Cisco–Cisco Intersight Virtual Appliance | A vulnerability in the read-only maintenance shell of Cisco Intersight Virtual Appliance could allow an authenticated, local attacker with administrative privileges to elevate privileges to root on the virtual appliance. This vulnerability is due to improper file permissions on configuration files for system accounts within the maintenance shell of the virtual appliance. An attacker could exploit this vulnerability by accessing the maintenance shell as a read-only administrator and manipulating system files to grant root privileges. A successful exploit could allow the attacker to elevate their privileges to root on the virtual appliance and gain full control of the appliance, giving them the ability to access sensitive information, modify workloads and configurations on the host system, and cause a denial of service (DoS). | 2026-01-21 | 6 | CVE-2026-20092 | cisco-sa-intersight-privesc-p6tBm6jk |
| Cisco–Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20055 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco–Cisco Packaged Contact Center Enterprise | Multiple vulnerabilities in the web-based management interface of Cisco Packaged Contact Center Enterprise (Packaged CCE) and Cisco Unified Contact Center Enterprise (Unified CCE) could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based management interface of an affected device. These vulnerabilities exist because the web-based management interface does not properly validate user-supplied input. An attacker could exploit these vulnerabilities by injecting malicious code into specific pages of the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit these vulnerabilities, the attacker must have valid administrative credentials. | 2026-01-21 | 4.8 | CVE-2026-20109 | cisco-sa-ucce-pcce-xss-2JVyg3uD |
| Cisco–Cisco Ultra-Reliable Wireless Backhaul | A vulnerability in the SSH service of Cisco IEC6400 Wireless Backhaul Edge Compute Software could allow an unauthenticated, remote attacker to cause the SSH service to stop responding. This vulnerability exists because the SSH service lacks effective flood protection. An attacker could exploit this vulnerability by initiating a denial of service (DoS) attack against the SSH port. A successful exploit could allow the attacker to cause the SSH service to be unresponsive during the period of the DoS attack. All other operations remain stable during the attack. | 2026-01-21 | 5.3 | CVE-2026-20080 | cisco-sa-iec6400-Pem5uQ7v |
| Click2Magic–Click2Magic | Click2Magic 1.1.5 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts in the chat name input. Attackers can craft a malicious payload in the chat name to capture administrator cookies when the admin processes user requests. | 2026-01-25 | 6.4 | CVE-2020-36931 | ExploitDB-49347 Vendor Homepage Official Product Website VulnCheck Advisory: Click2Magic 1.1.5 – Stored Cross-Site Scripting |
| codemacher–CM CSS Columns | The CM CSS Columns plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘tag’ shortcode attribute in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1098 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dabcc606-04ab-4fb0-bf3c-d3ad915b8904?source=cve https://plugins.trac.wordpress.org/browser/cm-css-columns/trunk/includes/Shortcoder.php#L109 https://plugins.trac.wordpress.org/browser/cm-css-columns/tags/1.2.1/includes/Shortcoder.php#L109 |
| controlplaneio-fluxcd–flux-operator | The Flux Operator is a Kubernetes CRD controller that manages the lifecycle of CNCF Flux CD and the ControlPlane enterprise distribution. Starting in version 0.36.0 and prior to version 0.40.0, a privilege escalation vulnerability exists in the Flux Operator Web UI authentication code that allows an attacker to bypass Kubernetes RBAC impersonation and execute API requests with the operator’s service account privileges. In order to be vulnerable, cluster admins must configure the Flux Operator with an OIDC provider that issues tokens lacking the expected claims (e.g., `email`, `groups`), or configure custom CEL expressions that can evaluate to empty values. After OIDC token claims are processed through CEL expressions, there is no validation that the resulting `username` and `groups` values are non-empty. When both values are empty, the Kubernetes client-go library does not add impersonation headers to API requests, causing them to be executed with the flux-operator service account’s credentials instead of the authenticated user’s limited permissions. This can result in privilege escalation, data exposure, and/or information disclosure. Version 0.40.0 patches the issue. | 2026-01-21 | 5.3 | CVE-2026-23990 | https://github.com/controlplaneio-fluxcd/flux-operator/security/advisories/GHSA-4xh5-jcj2-ch8q https://github.com/controlplaneio-fluxcd/flux-operator/pull/610 https://github.com/controlplaneio-fluxcd/flux-operator/commit/084540424f6de8ba5d88fb1fd1e8472ba29afd7e https://github.com/controlplaneio-fluxcd/flux-operator/releases/tag/v0.40.0 |
| CRMEB–CRMEB | A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5.6 | CVE-2026-1203 | VDB-341789: CRMEB JSON Token LoginServices.php remoteRegister improper authentication; VDB-341789: CTI Indicators (IOB, IOC, IOA); Submit #735349: Zhongbang CRMEB v5.6.3 Authentication Bypass by; https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md |
| cubewp1211–CubeWP Framework | The CubeWP – All-in-One Dynamic Content Framework plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.1.27 via the search feature in class-cubewp-search-ajax-hooks.php due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract data from password protected, private, or draft posts that they should not have access to. | 2026-01-25 | 4.3 | CVE-2025-6461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0edb6b7c-8a78-44b9-a5d6-b4a563c92484?source=cve https://plugins.trac.wordpress.org/changeset/3422640/cubewp-framework/trunk/cube/modules/search/class-cubewp-search-ajax-hooks.php |
| Dell–Data Protection Advisor | Dell Data Protection Advisor, versions prior to 19.12, contains an Improper Neutralization of Special Elements Used in a Template Engine vulnerability in the Server. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-23 | 4.3 | CVE-2025-46699 | https://www.dell.com/support/kbdoc/en-us/000281732/dsa-2025-075-security-update-for-dell-data-protection-advisor-for-multiple-component-vulnerabilities |
| Dell–ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Transmission of Sensitive Information vulnerability in the Fabric Syslog. An unauthenticated attacker with remote access could potentially exploit this vulnerability to intercept and modify information in transit. | 2026-01-23 | 6.5 | CVE-2026-22274 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell–ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain a Cleartext Storage of Sensitive Information vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information disclosure. | 2026-01-23 | 5.5 | CVE-2026-22276 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell–ObjectScale | Dell ECS, versions 3.8.1.0 through 3.8.1.7, and Dell ObjectScale versions prior to 4.2.0.0, contain an Inclusion of Sensitive Information in Source Code vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to information exposure. | 2026-01-23 | 4.4 | CVE-2026-22275 | https://www.dell.com/support/kbdoc/en-us/000415880/dsa-2026-047-security-update-for-dell-ecs-and-objectscale-multiple-vulnerabilities |
| Dell–PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains an incorrect permission assignment for critical resource vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 5 | CVE-2026-22280 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| Dell–PowerScale OneFS | Dell PowerScale OneFS, versions prior to 9.13.0.0, contains an insufficient logging vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to information tampering. | 2026-01-22 | 4.3 | CVE-2026-22279 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| devsoftbaltic–SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce validation on the SurveyJS_AddSurvey AJAX action. This makes it possible for unauthenticated attackers to create surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13139 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0c06880e-06cc-4204-a031-355de4de3af2?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/add_survey.php#L12 |
| devsoftbaltic–SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing nonce verification on the ‘SurveyJS_RenameSurvey’ AJAX action. This makes it possible for unauthenticated attackers to rename surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13194 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab88f0cf-971f-43e1-b6b7-4eb55188ecc8?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/rename_survey.php#L12 |
| devsoftbaltic–SurveyJS: Drag & Drop Form Builder | The SurveyJS: Drag & Drop WordPress Form Builder to create, style and embed multiple forms of any complexity plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.12.20. This is due to missing or incorrect nonce validation on the `SurveyJS_CloneSurvey` AJAX action. This makes it possible for unauthenticated attackers to duplicate surveys via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-13205 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e1179303-fe7c-47f1-958c-2e4d2c574e4a?source=cve https://plugins.trac.wordpress.org/browser/surveyjs/tags/1.12.20/ajax_handlers/clone_survey.php#L8 |
| Discord–WebSocket API service | Discord through 2026-01-16 allows gathering information about whether a user’s client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with “status”: “offline”), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as “You will appear offline.” | 2026-01-22 | 4.3 | CVE-2026-24332 | https://xmrcat.org/discord-invisibility-bypass |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.10.0, C++ exceptions are not properly handled for and by the `TbdController` loop, causing both the loop and its caller to terminate silently. This leads to a denial of service, since the loop is responsible for the SDP and ISO15118-20 servers. Version 2025.10.0 fixes the issue. | 2026-01-21 | 6.5 | CVE-2025-68135 | https://github.com/EVerest/everest-core/security/advisories/GHSA-g7mm-r6qp-96vh |
| EVerest–everest-core | EVerest is an EV charging software stack, and EVerest libocpp is a C++ implementation of the Open Charge Point Protocol. In libocpp prior to version 0.30.1, pointers returned by the `strdup` calls are never freed. At each connection attempt, the newly allocated memory area will be leaked, potentially causing memory exhaustion and denial of service. Version 0.30.1 fixes the issue. | 2026-01-21 | 4.7 | CVE-2025-68138 | https://github.com/EVerest/everest-core/security/advisories/GHSA-f8c2-44c3-7v55 https://github.com/EVerest/libocpp/blob/89c7b62ec899db637f43b54f19af2c4af30cfa66/lib/ocpp/common/websocket/websocket_libwebsockets.cpp |
| EVerest–everest-core | EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However, this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround than short-term unavailability of an EVSE, therefore this setting will stay at the current value. | 2026-01-21 | 4.3 | CVE-2025-68139 | https://github.com/EVerest/everest-core/security/advisories/GHSA-wqh4-pj54-6xv9 |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, once the validity of the received V2G message has been verified, it is checked whether the submitted session ID matches the registered one. However, if no session has been registered, the default value is 0. Therefore, a message submitted with a session ID of 0 is accepted, as it matches the registered value. This could allow unauthorized and anonymous indirect emission of MQTT messages and communication with V2G message handlers, updating a session context. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.3 | CVE-2025-68140 | https://github.com/EVerest/everest-core/security/advisories/GHSA-w385-3jwp-x47x |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.9.0, in several places, integer values are concatenated to literal strings when throwing errors. This results in pointer arithmetic instead of printing the integer value as expected, as most interpreted languages would. This can be used by a malicious operator to read unintended memory regions, including the heap and the stack. Version 2025.9.0 fixes the issue. | 2026-01-21 | 4.2 | CVE-2026-23955 | https://github.com/EVerest/everest-core/security/advisories/GHSA-px57-jx97-hrff |
| filebrowser–filebrowser | File Browser provides a file managing interface within a specified directory and can be used to upload, delete, preview, rename, and edit files. Prior to version 2.55.0, the JSONAuth.Auth function contains a logic flaw that allows unauthenticated attackers to enumerate valid usernames by measuring the response time of the /api/login endpoint. The vulnerability exists due to a “short-circuit” evaluation in the authentication logic. When a username is not found in the database, the function returns immediately. However, if the username does exist, the code proceeds to verify the password using bcrypt (users.CheckPwd), which is a computationally expensive operation designed to be slow. This difference in execution path creates a measurable timing discrepancy. Version 2.55.0 contains a patch for the issue. | 2026-01-19 | 5.3 | CVE-2026-23849 | https://github.com/filebrowser/filebrowser/security/advisories/GHSA-43mm-m3h2-3prc https://github.com/filebrowser/filebrowser/commit/24781badd413ee20333aba5cce1919d676e01889 |
| flatboy–FlatPM Ad Manager, AdSense and Custom Code | The FlatPM – Ad Manager, AdSense and Custom Code plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘rank_math_description’ custom field in all versions up to, and including, 3.2.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0690 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14b89618-8a30-4b8c-9490-f05e8fa8ca8a?source=cve https://plugins.trac.wordpress.org/changeset/3434760/flatpm-wp |
| Foxit Software Inc.–na1.foxitesign.foxit.com | URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link. This issue affects na1.foxitesign.foxit.com: before 2026-01-16. | 2026-01-20 | 6.1 | CVE-2025-66523 | https://www.foxit.com/support/security-bulletins.html |
| franklioxygen–MyTube | MyTube is a self-hosted downloader and player for several video websites. Prior to version 1.7.71, a rate limiting bypass via `X-Forwarded-For` header spoofing allows unauthenticated attackers to bypass IP-based rate limiting on general API endpoints. Attackers can spoof client IPs by manipulating the `X-Forwarded-For` header, enabling unlimited requests to protected endpoints, including general API endpoints (enabling DoS) and other rate-limited functionality. Version 1.7.71 contains a patch for the issue. | 2026-01-19 | 6.5 | CVE-2026-23848 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-59gr-529g-x45h https://github.com/franklioxygen/MyTube/commit/bc057458804ae7ac70ea00605680512ed3d4257b |
| freemp–JavaScript Notifier | The JavaScript Notifier plugin for WordPress is vulnerable to Stored Cross-Site Scripting via plugin settings in all versions up to, and including, 1.2.8. This is due to insufficient input sanitization and output escaping on user-supplied attributes in the `wp_footer` action. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 4.4 | CVE-2026-1191 | https://www.wordfence.com/threat-intel/vulnerabilities/id/97696702-4d40-41dd-a25f-f2ee7681a2c9?source=cve https://plugins.trac.wordpress.org/browser/javascript-notifier/trunk/javascript-notifier.php#L75 https://plugins.trac.wordpress.org/browser/javascript-notifier/tags/1.2.8/javascript-notifier.php#L75 |
| GetSimple CMS–Custom JS Plugin | GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page. | 2026-01-21 | 5.3 | CVE-2021-47860 | ExploitDB-49816 Vendor Homepage GetSimple CMS GitHub Repository Researcher Disclosure ExploitDB-49712 VulnCheck Advisory: GetSimple CMS Custom JS 0.1 – CSRF to XSS to RCE |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.1 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that under certain circumstances could have allowed an authenticated user to create a denial of service condition by configuring malformed Wiki documents that bypass cycle detection. | 2026-01-22 | 6.5 | CVE-2025-13335 | GitLab Issue #581060 HackerOne Bug Bounty Report #3418023 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| GitLab–GitLab | GitLab has remediated an issue in GitLab CE/EE affecting all versions from 12.3 before 18.6.4, 18.7 before 18.7.2, and 18.8 before 18.8.2 that could have allowed an unauthenticated user to create a denial of service condition by sending repeated malformed SSH authentication requests. | 2026-01-22 | 5.3 | CVE-2026-1102 | GitLab Issue #579746 https://about.gitlab.com/releases/2026/01/21/patch-release-gitlab-18-8-2-released/ |
| hallsofmontezuma–Moderate Selected Posts | The Moderate Selected Posts plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.4. This is due to missing nonce verification on the msp_admin_page() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14907 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bc23291-1b73-4e92-83ba-0c7f455ac126?source=cve https://plugins.trac.wordpress.org/browser/moderate-selected-posts/tags/1.4/inc/admin.php#L71 |
| HAMASTAR Technology–MeetingHub | MeetingHub developed by HAMASTAR Technology has a Missing Authentication vulnerability, allowing unauthenticated remote attackers to access specific API functions and obtain meeting-related information. | 2026-01-22 | 5.3 | CVE-2026-1332 | https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). In versions prior to 1.5.0, a cross-site scripting vulnerability can be triggered because the extension and content-type are not checked during the profile photo update step. Version 1.5.0 fixes the issue. | 2026-01-22 | 5.4 | CVE-2026-24034 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-mvwg-7c8w-qw2p https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). Versions 1.4.0 and above expose unpublished job postings through the /recruitment/recruitment-details// endpoint without authentication. The response includes draft job titles, descriptions and application link, allowing unauthenticated users to view unpublished roles and access the application workflow for unpublished jobs. Unauthorized access to unpublished job posts can leak sensitive internal hiring information and cause confusion among candidates. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-24036 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-q4xr-w96p-3vg7 https://github.com/horilla-opensource/horilla/commit/9a585a1588431499092a49d7e82cb77daa4d99ee https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). An Improper Access Control vulnerability exists in Horilla HR Software starting in version 1.4.0 and prior to version 1.5.0, allowing any authenticated employee to upload documents on behalf of another employee without proper authorization. This occurs due to insufficient server-side validation of the employee_id parameter during file upload operations, allowing any authenticated employee to upload documents on behalf of any employee. Version 1.5.0 fixes the issue. | 2026-01-22 | 4.3 | CVE-2026-24035 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-fm3f-xpgx-8xr3 https://drive.google.com/file/d/1i00-NnipvxH8bGY-SyqEjnDQfxIbVGRR/view?usp=sharing https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). In version 1.4.0, the has_xss() function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to redirect users to malicious domains, run external JavaScript, and steal CSRF tokens that can be used to craft CSRF attacks against admins. This issue has been fixed in version 1.5.0. | 2026-01-22 | 4.8 | CVE-2026-24037 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-rqw5-fjm4-rgvm https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). Version 1.4.0 has Improper Access Control, allowing low-privileged employees to self-approve documents they have uploaded. The document-approval UI is intended to be restricted to administrator or high-privilege roles only; however, an insufficient server-side authorization check on the approval endpoint lets a standard employee modify the approval status of their own uploaded document. A successful exploitation allows users with only employee-level permissions to alter application state reserved for administrators. This undermines the integrity of HR processes (for example, acceptance of credentials, certifications, or supporting materials), and may enable submission of unvetted documents. This issue is fixed in version 1.5.0. | 2026-01-22 | 4.3 | CVE-2026-24039 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-99mq-mhwv-w9qx https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| IBM–Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36396 | https://www.ibm.com/support/pages/node/7256857 |
| IBM–Application Gateway | IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim’s Web browser within the security context of the hosting site. | 2026-01-20 | 5.4 | CVE-2025-36397 | https://www.ibm.com/support/pages/node/7256857 |
| IBM–ApplinX | IBM ApplinX 11.1 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.4 | CVE-2025-36408 | https://www.ibm.com/support/pages/node/7257446 |
| IBM–ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36409 | https://www.ibm.com/support/pages/node/7257446 |
| IBM–ApplinX | IBM ApplinX 11.1 could disclose sensitive information about server architecture that could aid in further attacks against the system. | 2026-01-20 | 5.3 | CVE-2025-36419 | https://www.ibm.com/support/pages/node/7257446 |
| IBM–Aspera Console | IBM Aspera Console 3.4.7 stores potentially sensitive information in log files that could be read by a local privileged user. | 2026-01-20 | 4.9 | CVE-2025-13925 | https://www.ibm.com/support/pages/node/7256544 |
| IBM–Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation and IBM Business Automation Workflow containers may disclose sensitive configuration information in a config map. | 2026-01-20 | 5.5 | CVE-2025-36058 | https://www.ibm.com/support/pages/node/7256777 |
| IBM–Business Automation Workflow containers | IBM Business Automation Workflow containers 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 006. IBM Cloud Pak for Business Automation could allow a local user with access to the container to execute OS system calls. | 2026-01-20 | 4.7 | CVE-2025-36059 | https://www.ibm.com/support/pages/node/7256777 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1719 | https://www.ibm.com/support/pages/node/7257006 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 could allow a remote attacker to obtain sensitive information from allocated memory due to improper clearing of heap memory. | 2026-01-20 | 5.9 | CVE-2025-1722 | https://www.ibm.com/support/pages/node/7257006 |
| IBM–Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a logout which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36063 | https://www.ibm.com/support/pages/node/7257244 |
| IBM–Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 does not invalidate session after a browser closure which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36065 | https://www.ibm.com/support/pages/node/7257244 |
| IBM–Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 6.1 | CVE-2025-36066 | https://www.ibm.com/support/pages/node/7257244 |
| IBM–Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | 2026-01-20 | 6.3 | CVE-2025-36115 | https://www.ibm.com/support/pages/node/7257244 |
| IBM–Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 | IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0 5.2.0.00 through 5.2.0.12 is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-01-20 | 5.4 | CVE-2025-36113 | https://www.ibm.com/support/pages/node/7257244 |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. The BilateralBlurImage method will allocate a set of double buffers inside AcquireBilateralTLS. But, in versions prior to 7.1.2-13, the last element in the set is not properly initialized. This will result in a release of an invalid pointer inside DestroyBilateralTLS when the memory allocation fails. Version 7.1.2-13 contains a patch for the issue. | 2026-01-20 | 6.5 | CVE-2026-22770 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-39h3-g67r-7g3c https://github.com/ImageMagick/ImageMagick/commit/3e0330721020e0c5bb52e4b77c347527dd71658e |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions 14.10.1 and below have a NULL pointer dereference vulnerability in the MSL (Magick Scripting Language) parser when processing `<comment>` tags before images are loaded. This can lead to a DoS attack due to assertion failure (debug builds) or NULL pointer dereference (release builds). This issue is fixed in version 14.10.2. | 2026-01-22 | 6.5 | CVE-2026-23952 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-5vx3-wx4q-6cj8 https://github.com/dlemstra/Magick.NET/releases/tag/14.10.2 |
| ImageMagick–ImageMagick | ImageMagick is free and open-source software used for editing and manipulating digital images. Versions prior to 7.1.2-13 have a stack overflow via infinite recursion in MSL (Magick Scripting Language) `<write>` command when writing to MSL format. Version 7.1.2-13 fixes the issue. | 2026-01-20 | 5.5 | CVE-2026-23874 | https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-9vj4-wc7r-p844 |
| iqonicdesign–KiviCare Clinic & Patient Management System (EHR) | The KiviCare – Clinic & Patient Management System (EHR) plugin for WordPress is vulnerable to arbitrary file uploads due to missing authorization checks in the uploadMedicalReport() function in all versions up to, and including, 3.6.15. This makes it possible for unauthenticated attackers to upload text files and PDF documents to the affected site’s server which may be leveraged for further attacks such as hosting malicious content or phishing pages via PDF files. | 2026-01-23 | 5.3 | CVE-2026-0927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/489931ef-bac3-4de8-84ec-6f226d96f778?source=cve https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/browser/kivicare-clinic-management-system/tags/3.6.15/app/controllers/KCAppointmentController.php#L1328 https://plugins.trac.wordpress.org/changeset/3443088/kivicare-clinic-management-system/trunk/app/controllers/KCAppointmentController.php |
| itsourcecode–Society Management System | A vulnerability was identified in itsourcecode Society Management System 1.0. This affects an unknown function of the file /admin/expenses.php. The manipulation of the argument detail leads to cross site scripting. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 4.3 | CVE-2026-1134 | VDB-341724 \| itsourcecode Society Management System expenses.php cross site scripting VDB-341724 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735156 \| itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/7 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A security flaw has been discovered in itsourcecode Society Management System 1.0. This impacts an unknown function of the file /admin/activity.php. The manipulation of the argument Title results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1135 | VDB-341725 \| itsourcecode Society Management System activity.php cross site scripting VDB-341725 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735157 \| itsourcecode Society Management System V1.0 cross site scripting https://github.com/TEhS411/cve/issues/8 https://itsourcecode.com/ |
| jamiesage123–MyBB Thread Redirect Plugin | MyBB Thread Redirect Plugin 0.2.1 contains a cross-site scripting vulnerability in the custom text input field for thread redirects. Attackers can inject malicious SVG scripts that will execute when other users view the thread, allowing arbitrary script execution. | 2026-01-23 | 6.1 | CVE-2018-25116 | ExploitDB-49505 Thread Redirect Plugin GitHub Repository VulnCheck Advisory: MyBB Thread Redirect Plugin 0.2.1 – Cross-Site Scripting |
| kohler–hotcrp | HotCRP is conference review software. Starting in commit aa20ef288828b04550950cf67c831af8a525f508 and prior to commit ceacd5f1476458792c44c6a993670f02c984b4a0, authors with at least one submission on a HotCRP site could use the document API to download any documents (PDFs, attachments) associated with any submission. The problem was patched in commit ceacd5f1476458792c44c6a993670f02c984b4a0. | 2026-01-19 | 6.5 | CVE-2026-23878 | https://github.com/kohler/hotcrp/security/advisories/GHSA-vh3x-xwj4-jvqx https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/ceacd5f1476458792c44c6a993670f02c984b4a0 |
| kometschuh–Same Category Posts | The Same Category Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget title placeholder functionality in all versions up to, and including, 1.1.19. This is due to the use of `htmlspecialchars_decode()` on taxonomy term names before output, which decodes HTML entities that WordPress intentionally encodes for safety. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 5.4 | CVE-2025-14797 | https://www.wordfence.com/threat-intel/vulnerabilities/id/70434876-4876-4da8-9af1-6f6ef5632f26?source=cve https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L665 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L639 https://plugins.trac.wordpress.org/browser/same-category-posts/tags/1.1.19/same-category-posts.php#L707 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444428%40same-category-posts&new=3444428%40same-category-posts&sfp_email=&sfph_mail= |
| leadbi–LeadBI Plugin for WordPress | The LeadBI Plugin for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘form_id’ parameter of the ‘leadbi_form’ shortcode in all versions up to, and including, 1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1189 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3a196eaa-64c7-447b-9384-b58fcba57ec0?source=cve https://wordpress.org/plugins/leadbi/ https://plugins.trac.wordpress.org/browser/leadbi/trunk/includes/Plugin.php#L72 https://plugins.trac.wordpress.org/browser/leadbi/tags/1.7/includes/Plugin.php#L72 |
| legalweb–WP DSGVO Tools (GDPR) | The WP DSGVO Tools (GDPR) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘lw_content_block’ shortcode in all versions up to, and including, 3.1.36 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2026-0914 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4474c79b-f93a-4725-8345-ad5c5260913c?source=cve https://plugins.trac.wordpress.org/browser/shapepress-dsgvo/tags/3.1.35/public/shortcodes/content-block-shortcode.php#L17 https://plugins.trac.wordpress.org/changeset/3440083/ |
| lovor–Cookie consent for developers | The Cookie consent for developers plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple settings fields in all versions up to, and including, 1.7.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1084 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c16918a9-7b73-418d-adbd-aa17cb1d8cf8?source=cve https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/trunk/admin/partials/ntg-cookie-consent-admin-display.php#L108 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/class-ntg-cookie-consent-admin.php#L112 https://plugins.trac.wordpress.org/browser/cookie-consent-for-developers/tags/1.7.1/admin/partials/ntg-cookie-consent-admin-display.php#L108 |
| magazine3–Schema & Structured Data for WP & AMP | The Schema & Structured Data for WP & AMP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘saswp_custom_schema_field’ profile field in all versions up to, and including, 1.54 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14069 | https://www.wordfence.com/threat-intel/vulnerabilities/id/651a7036-d421-41b7-91db-102e60d8274e?source=cve https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/common-function.php#L1874 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/admin_section/structure-admin.php#L2605 https://plugins.trac.wordpress.org/browser/schema-and-structured-data-for-wp/tags/1.53/output/function.php#L171 https://plugins.trac.wordpress.org/changeset/3441582/schema-and-structured-data-for-wp/trunk?contextall=1&old=3429983&old_path=%2Fschema-and-structured-data-for-wp%2Ftrunk#file0 |
| mainichiweb–Friendly Functions for Welcart | The Friendly Functions for Welcart plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.5. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1208 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6cc709e0-870b-4d12-9ac8-55da498768a1?source=cve https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L53 https://plugins.trac.wordpress.org/browser/friendly-functions-for-welcart/tags/1.2.5/ffw_function_settings.php#L58 https://plugins.trac.wordpress.org/changeset/3445305/ |
| marcinlawrowski–Wise Analytics | The Wise Analytics plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.1.9. This is due to missing capability checks on the REST API endpoint ‘/wise-analytics/v1/report’. This makes it possible for unauthenticated attackers to access sensitive analytics data including administrator usernames, login timestamps, visitor tracking information, and business intelligence data via the ‘name’ parameter granted they can send unauthenticated requests. | 2026-01-24 | 5.3 | CVE-2025-14609 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d92c80cb-080b-4774-8c66-1d5cf68e771f?source=cve https://plugins.trac.wordpress.org/browser/wise-analytics/trunk/src/Endpoints/ReportsEndpoint.php#L43 https://plugins.trac.wordpress.org/browser/wise-analytics/tags/1.1.9/src/Endpoints/ReportsEndpoint.php#L43 |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, an insecure direct object reference in the web push subscription update endpoint lets any authenticated user update another user’s push subscription by guessing or obtaining the numeric subscription id. This can be used to disrupt push notifications for other users and also leaks the web push subscription endpoint. Any user with a web push subscription is impacted, because another authenticated user can tamper with their push subscription settings if they can guess or obtain the subscription id. This allows an attacker to disrupt push notifications by changing the policy (whether to filter notifications from non-followers or non-followed users) and subscribed notification types of their victims. Additionally, the endpoint returns the subscription object, which includes the push notification endpoint for this subscription, but not its keypair. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 6.5 | CVE-2026-23964 | https://github.com/mastodon/mastodon/security/advisories/GHSA-f3q8-7vw3-69v4 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Mastodon allows server administrators to suspend remote users to prevent interactions. However, some logic errors allow already-known posts from such suspended users to appear in timelines if boosted. Furthermore, under certain circumstances, previously-unknown posts from suspended users can be processed. This issue allows old posts from suspended users to occasionally end up on timelines on all Mastodon versions. Additionally, on Mastodon versions from v4.5.0 to v4.5.4, v4.4.5 to v4.4.11, v4.3.13 to v4.3.17, and v4.2.26 to v4.2.29, remote suspended users can partially bypass the suspension to get new posts in. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 5.3 | CVE-2026-23961 | https://github.com/mastodon/mastodon/security/advisories/GHSA-5h2f-wg8j-xqwp https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.5.5, 4.4.12, and 4.3.18, the server does not enforce a maximum length for the names of lists or filters, or for filter keywords, allowing any user to set an arbitrarily long string as the name or keyword. Any local user can abuse the list or filter fields to cause disproportionate storage and computing resource usage. They can additionally cause their own web interface to be unusable, although they must intentionally do this to themselves or unknowingly approve a malicious API client. Mastodon versions v4.5.5, v4.4.12, v4.3.18 are patched. | 2026-01-22 | 4.3 | CVE-2026-23963 | https://github.com/mastodon/mastodon/security/advisories/GHSA-6x3w-9g92-gvf3 https://github.com/mastodon/mastodon/releases/tag/v4.3.18 https://github.com/mastodon/mastodon/releases/tag/v4.4.12 https://github.com/mastodon/mastodon/releases/tag/v4.5.5 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-36556 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2272 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the sendOruReport functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-44000 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2270 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the fetchPriorStudies functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-46270 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2258 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the downloadZip functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53516 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2254 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyTranscript functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53707 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2267 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7Route functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-53854 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2265 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the encapsulatedDoc functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54157 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2256 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the emailfailedjob functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54495 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2255 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54778 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2257 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAutopurgeFilter functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54814 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2261 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the autoPurge functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a URL to a malicious website to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54817 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2253 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAeTitle functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54852 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2260 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54853 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2268 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyCoercion functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-54861 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2262 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyAnonymize functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-55071 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2259 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the notifynewstudy functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57786 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2269 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyRoute functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57787 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2266 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyEmail functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-57881 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2263 |
| MedDream–MedDream PACS Premium | A reflected cross-site scripting (xss) vulnerability exists in the modifyHL7App functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger this vulnerability. | 2026-01-20 | 6.1 | CVE-2025-58080 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2264 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the status parameter. | 2026-01-20 | 6.1 | CVE-2025-58087 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the archivedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58088 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the longtermdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58089 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the uploaddir parameter. | 2026-01-20 | 6.1 | CVE-2025-58090 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the thumbnaildir parameter. | 2026-01-20 | 6.1 | CVE-2025-58091 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpexe parameter. | 2026-01-20 | 6.1 | CVE-2025-58092 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the phpdir parameter. | 2026-01-20 | 6.1 | CVE-2025-58093 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the worklistsrc parameter. | 2026-01-20 | 6.1 | CVE-2025-58094 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| MedDream–MedDream PACS Premium | Multiple reflected cross-site scripting (xss) vulnerabilities exist in the config.php functionality of MedDream PACS Premium 7.3.6.870. Specially crafted malicious URLs can lead to arbitrary javascript code execution. An attacker can provide a crafted URL to trigger these vulnerabilities. This vulnerability affects the imagedir parameter. | 2026-01-20 | 6.1 | CVE-2025-58095 | https://talosintelligence.com/vulnerability_reports/TALOS-2025-2271 |
| mehtevas–Responsive Header Plugin | The Responsive Header plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple plugin settings parameters in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1300 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30821418-48c0-4bc6-8bf1-f558671bff24?source=cve https://downloads.wordpress.org/plugin/responsive-header.1.0.zip https://wordpress.org/plugins/responsive-header/ https://plugins.trac.wordpress.org/browser/responsive-header/trunk/rhp-settings.php#L103 https://plugins.trac.wordpress.org/browser/responsive-header/tags/1.0/rhp-settings.php#L103 |
| Mfscripts–YetiShare File Hosting Script | YetiShare File Hosting Script 5.1.0 contains a server-side request forgery vulnerability that allows attackers to read local system files through the remote file upload feature. Attackers can exploit the url parameter in the url_upload_handler endpoint to access sensitive files like /etc/passwd by using file:/// protocol. | 2026-01-23 | 4 | CVE-2021-47899 | ExploitDB-49534 Vendor Homepage Software Product Page VulnCheck Advisory: YetiShare File Hosting Script 5.1.0 Remote File Upload SSRF Vulnerability |
| MineAdmin–MineAdmin | A vulnerability was identified in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 6.3 | CVE-2026-1193 | VDB-341778; MineAdmin View view improper authorization VDB-341778; CTI Indicators (IOB, IOC, TTP, IOA) Submit #734270; MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Logical flaw and vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/6 |
| MineAdmin–MineAdmin | A security flaw has been discovered in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-19 | 5.3 | CVE-2026-1194 | VDB-341779; MineAdmin Swagger information disclosure VDB-341779; CTI Indicators (IOB, IOC, TTP) Submit #734271; MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Swagger Information Leakage Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/5 |
| MineAdmin–MineAdmin | A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 5 | CVE-2026-1195 | VDB-341780; MineAdmin JWT Token refresh data authenticity VDB-341780; CTI Indicators (IOB, IOC, IOA) Submit #734272; MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x Flaw Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4 |
| neop–Postalicious | The Postalicious plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1266 | https://www.wordfence.com/threat-intel/vulnerabilities/id/512c9a2f-b023-4e28-8dd8-35795e68a8b3?source=cve https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L316 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L533 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L541 https://plugins.trac.wordpress.org/browser/postalicious/trunk/wp-postalicious.php#L548 https://plugins.trac.wordpress.org/browser/postalicious/tags/3.0.1/wp-postalicious.php#L548 |
| nhomcaodem–Viet contact | The Viet contact plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-20 | 4.4 | CVE-2026-1045 | https://www.wordfence.com/threat-intel/vulnerabilities/id/131a6a35-e0d2-4613-8614-24bf11011098?source=cve https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-admin.php#L34 https://plugins.trac.wordpress.org/browser/viet-contact/trunk/inc/vietcontact-content.php#L11 |
| norcross–WP Hello Bar | The WP Hello Bar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘digit_one’ and ‘digit_two’ parameters in all versions up to, and including, 1.02 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 4.4 | CVE-2026-1042 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73b55486-adb8-40c6-9113-c98618d9cb00?source=cve https://downloads.wordpress.org/plugin/wp-hello-bar.1.02.zip https://wordpress.org/plugins/wp-hello-bar/ https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L214 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L222 https://plugins.trac.wordpress.org/browser/wp-hello-bar/tags/1.02/wp-hello-bar.php#L152 |
| NVIDIA–CUDA Toolkit | NVIDIA Nsight Systems for Windows contains a vulnerability in the application’s DLL loading mechanism where an attacker could cause an uncontrolled search path element by exploiting insecure DLL search paths. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service and information disclosure. | 2026-01-20 | 6.7 | CVE-2025-33231 | https://nvd.nist.gov/vuln/detail/CVE-2025-33231 https://www.cve.org/CVERecord?id=CVE-2025-33231 https://nvidia.custhelp.com/app/answers/detail/a_id/5755 |
| opencryptoki–opencryptoki | openCryptoki is a PKCS#11 library and provides tooling for Linux and AIX. Versions 2.3.2 and above are vulnerable to symlink-following when running in privileged contexts. A token-group user can redirect file operations to arbitrary filesystem targets by planting symlinks in group-writable token directories, resulting in privilege escalation or data exposure. Token and lock directories are 0770 (group-writable for token users), so any token-group member can plant files and symlinks inside them. When run as root, the base code handling token directory file access, as well as several openCryptoki tools used for administrative purposes, may reset ownership or permissions on existing files inside the token directories. An attacker with token-group membership can exploit the system when an administrator runs a PKCS#11 application or administrative tool that performs chown on files inside the token directory during normal maintenance. This issue is fixed in commit 5e6e4b4, but has not been included in a released version at the time of publication. | 2026-01-22 | 6.8 | CVE-2026-23893 | https://github.com/opencryptoki/opencryptoki/security/advisories/GHSA-j6c7-mvpx-jx5q https://github.com/opencryptoki/opencryptoki/commit/5e6e4b42f2b1fcc1e4ef1b920e463bfa55da8b45 |
| OpenEMR Foundation, Inc.–OpenEMR | OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance. | 2026-01-21 | 5.4 | CVE-2021-47817 | ExploitDB-49784 OpenEMR Official Website OpenEMR 5.0.2.1 Download SonarSource Vulnerability Analysis Vulnerability Demonstration Video VulnCheck Advisory: OpenEMR 5.0.2.1 – Remote Code Execution |
| opf–openproject | OpenProject is an open-source, web-based project management software. Users of OpenProject versions prior to 16.6.5 and 17.0.1 have the ability to view and end their active sessions via Account Settings → Sessions. When deleting a session, it was not properly checked whether the session belongs to the user. As the IDs used to identify these session objects are incremental integers, users could iterate requests using `DELETE /my/sessions/:id` and thus unauthenticate other users. Users did not have access to any sensitive information (like browser identifier, IP addresses, etc.) of other users that is stored in the session. The problem was patched in OpenProject versions 16.6.5 and 17.0.1. No known workarounds are available, as the action does not require any permission or other setting that could be temporarily disabled. | 2026-01-19 | 6.5 | CVE-2026-23646 | https://github.com/opf/openproject/security/advisories/GHSA-w422-xf8f-v4vp https://github.com/opf/openproject/releases/tag/v16.6.5 https://github.com/opf/openproject/releases/tag/v17.0.1 |
| opf–openproject | OpenProject is an open-source, web-based project management software. When using groups in OpenProject to manage users, the group members should only be visible to users that have the View Members permission in any project that the group is also a member of. Prior to versions 17.0.1 and 16.6.5, due to a failed permission check, if a user had the View Members permission in any project, they could enumerate all Groups and view which other users are part of the group. The issue has been fixed in OpenProject 17.0.1 and 16.6.5. No known workarounds are available. | 2026-01-19 | 4.3 | CVE-2026-23721 | https://github.com/opf/openproject/security/advisories/GHSA-vj77-wrc2-5h5h |
| Oracle Corporation–JD Edwards EnterpriseOne Tools | Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are 9.2.0.0-9.2.26.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in JD Edwards EnterpriseOne Tools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data as well as unauthorized read access to a subset of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21946 | Oracle Advisory |
| Oracle Corporation–MySQL Cluster | Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21936 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21949 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21950 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 6.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 6.5 | CVE-2026-21968 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 5.3 | CVE-2026-21929 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DDL). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21937 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21941 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21948 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Parser). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21952 | Oracle Advisory |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.9 | CVE-2026-21964 | Oracle Advisory |
| Oracle Corporation–Oracle Agile Product Lifecycle Management for Process | Vulnerability in the Oracle Agile Product Lifecycle Management for Process product of Oracle Supply Chain (component: Product Quality Management). The supported version that is affected is 6.2.4. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile Product Lifecycle Management for Process. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Agile Product Lifecycle Management for Process accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21944 | Oracle Advisory |
| Oracle Corporation–Oracle APEX Sample Applications | Vulnerability in the Oracle APEX Sample Applications product of Oracle APEX (component: Brookstrut Sample App). Supported versions that are affected are 23.2.0, 23.2.1, 24.1.0, 24.2.0 and 24.2.1. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle APEX Sample Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle APEX Sample Applications, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle APEX Sample Applications accessible data as well as unauthorized read access to a subset of Oracle APEX Sample Applications accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21931 | Oracle Advisory |
| Oracle Corporation–Oracle Applications DBA | Vulnerability in the Oracle Applications DBA product of Oracle E-Business Suite (component: Java utils). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Applications DBA. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Applications DBA accessible data as well as unauthorized access to critical data or complete access to all Oracle Applications DBA accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N). | 2026-01-20 | 6.5 | CVE-2026-21960 | Oracle Advisory |
| Oracle Corporation–Oracle Configurator | Vulnerability in the Oracle Configurator product of Oracle E-Business Suite (component: User Interface). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Configurator accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21972 | Oracle Advisory |
| Oracle Corporation–Oracle Database Server | Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 19.3-19.29 and 21.3-21.20. Easily exploitable vulnerability allows high privileged attacker having Authenticated User privilege with network access via Oracle Net to compromise Java VM. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Java VM. CVSS 3.1 Base Score 4.5 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 4.5 | CVE-2026-21975 | Oracle Advisory |
| Oracle Corporation–Oracle FLEXCUBE Universal Banking | Vulnerability in the Oracle FLEXCUBE Universal Banking product of Oracle Financial Services Applications (component: Relationship Pricing). Supported versions that are affected are 14.0.0.0.0-14.8.0.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle FLEXCUBE Universal Banking. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle FLEXCUBE Universal Banking accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21978 | Oracle Advisory |
| Oracle Corporation–Oracle Hospitality OPERA 5 Property Services | Vulnerability in the Oracle Hospitality OPERA 5 Property Services product of Oracle Hospitality Applications (component: Opera). Supported versions that are affected are 5.6.19.23, 5.6.25.17, 5.6.26.10 and 5.6.27.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 Property Services. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Hospitality OPERA 5 Property Services, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Hospitality OPERA 5 Property Services accessible data as well as unauthorized read access to a subset of Oracle Hospitality OPERA 5 Property Services accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21966 | Oracle Advisory |
| Oracle Corporation–Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Networking). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21933 | Oracle Advisory |
| Oracle Corporation–Oracle Java SE | Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: RMI). Supported versions that are affected are Oracle Java SE: 8u471, 8u471-b50, 8u471-perf, 11.0.29, 17.0.17, 21.0.9, 25.0.1; Oracle GraalVM for JDK: 17.0.17 and 21.0.9; Oracle GraalVM Enterprise Edition: 21.3.16. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 4.8 | CVE-2026-21925 | Oracle Advisory |
| Oracle Corporation–Oracle Life Sciences Central Coding | Vulnerability in the Oracle Life Sciences Central Coding product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Coding. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Coding accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Coding accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21980 | Oracle Advisory |
| Oracle Corporation–Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Life Sciences Central Designer accessible data as well as unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 6.5 | CVE-2026-21923 | Oracle Advisory |
| Oracle Corporation–Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 6.5 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 6.5 | CVE-2026-21970 | Oracle Advisory |
| Oracle Corporation–Oracle Life Sciences Central Designer | Vulnerability in the Oracle Life Sciences Central Designer product of Oracle Health Sciences Applications (component: Platform). The supported version that is affected is 7.0.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Life Sciences Central Designer. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Life Sciences Central Designer accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21974 | Oracle Advisory |
| Oracle Corporation–Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:N/I:H/A:N). | 2026-01-20 | 4.2 | CVE-2026-21922 | Oracle Advisory |
| Oracle Corporation–Oracle Planning and Budgeting Cloud Service | Vulnerability in the Oracle Planning and Budgeting Cloud Service product of Oracle Hyperion (component: EPM Agent). The supported version that is affected is 25.04.07. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Planning and Budgeting Cloud Service executes to compromise Oracle Planning and Budgeting Cloud Service. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Planning and Budgeting Cloud Service accessible data. Note: Update EPM Agent. Please refer to Downloading the EPM Agent (https://docs.oracle.com/en/cloud/saas/enterprise-performance-management-common/diepm/epm_agent_downloading_agent_110x80569d70.html) for more information. CVSS 3.1 Base Score 4.2 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.2 | CVE-2026-21979 | Oracle Advisory |
| Oracle Corporation–Oracle Scripting | Vulnerability in the Oracle Scripting product of Oracle E-Business Suite (component: Scripting Admin). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Scripting. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Scripting, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Scripting accessible data as well as unauthorized read access to a subset of Oracle Scripting accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21943 | Oracle Advisory |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21927 | Oracle Advisory |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Kernel). The supported version that is affected is 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via TCP to compromise Oracle Solaris. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Solaris accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). | 2026-01-20 | 5.3 | CVE-2026-21928 | Oracle Advisory |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Driver). The supported version that is affected is 11. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data as well as unauthorized access to critical data or complete access to all Oracle Solaris accessible data. CVSS 3.1 Base Score 5.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N). | 2026-01-20 | 5.8 | CVE-2026-21935 | Oracle Advisory |
| Oracle Corporation–Oracle Solaris | Vulnerability in the Oracle Solaris product of Oracle Systems (component: Filesystems). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris. CVSS 3.1 Base Score 5.0 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H). | 2026-01-20 | 5 | CVE-2026-21942 | Oracle Advisory |
| Oracle Corporation–Oracle Utilities Application Framework | Vulnerability in the Oracle Utilities Application Framework product of Oracle Utilities Applications (component: General). Supported versions that are affected are 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 4.5.0.2.0, 25.4 and 25.10. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Utilities Application Framework. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Utilities Application Framework, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Utilities Application Framework accessible data as well as unauthorized read access to a subset of Oracle Utilities Application Framework accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21924 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21963 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle VM VirtualBox accessible data. CVSS 3.1 Base Score 6.0 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N). | 2026-01-20 | 6 | CVE-2026-21985 | Oracle Advisory |
| Oracle Corporation–Oracle VM VirtualBox | Vulnerability in the Oracle VM VirtualBox product of Oracle Virtualization (component: Core). Supported versions that are affected are 7.1.14 and 7.2.4. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle VM VirtualBox accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Oracle VM VirtualBox. CVSS 3.1 Base Score 4.6 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:L). | 2026-01-20 | 4.6 | CVE-2026-21981 | Oracle Advisory |
| Oracle Corporation–Oracle Workflow | Vulnerability in the Oracle Workflow product of Oracle E-Business Suite (component: Workflow Loader). Supported versions that are affected are 12.2.3-12.2.15. Easily exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise Oracle Workflow. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Workflow accessible data. CVSS 3.1 Base Score 4.9 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N). | 2026-01-20 | 4.9 | CVE-2026-21959 | Oracle Advisory |
| Oracle Corporation–PeopleSoft Enterprise HCM Human Resources | Vulnerability in the PeopleSoft Enterprise HCM Human Resources product of Oracle PeopleSoft (component: Company Dir / Org Chart Viewer, Employee Snapshot). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Human Resources. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise HCM Human Resources, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise HCM Human Resources accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise HCM Human Resources accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21961 | Oracle Advisory |
| Oracle Corporation–PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Portal). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21938 | Oracle Advisory |
| Oracle Corporation–PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Integration Broker). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in PeopleSoft Enterprise PeopleTools, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 6.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). | 2026-01-20 | 6.1 | CVE-2026-21951 | Oracle Advisory |
| Oracle Corporation–PeopleSoft Enterprise PeopleTools | Vulnerability in the PeopleSoft Enterprise PeopleTools product of Oracle PeopleSoft (component: Push Notifications). Supported versions that are affected are 8.60, 8.61 and 8.62. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise PeopleTools accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise PeopleTools accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21934 | Oracle Advisory |
| Oracle Corporation–PeopleSoft Enterprise SCM Purchasing | Vulnerability in the PeopleSoft Enterprise SCM Purchasing product of Oracle PeopleSoft (component: Purchasing). The supported version that is affected is 9.2. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise SCM Purchasing. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of PeopleSoft Enterprise SCM Purchasing accessible data as well as unauthorized read access to a subset of PeopleSoft Enterprise SCM Purchasing accessible data. CVSS 3.1 Base Score 5.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). | 2026-01-20 | 5.4 | CVE-2026-21971 | Oracle Advisory |
| ostin654–JustClick registration plugin | The JustClick registration plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 0.1. This is due to insufficient input sanitization and output escaping on the `PHP_SELF` server variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2025-13676 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f1420ec8-55e4-448d-8230-228d1e566b97?source=cve https://plugins.trac.wordpress.org/browser/justclick-subscriber/trunk/justclick.php#L154 https://plugins.trac.wordpress.org/browser/justclick-subscriber/tags/0.1/justclick.php#L154 |
| Palantir–com.palantir.aries:aries | A vulnerability in Palantir’s Aries service allowed unauthenticated access to log viewing and management functionality on Apollo instances using default configuration. The defect resulted in both authentication and authorization checks being bypassed, potentially allowing any network-accessible client to view system logs and perform operations without valid credentials. No evidence of exploitation was identified during the vulnerability window. | 2026-01-22 | 6.6 | CVE-2025-68609 | https://palantir.safebase.us/?tcuUid=955a313a-1735-48a6-9fb4-e10404f14eb5 |
| pdfcrowd–Save as PDF Plugin by PDFCrowd | The Save as PDF Plugin by PDFCrowd plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘options’ parameter in all versions up to, and including, 4.5.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. NOTE: Successful exploitation of this vulnerability requires that the PDFCrowd API key is blank (also known as “demo mode”, which is the default configuration when the plugin is installed) or known. | 2026-01-24 | 6.1 | CVE-2026-0862 | https://www.wordfence.com/threat-intel/vulnerabilities/id/74172fcb-7428-464a-89f1-f1f3af50e361?source=cve https://plugins.trac.wordpress.org/changeset/3438577/save-as-pdf-by-pdfcrowd |
| peachpay–PeachPay Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) | The PeachPay – Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders. | 2026-01-20 | 5.3 | CVE-2025-14978 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33 |
| PHPGurukul–News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. The affected element is an unknown function of the file /admin/add-subadmins.php of the component Add Sub-Admin Page. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1141 | VDB-341733: PHPGurukul News Portal Add Sub-Admin add-subadmins.php improper authorization; VDB-341733: CTI Indicators (IOB, IOC, TTP, IOA); Submit #735483: PHPGurukul News Portal Project in PHP and MySql 1.0 Improper Access Controls; https://github.com/Asim-QAZi/BrokenAccessControl-News-Portal-Project-in-PHP-and-MySQL-in-PHPGurukul https://phpgurukul.com/ |
| PHPGurukul–News Portal | A security flaw has been discovered in PHPGurukul News Portal 1.0. The impacted element is an unknown function. Performing a manipulation results in cross-site request forgery. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 4.3 | CVE-2026-1142 | VDB-341734: PHPGurukul News Portal cross-site request forgery; VDB-341734: CTI Indicators (IOB, IOC); Submit #735498: PHPGurukul News Portal Project in PHP and MySql 1.0 Cross-Site Request Forgery; https://github.com/Asim-QAZi/CSRF-Add-Subadmin-in-News-Portal-Project-in-PHP-and-MySql-in-PHPGurukul https://phpgurukul.com/ |
| plugins360–All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `ajax_callback_create_bunny_stream_video`, `ajax_callback_get_bunny_stream_video`, and `ajax_callback_delete_bunny_stream_video` functions in all versions up to, and including, 4.6.4. This makes it possible for unauthenticated attackers to create and delete videos on the Bunny Stream CDN associated with the victim’s account, provided they can obtain a valid nonce which is exposed in public player templates. | 2026-01-23 | 6.5 | CVE-2025-14947 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bedfb712-faf6-4131-b254-e6d7c367f49f?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/includes/init.php#L373 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L131 https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/trunk/public/bunny-stream.php#L285 https://plugins.trac.wordpress.org/changeset/3441541/ |
| plugins360–All-in-One Video Gallery | The All-in-One Video Gallery plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_callback_store_user_meta() function in versions 4.1.0 to 4.6.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary string-based user meta keys for their own account. | 2026-01-24 | 4.3 | CVE-2025-15516 | https://www.wordfence.com/threat-intel/vulnerabilities/id/218e4ed5-661b-49e1-8b23-457a93fd53fa?source=cve https://plugins.trac.wordpress.org/browser/all-in-one-video-gallery/tags/4.6.4/admin/admin.php#L1062 |
| pytest–pytest | pytest through 9.0.2 on UNIX relies on directories with the /tmp/pytest-of-{user} name pattern, which allows local users to cause a denial of service or possibly gain privileges. | 2026-01-22 | 6.8 | CVE-2025-71176 | https://github.com/pytest-dev/pytest/issues/13669 https://www.openwall.com/lists/oss-security/2026/01/21/5 |
| quickjs-ng–quickjs | A vulnerability was detected in quickjs-ng quickjs up to 0.11.0. Affected is an unknown function of the file quickjs.c of the component Atomics Ops Handler. The manipulation results in use after free. The attack can be executed remotely. The exploit is now public and may be used. The patch is identified as ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141. Applying a patch is advised to resolve this issue. | 2026-01-19 | 6.3 | CVE-2026-1144 | VDB-341737: quickjs-ng quickjs Atomics Ops quickjs.c use after free; VDB-341737: CTI Indicators (IOB, IOC, IOA); Submit #735537: quickjs-ng quickjs v0.11.0 Use After Free; Submit #735538: quickjs-ng quickjs v0.11.0 Use After Free (Duplicate); https://github.com/quickjs-ng/quickjs/issues/1301 https://github.com/quickjs-ng/quickjs/pull/1303 https://github.com/quickjs-ng/quickjs/issues/1302 https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141 |
| quickjs-ng–quickjs | A flaw has been found in quickjs-ng quickjs up to 0.11.0. Affected by this vulnerability is the function js_typed_array_constructor_ta of the file quickjs.c. This manipulation causes a heap-based buffer overflow. The attack can be carried out remotely. The exploit has been published and may be used. Patch name: 53aebe66170d545bb6265906fe4324e4477de8b4. It is suggested to install a patch to address this issue. | 2026-01-19 | 6.3 | CVE-2026-1145 | VDB-341738: quickjs-ng quickjs quickjs.c js_typed_array_constructor_ta heap-based overflow; VDB-341738: CTI Indicators (IOB, IOC, IOA); Submit #735539: quickjs-ng quickjs v0.11.0 Heap-based Buffer Overflow; https://github.com/quickjs-ng/quickjs/issues/1305 https://github.com/quickjs-ng/quickjs/pull/1306 https://github.com/quickjs-ng/quickjs/issues/1305#issue-3785444372 https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4 |
| rebelcode–RSS Aggregator RSS Import, News Feeds, Feed to Post, and Autoblogging | The RSS Aggregator – RSS Import, News Feeds, Feed to Post, and Autoblogging plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘wp-rss-aggregator’ shortcode in all versions up to, and including, 5.0.10 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-23 | 6.4 | CVE-2025-14745 | https://www.wordfence.com/threat-intel/vulnerabilities/id/dd201949-d3a1-4fdb-bf98-252fbfd59380?source=cve https://plugins.trac.wordpress.org/browser/wp-rss-aggregator/trunk/core/src/Renderer.php#L209 https://plugins.trac.wordpress.org/changeset/3439384/wp-rss-aggregator/trunk/core/src/Renderer.php |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. | 2026-01-21 | 6.5 | CVE-2025-14559 | https://access.redhat.com/security/cve/CVE-2025-14559 RHBZ#2421711 |
| Red Hat–Red Hat Build of Keycloak | A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | 2026-01-20 | 5.8 | CVE-2026-1180 | https://access.redhat.com/security/cve/CVE-2026-1180 RHBZ#2430781 |
| robiulawal40–Alpha Blocks | The Alpha Blocks plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘alpha_block_css’ parameter in all versions up to, and including, 1.5.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-14985 | https://www.wordfence.com/threat-intel/vulnerabilities/id/745dcc4c-1c52-4ac7-9ac6-033770282a3b?source=cve https://plugins.trac.wordpress.org/browser/alpha-blocks/tags/1.5.0/class/block_inline_style.php#L175 |
| rtowebsites–AdminQuickbar | The AdminQuickbar plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.9.3. This is due to missing or incorrect nonce validation on the ‘saveSettings’ and ‘renamePost’ AJAX actions. This makes it possible for unauthenticated attackers to modify plugin settings and update post titles via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14630 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb70ad52-b964-4c56-98a2-06be375a79af?source=cve https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/tags/1.9.3/Lib/Sidebar.php#L386 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/AdminQuickbar.php#L88 https://plugins.trac.wordpress.org/browser/adminquickbar/trunk/Lib/Sidebar.php#L386 |
| Sangfor–Operation and Maintenance Security Management System | A security flaw has been discovered in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function edit_pwd_mall of the file /fort/login/edit_pwd_mall. The manipulation of the argument flag results in weak password recovery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-22 | 5.3 | CVE-2026-1325 | VDB-342301: Sangfor Operation and Maintenance Security Management System edit_pwd_mall password recovery; VDB-342301: CTI Indicators (IOB, IOC, TTP, IOA); Submit #736208: Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) 3.0.12 Unauthenticated Arbitrary Password Reset; https://github.com/LX-LX88/cve/issues/21 |
| satollo–Newsletter Send awesome emails from WordPress | The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link. | 2026-01-20 | 4.3 | CVE-2026-1051 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141 |
| sauravrox–Set Bulk Post Categories | The Set Bulk Post Categories plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the bulk category update functionality. This makes it possible for unauthenticated attackers to modify post categories in bulk via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1081 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9503f908-ead2-4c34-89b9-1e2348b90f3c?source=cve https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/trunk/set-bulk-categories.php#L36 https://plugins.trac.wordpress.org/browser/set-bulk-post-categories/tags/1.1/set-bulk-categories.php#L36 |
| Seacms–Seacms | SeaCMS 11.1 contains a stored cross-site scripting vulnerability in the checkuser parameter of the admin settings page. Attackers can inject malicious JavaScript payloads that will execute in users’ browsers when the page is loaded. | 2026-01-25 | 6.4 | CVE-2020-36932 | ExploitDB-49251 Official Seacms Product Homepage VulnCheck Advisory: Seacms 11.1 – ‘checkuser’ Stored XSS |
| shahinurislam–Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘mb_gallery’ custom post type in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Author-level access and above, to create and publish galleries. | 2026-01-24 | 4.3 | CVE-2026-0687 | https://www.wordfence.com/threat-intel/vulnerabilities/id/872c61aa-c95c-4b86-8e39-8112bb117a0b?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/include/posttype.php#L29 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L375 |
| shahinurislam–Meta-box GalleryMeta | The Meta-box GalleryMeta plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.0.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-24 | 4.4 | CVE-2026-1302 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb9ae252-7e5f-4dc0-a162-100493b81980?source=cve https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L31 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/templates/single-mb_gallery.php#L33 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L119 https://plugins.trac.wordpress.org/browser/meta-box-gallerymeta/tags/3.0.1/gallerymetaboxes.php#L314 |
| shazdeh–Administrative Shortcodes | The Administrative Shortcodes plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘login’ and ‘logout’ shortcode attributes in all versions up to, and including, 0.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1099 | https://www.wordfence.com/threat-intel/vulnerabilities/id/de931a65-c898-4b1d-99ce-20dd646bcbb0?source=cve https://plugins.trac.wordpress.org/browser/administrative-shortcodes/trunk/administrative-shortcodes.php#L196 https://plugins.trac.wordpress.org/browser/administrative-shortcodes/tags/0.3.4/administrative-shortcodes.php#L196 |
| sigstore–rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate() returns nil (success) when message is empty, leaving sign1Msg uninitialized, and Canonicalize() later dereferences v.sign1Msg.Payload. A malformed proposed entry of the cose/v0.0.1 type can cause a panic on a thread within the Rekor process. The thread is recovered so the client receives a 500 error message and service still continues, so the availability impact of this is minimal. This issue has been fixed in version 1.5.0. | 2026-01-22 | 5.3 | CVE-2026-23831 | https://github.com/sigstore/rekor/security/advisories/GHSA-273p-m2cw-6833 https://github.com/sigstore/rekor/commit/39bae3d192bce48ef4ef2cbd1788fb5770fee8cd https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore–rekor | Rekor is a software supply chain transparency log. In versions 1.4.3 and below, attackers can trigger SSRF to arbitrary internal services because /api/v1/index/retrieve supports retrieving a public key via user-provided URL. Since the SSRF only can trigger GET requests, the request cannot mutate state. The response from the GET request is not returned to the caller so data exfiltration is not possible. A malicious actor could attempt to probe an internal network through Blind SSRF. The issue has been fixed in version 1.5.0. To workaround this issue, disable the search endpoint with --enable_retrieve_api=false. | 2026-01-22 | 5.3 | CVE-2026-24117 | https://github.com/sigstore/rekor/security/advisories/GHSA-4c4x-jm2x-pf9j https://github.com/sigstore/rekor/commit/60ef2bceba192c5bf9327d003bceea8bf1f8275f https://github.com/sigstore/rekor/releases/tag/v1.5.0 |
| sigstore–sigstore | sigstore framework is a common go library shared across sigstore services and clients. In versions 1.10.3 and below, the legacy TUF client (pkg/tuf/client.go) supports caching target files to disk. It constructs a filesystem path by joining a cache base directory with a target name sourced from signed target metadata; however, it does not validate that the resulting path stays within the cache base directory. A malicious TUF repository can trigger arbitrary file overwriting, limited to the permissions that the calling process has. Note that this should only affect clients that are directly using the TUF client in sigstore/sigstore or are using an older version of Cosign. Public Sigstore deployment users are unaffected, as TUF metadata is validated by a quorum of trusted collaborators. This issue has been fixed in version 1.10.4. As a workaround, users can disable disk caching for the legacy client by setting SIGSTORE_NO_CACHE=true in the environment, migrate to https://github.com/sigstore/sigstore-go/tree/main/pkg/tuf, or upgrade to the latest sigstore/sigstore release. | 2026-01-23 | 5.8 | CVE-2026-24137 | https://github.com/sigstore/sigstore/security/advisories/GHSA-fcv2-xgw5-pqxf https://github.com/sigstore/sigstore/commit/8ec410a2993ea78083aecf0e473a85453039496e https://github.com/sigstore/sigstore/releases/tag/v1.10.4 |
| SourceCodester–E-Learning System | A flaw has been found in SourceCodester E-Learning System 1.0. This impacts an unknown function of the file /admin/modules/lesson/index.php of the component Lesson Module Handler. Executing a manipulation of the argument Title/Description can lead to basic cross site scripting. The attack can be executed remotely. The exploit has been published and may be used. | 2026-01-19 | 4.3 | CVE-2026-1154 | VDB-341747: SourceCodester E-Learning System Lesson index.php cross site scripting; VDB-341747: CTI Indicators (IOB, IOC, TTP, IOA); Submit #735855: SourceCodester E-Learning System (CAIWL) 1.0 Stored HTML Injection Vulnerability; https://gist.github.com/0xCaptainFahim/dada955760b424a851de12bccadee997 https://www.sourcecodester.com/ |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability was determined in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This vulnerability affects unknown code. Executing a manipulation can lead to cross-site request forgery. It is possible to launch the attack remotely. | 2026-01-19 | 4.3 | CVE-2026-1148 | VDB-341741: SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System cross-site request forgery; VDB-341741: CTI Indicators (IOB, IOC); Submit #735545: Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross-Site Request Forgery |
| specialk–Head Meta Data | The Head Meta Data plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘head-meta-data’ post meta field in all versions up to, and including, 20251118 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-20 | 6.4 | CVE-2026-0608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9592bb6d-8e1d-4c89-addd-11c07272a628?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/head-meta-data/tags/20251118&new_path=/head-meta-data/tags/20260105 |
| Spring–Spring Security | The fix applied in CVE-2025-22228 inadvertently broke the timing attack mitigation implemented in DaoAuthenticationProvider. This can allow attackers to infer valid usernames or other authentication behavior via response-time differences under certain configurations. | 2026-01-22 | 5.3 | CVE-2025-22234 | Spring Security Advisory: CVE-2025-22234 |
| stefanristic–Simple Crypto Shortcodes | The Simple Crypto Shortcodes plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.0.2. This is due to missing nonce validation on the scs_backend function. This makes it possible for unauthenticated attackers to update plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14903 | https://www.wordfence.com/threat-intel/vulnerabilities/id/18bcd2ad-1989-4e2b-b82e-fddc4201c5a6?source=cve https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L46 https://plugins.trac.wordpress.org/browser/simple-crypto-shortcodes/tags/1.0.2/simple_crypto_shortcodes.php#L54 |
| stellarwp–The Events Calendar | The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the ‘start_migration’, ‘cancel_migration’, and ‘revert_migration’ functions in all versions up to, and including, 6.15.13. This makes it possible for authenticated attackers, with subscriber level access and above, to start, cancel, or revert the Custom Tables V1 database migration, including dropping the custom database tables entirely via the revert action. | 2026-01-20 | 5.4 | CVE-2025-15043 | https://www.wordfence.com/threat-intel/vulnerabilities/id/346a5b00-fb76-4413-a935-a2df4dc51984?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/the-events-calendar/tags/6.15.13&new_path=/the-events-calendar/tags/6.15.13.1 |
| sumatrapdfreader–sumatrapdf | SumatraPDF is a multi-format reader for Windows. All versions contain an off-by-one error in the validation code that only triggers with exactly 2 records, causing an integer underflow in the size calculation. This bug exists in PalmDbReader::GetRecord when opening a crafted Mobi file, resulting in an out-of-bounds heap read that crashes the app. There are no published fixes at the time of publication. | 2026-01-22 | 5.5 | CVE-2026-23951 | https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-hj4w-c5x8-p2hv https://github.com/sumatrapdfreader/sumatrapdf/blob/master/src/PalmDbReader.cpp |
| swift-otel–swift-w3c-trace-context | Swift W3C TraceContext is a Swift implementation of the W3C Trace Context standard, and Swift OTel is an OpenTelemetry Protocol (OTLP) backend for Swift Log, Swift Metrics, and Swift Distributed Tracing. Prior to Swift W3C TraceContext version 1.0.0-beta.5 and Swift OTel version 1.0.4, a denial-of-service vulnerability due to improper input validation allows a remote attacker to crash the service via a malformed HTTP header. This allows crashing the process with data coming from the network when used with, for example, an HTTP server. The most common way of using Swift W3C Trace Context is through Swift OTel. Version 1.0.0-beta.5 of Swift W3C TraceContext and version 1.0.4 of Swift OTel contain a patch for this issue. As a workaround, disable either Swift OTel or the code that extracts the trace information from an incoming header (such as a `TracingMiddleware`). | 2026-01-19 | 5.3 | CVE-2026-23886 | https://github.com/swift-otel/swift-w3c-trace-context/security/advisories/GHSA-mvpq-2v8x-ww6g https://github.com/swift-otel/swift-w3c-trace-context/commit/5da9b143ba6046734de3fa51dafea28290174e4e https://github.com/swift-otel/swift-otel/releases/tag/1.0.4 https://github.com/swift-otel/swift-w3c-trace-context/releases/tag/1.0.0-beta.5 |
| tandubhai–Alchemist Ajax Upload | The Alchemist Ajax Upload plugin for WordPress is vulnerable to unauthorized media file deletion due to a missing capability check on the ‘delete_file’ function in all versions up to, and including, 1.1. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments. | 2026-01-24 | 5.3 | CVE-2025-14629 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865dbcf5-7990-40f3-bb90-3ae359b52c6f?source=cve https://wordpress.org/plugins/alchemist-ajax-upload/ https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/tags/1.1/alchemist_ajax_upload.php#L231 https://plugins.trac.wordpress.org/browser/alchemist-ajax-upload/trunk/alchemist_ajax_upload.php#L231 |
| Tapandsign Technologies Software Inc.–Tap&Sign | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Tapandsign Technologies Software Inc. Tap&Sign allows Cross-Site Scripting (XSS). This issue affects Tap&Sign: through 23012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-23 | 4.7 | CVE-2025-2204 | https://www.usom.gov.tr/bildirim/tr-26-0004 |
| teamzt–ZT Captcha | The ZT Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.4. This is due to improper nonce validation on the save_ztcpt_captcha_settings action where the nonce check can be bypassed by sending an empty token value. This makes it possible for unauthenticated attackers to modify the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1075 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f9d6da5-1598-4df4-8efc-306370446443?source=cve https://plugins.trac.wordpress.org/browser/zt-captcha/trunk/request/CaptchaRequest.php#L37 https://plugins.trac.wordpress.org/browser/zt-captcha/tags/1.0.4/request/CaptchaRequest.php#L37 |
| technical-laohu–mpay | A security vulnerability has been detected in technical-laohu mpay up to 1.2.4. The impacted element is an unknown function of the component QR Code Image Handler. Such manipulation of the argument codeimg leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-19 | 4.7 | CVE-2026-1152 | VDB-341745: technical-laohu mpay QR Code Image unrestricted upload; VDB-341745: CTI Indicators (IOB, IOC, TTP, IOA); Submit #735775: https://gitee.com/technical-laohu/mpay mpay v1.2.4 Arbitrary file upload vulnerability; https://github.com/bdkuzma/vuln/issues/17 |
| technical-laohu–mpay | A vulnerability was detected in technical-laohu mpay up to 1.2.4. This affects an unknown function. Performing a manipulation results in cross-site request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. | 2026-01-19 | 4.3 | CVE-2026-1153 | VDB-341746: technical-laohu mpay cross-site request forgery; VDB-341746: CTI Indicators (IOB, IOC); Submit #735789: https://gitee.com/technical-laohu/mpay mpay v1.2.4 Cross-Site Request Forgery; https://github.com/bdkuzma/vuln/issues/18 |
| tendenci–tendenci | Tendenci is an open source content management system built for non-profits, associations and cause-based sites. Versions 15.3.11 and below include a critical deserialization vulnerability in the Helpdesk module (which is not enabled by default). This vulnerability allows Remote Code Execution (RCE) by an authenticated user with staff security level due to using Python’s pickle module in helpdesk /reports/. The original CVE-2020-14942 was incompletely patched. While ticket_list() was fixed to use safe JSON deserialization, the run_report() function still uses unsafe pickle.loads(). The impact is limited to the permissions of the user running the application, typically www-data, which generally lacks write (except for upload directories) and execute permissions. This issue has been fixed in version 15.3.12. | 2026-01-22 | 6.8 | CVE-2026-23946 | https://github.com/tendenci/tendenci/security/advisories/GHSA-339m-4qw5-j2g3 https://github.com/tendenci/tendenci/issues/867 https://github.com/tendenci/tendenci/commit/23d9fd85ab7654e9c83cfc86cb4175c0bd7a77f1 https://github.com/tendenci/tendenci/commit/2ff0a457614944a1b417081c543ea4c5bb95d636 https://github.com/tendenci/tendenci/commit/63e1b84a5b163466d1d8d811d35e7021a7ca0d0e https://docs.python.org/3/library/pickle.html#restricting-globals https://github.com/advisories/GHSA-jqmc-fxxp-r589 https://github.com/tendenci/tendenci/releases/tag/v15.3.12 |
| themeruby–ThemeRuby Multi Authors Assign Multiple Writers to Posts | The ThemeRuby Multi Authors – Assign Multiple Writers to Posts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘before’ and ‘after’ shortcode attributes in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2026-1097 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ca74bb1d-1954-4869-aaa9-bf66600cdf2a?source=cve https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/trunk/includes/class-tma-shortcodes.php#L76 https://plugins.trac.wordpress.org/browser/themeruby-multi-authors/tags/1.0.0/includes/class-tma-shortcodes.php#L76 |
| themeum–Tutor LMS eLearning and online course solution | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to unauthorized attachment deletion due to a missing capability check on the `delete_existing_user_photo` function in all versions up to, and including, 3.9.4. This makes it possible for authenticated attackers, with subscriber level access and above, to delete arbitrary attachments on the site. | 2026-01-20 | 5.4 | CVE-2026-0548 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0e475e02-494a-4ad0-a83c-d027c3a32989?source=cve https://plugins.trac.wordpress.org/changeset?old_path=/tutor/tags/3.9.4/classes/User.php&new_path=/tutor/tags/3.9.5/classes/User.php |
| theupdateframework–go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, if the TUF repository (or any of its mirrors) returns invalid TUF metadata JSON (valid JSON but not well formed TUF metadata), the client will panic during parsing, causing a denial of service. The panic happens before any signature is validated. This means that a compromised repository/mirror/cache can DoS clients without having access to any signing key. Version 2.3.1 fixes the issue. No known workarounds are available. | 2026-01-22 | 5.9 | CVE-2026-23991 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-846p-jg2w-w324 https://github.com/theupdateframework/go-tuf/commit/73345ab6b0eb7e59d525dac17a428f043074cef6 https://github.com/theupdateframework/go-tuf/releases/tag/v2.3.1 |
| theupdateframework–go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). Starting in version 2.0.0 and prior to version 2.3.1, a compromised or misconfigured TUF repository can have the configured value of signature thresholds set to 0, which effectively disables signature verification. This can lead to unauthorized modification of TUF metadata files at rest or in transit, as no integrity checks are made. Version 2.3.1 fixes the issue. As a workaround, always make sure that the TUF metadata roles are configured with a threshold of at least 1. | 2026-01-22 | 5.9 | CVE-2026-23992 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-fphv-w9fq-2525 https://github.com/theupdateframework/go-tuf/commit/b38d91fdbc69dfe31fe9230d97dafe527ea854a0 |
| thimpress–LearnPress WordPress LMS Plugin for Create and Sell Online Courses | The LearnPress – WordPress LMS Plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.3.2.4 via the get_item_permissions_check function. This makes it possible for unauthenticated attackers to extract sensitive data including user first names and last names. Other information such as social profile links and enrollment are also included. | 2026-01-20 | 5.3 | CVE-2025-14798 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fb00ce4-aa82-4479-b7f6-79e7bde098c1?source=cve https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L134 https://plugins.trac.wordpress.org/browser/learnpress/tags/4.3.2.1/inc/jwt/rest-api/version1/class-lp-rest-users-v1-controller.php#L35 |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below allow an authenticated user without the dlattachment permission to download FAQ attachments due to an incomplete permissions check. The presence of a right key is improperly validated as proof of authorization in attachment.php. Additionally, the group and user permission logic contains a flawed conditional expression that may allow unauthorized access. This issue has been fixed in version | 2026-01-24 | 6.5 | CVE-2026-24420 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-7p9h-m7m8-vhhv |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. Versions 4.0.16 and below have flawed authorization logic which exposes the /api/setup/backup endpoint to any authenticated user despite their permissions. SetupController.php uses userIsAuthenticated() but does not verify that the requester has configuration/admin permissions. Non-admin users can trigger a configuration backup and retrieve its path. The endpoint only checks authentication, not authorization, and returns a link to the generated ZIP. This issue is fixed in version 4.0.17. | 2026-01-24 | 6.5 | CVE-2026-24421 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-wm8h-26fv-mg7g |
| thorsten–phpMyFAQ | phpMyFAQ is an open source FAQ web application. In versions 4.0.16 and below, multiple public API endpoints improperly expose sensitive user information due to insufficient access controls. The OpenQuestionController::list() endpoint calls Question::getAll() with showAll=true by default, returning records marked as non-public (isVisible=false) along with user email addresses, with similar exposures present in comment, news, and FAQ APIs. This information disclosure vulnerability could enable attackers to harvest email addresses for phishing campaigns or access content that was explicitly marked as private. This issue has been fixed in version 4.0.17. | 2026-01-24 | 5.3 | CVE-2026-24422 | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-j4rc-96xj-gvqc |
| Totolink–LR350 | A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This issue affects the function setDiagnosisCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument ip leads to command injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-01-19 | 6.3 | CVE-2026-1149 | VDB-341742 \| Totolink LR350 POST Request cstecgi.cgi setDiagnosisCfg command injection VDB-341742 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735695 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setDiagnosisCfg-2e453a41781f800d9ba9c6da80b55276?source=copy_link https://www.totolink.net/ |
| Totolink–LR350 | A security flaw has been discovered in Totolink LR350 9.3.5u.6369_B20220309. Impacted is the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-19 | 6.3 | CVE-2026-1150 | VDB-341743 \| Totolink LR350 POST Request cstecgi.cgi setTracerouteCfg command injection VDB-341743 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735696 \| TOTOLINK LR350 LR350 V9.3.5u.6369_B20220309 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-LR350-setTracerouteCfg-2e453a41781f803494e3e4161a393487?source=copy_link https://www.totolink.net/ |
| Totolink–NR1800X | A weakness has been identified in Totolink NR1800X 9.1.0u.6279_B20210910. This vulnerability affects the function setWanCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument Hostname causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-22 | 6.3 | CVE-2026-1326 | VDB-342302 \| Totolink NR1800X POST Request cstecgi.cgi setWanCfg command injection VDB-342302 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735787 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setWanCfg-2e453a41781f80b390f3e1ce0d9dd5b9?source=copy_link https://www.totolink.net/ |
| Totolink–NR1800X | A security vulnerability has been detected in Totolink NR1800X 9.1.0u.6279_B20210910. This issue affects the function setTracerouteCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Such manipulation of the argument command leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-22 | 6.3 | CVE-2026-1327 | VDB-342303 \| Totolink NR1800X POST Request cstecgi.cgi setTracerouteCfg command injection VDB-342303 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735790 \| TOTOLINK NR1800X NR1800X_Firmware V9.1.0u.6279_B20210910 Command Injection https://lavender-bicycle-a5a.notion.site/TOTOLINK-NR1800X-setTracerouteCfg-2e453a41781f80df8ef9d32983758502?source=copy_link https://www.totolink.net/ |
| typemill–typemill | Typemill is a flat-file, Markdown-based CMS designed for informational documentation websites. A reflected Cross-Site Scripting (XSS) exists in the login error view template `login.twig` of versions 2.19.1 and below. The `username` value can be echoed back without proper contextual encoding when authentication fails. An attacker can execute script in the login page context. This issue has been fixed in version 2.19.2. | 2026-01-23 | 5.4 | CVE-2026-24127 | https://github.com/typemill/typemill/security/advisories/GHSA-65x4-pjhj-r8wr https://github.com/typemill/typemill/commit/b506acd11e80fb9c8db5fa6c2c8ad73580b4e88c https://github.com/typemill/typemill/releases/tag/v2.19.2 |
| uncannyowl–Uncanny Automator Easy Automation, Integration, Webhooks & Workflow Builder Plugin | The Uncanny Automator – Easy Automation, Integration, Webhooks & Workflow Builder Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the automator_discord_user_mapping shortcode in all versions up to, and including, 6.10.0.2 due to insufficient input sanitization and output escaping on the verified_message parameter. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user with a verified Discord account accesses the injected page. | 2026-01-23 | 6.4 | CVE-2025-15522 | https://www.wordfence.com/threat-intel/vulnerabilities/id/41c54e1b-69b9-4594-8f1e-7ef17f120791?source=cve https://wordpress.org/plugins/uncanny-automator https://plugins.trac.wordpress.org/browser/uncanny-automator/tags/6.10.0.2/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php#L128 https://plugins.trac.wordpress.org/changeset/3440408/uncanny-automator/trunk/src/integrations/discord/shortcodes/discord-user-mapping-shortcode.php |
| vektor-inc–VK Google Job Posting Manager | The VK Google Job Posting Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Job Description field in versions up to, and including, 1.2.20 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers with author-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-24 | 6.4 | CVE-2025-12836 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e0fd492-19ee-430e-a495-99ad28043bf9?source=cve https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L419 https://plugins.trac.wordpress.org/browser/vk-google-job-posting-manager/tags/1.2.20/vk-google-job-posting-manager.php#L468 |
| vintagedaddyo–MyBB Delete Account Plugin | MyBB Delete Account Plugin 1.4 contains a cross-site scripting vulnerability in the account deletion reason input field. Attackers can inject malicious scripts that will execute in the admin interface when viewing delete account reasons. | 2026-01-23 | 6.1 | CVE-2021-47905 | ExploitDB-49500 MyBB Delete Account Plugin Repository VulnCheck Advisory: MyBB Delete Account Plugin 1.4 – Cross-Site Scripting |
| waqasvickey0071–WP Youtube Video Gallery | The WP Youtube Video Gallery plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce verification on the wpYTVideoGallerySettingSave() function. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2025-14906 | https://www.wordfence.com/threat-intel/vulnerabilities/id/53709d2c-6522-40f0-9dc4-82517d3ee7b2?source=cve https://plugins.trac.wordpress.org/browser/wp-youtube-video-gallery/tags/1.0/admin/admin.php#L444 |
| wedevs–weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot | The weDocs: AI Powered Knowledge Base, Docs, Documentation, Wiki & AI Chatbot plugin for WordPress is vulnerable to unauthorized modification or loss of data due to a missing capability check on the ‘wedocs_user_documentation_handling_capabilities’ function in all versions up to, and including, 2.1.16. This makes it possible for authenticated attackers, with Subscriber-level access and above, to edit any documentation post. The vulnerability was partially patched in version 2.1.16. | 2026-01-23 | 4.3 | CVE-2025-13921 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c56234f3-7dd6-4dff-887d-5ddbf0cb7d3c?source=cve https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/functions.php#L506 https://plugins.trac.wordpress.org/browser/wedocs/tags/2.1.14/includes/Installer.php#L21 https://plugins.trac.wordpress.org/changeset/3426704/ https://plugins.trac.wordpress.org/changeset/3440068/ |
| wedevs–weMail Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation | The weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin’s REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files. | 2026-01-20 | 5.3 | CVE-2025-14348 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79 https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1 |
| wizit–Wizit Gateway for WooCommerce | The Wizit Gateway for WooCommerce plugin for WordPress is vulnerable to Unauthenticated Arbitrary Order Cancellation in all versions up to, and including, 1.2.9. This is due to a lack of authentication and authorization checks in the ‘handle_checkout_redirecturl_response’ function. This makes it possible for unauthenticated attackers to cancel arbitrary WooCommerce orders by sending a crafted request with a valid order ID. | 2026-01-24 | 5.3 | CVE-2025-14843 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b6926c2c-79d4-477c-a2eb-ba62545f2e2b?source=cve https://plugins.trac.wordpress.org/browser/wizit-gateway-for-woocommerce/tags/1.2.9/class-wizit-gateway.php?marks=1249,1341-1349#L1249 |
| wpchill–Image Photo Gallery Final Tiles Grid | The Image Photo Gallery Final Tiles Grid plugin for WordPress is vulnerable to unauthorized access and modification of data due to missing capability checks on multiple AJAX actions in all versions up to, and including, 3.6.9. This makes it possible for authenticated attackers, with Contributor-level access and above, to view, create, modify, clone, delete, and reassign ownership of galleries created by other users, including administrators. | 2026-01-19 | 5.4 | CVE-2025-15466 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0afcfe15-2d7d-4c96-a408-28f35577a927?source=cve https://plugins.trac.wordpress.org/changeset/3435746/ |
| wpdevteam–NotificationX FOMO, Live Sales Notification, WooCommerce Sales Popup, GDPR, Social Proof, Announcement Banner & Floating Notification Bar | The NotificationX plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘regenerate’ and ‘reset’ REST API endpoints in all versions up to, and including, 3.1.11. This makes it possible for authenticated attackers, with Contributor-level access and above, to reset analytics for any NotificationX campaign, regardless of ownership. | 2026-01-20 | 4.3 | CVE-2026-0554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e3cd843b-ab38-45c4-a661-78d4e6db5201?source=cve https://research.cleantalk.org/cve-2026-0554 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3433555%40notificationx&old=3426659%40notificationx&sfp_email=&sfph_mail= |
| wpdirectorykit–WP Directory Kit | The WP Directory Kit plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.4.9 via the wdk_public_action AJAX handler. This makes it possible for unauthenticated attackers to extract email addresses for users with Directory Kit-specific user roles. | 2026-01-24 | 5.3 | CVE-2025-13920 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8905dcc7-d3c8-4ae8-818c-df3e6ed2ad9c?source=cve https://plugins.trac.wordpress.org/changeset/3435482/wpdirectorykit |
| wpdiscover–Timeline Event History | The Timeline Event History plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `id` parameter in all versions up to, and including, 3.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-24 | 6.1 | CVE-2026-1127 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ba779595-2674-4d84-bc41-889ae60bd6a4?source=cve https://plugins.trac.wordpress.org/browser/timeline-event-history/tags/3.2/includes/admin/class-timeline-wp-field-builder.php#L540 |
| wpgmaps–WP Go Maps (formerly WP Google Maps) | The WP Go Maps (formerly WP Google Maps) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the processBackgroundAction() function in all versions up to, and including, 10.0.04. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global map engine settings. | 2026-01-24 | 5.3 | CVE-2026-0593 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f0741c1-a5d7-41a4-a739-2cb7cb836509?source=cve https://plugins.trac.wordpress.org/changeset/3439283/wp-google-maps/trunk/includes/class.admin-notices.php |
| Yodinfo–Mini Mouse | Mini Mouse 9.3.0 contains a path traversal vulnerability that allows attackers to access sensitive system directories through the device information endpoint. Attackers can retrieve file lists from system directories like /usr, /etc, and /var by manipulating file path parameters in API requests. | 2026-01-21 | 6.2 | CVE-2021-47849 | ExploitDB-49747 Mini Mouse Apple Store VulnCheck Advisory: Mini Mouse 9.3.0 – Local File inclusion / Path Traversal |
| zainali99–MyBB Trending Widget Plugin | MyBB Trending Widget Plugin 1.2 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts through thread titles. Attackers can modify thread titles with script payloads that will execute when other users view the trending widget. | 2026-01-23 | 6.1 | CVE-2018-25132 | ExploitDB-49504 Trending Widget GitHub Repository VulnCheck Advisory: MyBB Trending Widget Plugin 1.2 – Cross-Site Scripting |
| zero1zerouk–Login Page Editor | The Login Page Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2. This is due to missing nonce validation on the devotion_loginform_process() AJAX action. This makes it possible for unauthenticated attackers to update the plugin’s login page settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-24 | 4.3 | CVE-2026-1088 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f428b90d-8830-445d-b1f1-d8f860dae5cf?source=cve https://plugins.trac.wordpress.org/browser/login-page-editor/trunk/class/devotion.core.class.php#L50 https://plugins.trac.wordpress.org/browser/login-page-editor/tags/1.2/class/devotion.core.class.php#L50 |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Athroniaeth–fastapi-api-key | FastAPI Api Key provides a backend-agnostic library that provides an API key system. Version 1.1.0 has a timing side-channel vulnerability in verify_key(). The method applied a random delay only on verification failures, allowing an attacker to statistically distinguish valid from invalid API keys by measuring response latencies. With enough repeated requests, an adversary could infer whether a key_id corresponds to a valid key, potentially accelerating brute-force or enumeration attacks. All users relying on verify_key() for API key authentication prior to the fix are affected. Users should upgrade to version 1.1.0 to receive a patch. The patch applies a uniform random delay (min_delay to max_delay) to all responses regardless of outcome, eliminating the timing correlation. Some workarounds are available. Add an application-level fixed delay or random jitter to all authentication responses (success and failure) before the fix is applied and/or use rate limiting to reduce the feasibility of statistical timing attacks. | 2026-01-21 | 3.7 | CVE-2026-23996 | https://github.com/Athroniaeth/fastapi-api-key/security/advisories/GHSA-95c6-p277-p87g https://github.com/Athroniaeth/fastapi-api-key/commit/310b2c5c77305f38c63c0b917539a0344071dfd8 https://github.com/Athroniaeth/fastapi-api-key/releases/tag/1.1.0 |
| backstage–backstage | Backstage is an open framework for building developer portals, and @backstage/backend-defaults provides the default implementations and setup for a standard Backstage backend app. Prior to versions 0.12.2, 0.13.2, 0.14.1, and 0.15.0, the `FetchUrlReader` component, used by the catalog and other plugins to fetch content from URLs, followed HTTP redirects automatically. This allowed an attacker who controls a host listed in `backend.reading.allow` to redirect requests to internal or sensitive URLs that are not on the allowlist, bypassing the URL allowlist security control. This is a Server-Side Request Forgery (SSRF) vulnerability that could allow access to internal resources, but it does not allow attackers to include additional request headers. This vulnerability is fixed in `@backstage/backend-defaults` version 0.12.2, 0.13.2, 0.14.1, and 0.15.0. Users should upgrade to this version or later. Some workarounds are available. Restrict `backend.reading.allow` to only trusted hosts that you control and that do not issue redirects, ensure allowed hosts do not have open redirect vulnerabilities, and/or use network-level controls to block access from Backstage to sensitive internal endpoints. | 2026-01-21 | 3.5 | CVE-2026-24048 | https://github.com/backstage/backstage/security/advisories/GHSA-q2x5-4xjx-c6p9 https://github.com/backstage/backstage/commit/27f9061d24affd1b9212fe0abd476bfc3fbaedcb |
| Beetel–777VR1 | A security flaw has been discovered in Beetel 777VR1 up to 01.00.09/01.00.09_55. This affects an unknown part of the component UART Interface. Performing a manipulation results in information disclosure. The attack may be carried out on the physical device. The attack is considered to have high complexity. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1407 | VDB-342796 \| Beetel 777VR1 UART information disclosure VDB-342796 \| CTI Indicators (IOB, IOC, TTP) Submit #736322 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 Cleartext Exposure of Sensitive Credentials in Boot Logs – UART https://gist.github.com/raghav20232023/253c041842f622d9c2cb6ee4111c2227 |
| Beetel–777VR1 | A weakness has been identified in Beetel 777VR1 up to 01.00.09/01.00.09_55. This vulnerability affects unknown code of the component UART Interface. Executing a manipulation can lead to weak password requirements. The physical device can be targeted for the attack. The attack requires a high level of complexity. It is stated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1408 | VDB-342797 \| Beetel 777VR1 UART weak password VDB-342797 \| CTI Indicators (IOB, IOC, TTP) Submit #739384 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-521 — Weak Password Requirements https://gist.github.com/raghav20232023/9c51cbd91f3798b1c10f3f30fb631633 |
| Beetel–777VR1 | A security vulnerability has been detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. This issue affects some unknown processing of the component UART Interface. The manipulation leads to improper restriction of excessive authentication attempts. It is possible to launch the attack on the physical device. The attack’s complexity is rated as high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-25 | 2 | CVE-2026-1409 | VDB-342798 \| Beetel 777VR1 UART excessive authentication VDB-342798 \| CTI Indicators (IOB, IOC, TTP) Submit #739399 \| Beetel Beetel 777VR1 Broadband Router Firmware Version: V01.00.09 / V01.00.09_55 CWE-307 Improper Restriction – Excessive Authentication Attempts https://gist.github.com/raghav20232023/19900b427445adf37f64ae953611bfce |
| Dell–PowerScale OneFS | Dell PowerScale OneFS, versions 9.5.0.0 through 9.5.1.5, versions 9.6.0.0 through 9.7.1.10, versions 9.8.0.0 through 9.10.1.3, versions starting from 9.11.0.0 and prior to 9.13.0.0, contains a Time-of-check Time-of-use (TOCTOU) race condition vulnerability. A low privileged attacker with adjacent network access could potentially exploit this vulnerability, leading to denial of service. | 2026-01-22 | 3.5 | CVE-2026-22281 | https://www.dell.com/support/kbdoc/en-us/000415586/dsa-2026-049-security-update-for-dell-powerscale-onefs-multiple-vulnerabilities |
| franklioxygen–MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below have a Mass Assignment vulnerability in the settings management functionality due to insufficient input validation. The application’s saveSettings() function accepts arbitrary key-value pairs without validating property names against allowed settings. The function uses Record<string, any> as input type and iterates over all entries using Object.entries() without filtering unauthorized properties. Any field sent by the attacker is directly persisted to the database, regardless of whether it corresponds to a legitimate application setting. This issue has been fixed in version 1.7.78. | 2026-01-23 | 2.7 | CVE-2026-24140 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-c938-x24g-fxcx https://github.com/franklioxygen/MyTube/commit/9d737cb373f7af3e5c92d458e2832caf817b6de6 |
| HCL Software–AION | HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. | 2026-01-19 | 3.5 | CVE-2025-55249 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 3.1 | CVE-2025-55251 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION version 2 is affected by a Weak Password Policy vulnerability. This can allow the use of easily guessable passwords, potentially resulting in unauthorized access. | 2026-01-19 | 3.1 | CVE-2025-55252 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION version 2 is affected by a Cacheable HTTP Response vulnerability. This may lead to unintended storage of sensitive or dynamic content, potentially resulting in unauthorized access or information disclosure. | 2026-01-19 | 2.8 | CVE-2025-52659 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. | 2026-01-19 | 2.7 | CVE-2025-52660 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. | 2026-01-19 | 2.4 | CVE-2025-52661 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| HCL Software–AION | HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. | 2026-01-19 | 1.8 | CVE-2025-55250 | https://support.hcl-software.com/kb_view.do?sys_kb_id=4b92474633de7ad4159a05273e5c7b4b&searchTerm=kb0127995# |
| IBM–ApplinX | IBM ApplinX 11.1 could allow an authenticated user to perform unauthorized administrative actions on the server due to server-side enforcement of client-side security. | 2026-01-20 | 3.1 | CVE-2025-36410 | https://www.ibm.com/support/pages/node/7257446 |
| IBM–ApplinX | IBM ApplinX 11.1 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. | 2026-01-20 | 3.5 | CVE-2025-36411 | https://www.ibm.com/support/pages/node/7257446 |
| lcg0124–BootDo | A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. This manipulation of the argument content/author/title causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. | 2026-01-19 | 3.5 | CVE-2026-1136 | VDB-341726 \| lcg0124 BootDo ContentController save cross site scripting VDB-341726 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735164 \| BootDo V1.0 Cross Site Scripting https://github.com/webzzaa/CVE-/issues/4 |
| lcg0124–BootDo | A vulnerability was determined in lcg0124 BootDo up to 5ccd963c74058036b466e038cff37de4056c1600. Affected by this vulnerability is the function redirectToLogin of the file AccessControlFilter.java of the component Host Header Handler. This manipulation of the argument Hostname causes open redirect. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-25 | 3.5 | CVE-2026-1406 | VDB-342794 \| lcg0124 BootDo Host Header AccessControlFilter.java redirectToLogin VDB-342794 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736271 \| BootDo web V1.0 Host header injection https://github.com/webzzaa/CVE-/issues/5 |
| libexpat project–libexpat | In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data. | 2026-01-23 | 2.9 | CVE-2026-24515 | https://github.com/libexpat/libexpat/pull/1131 |
| lobehub–lobe-chat | LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, the `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership. The `userId` filter in the database query is commented out, which enables attackers to delete other users’ KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing the target’s KB ID and file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. The missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch. | 2026-01-19 | 3.7 | CVE-2026-23522 | https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6 |
| MineAdmin–MineAdmin | A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity, and exploitation is considered difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1196 | VDB-341781 \| MineAdmin getFileInfoById information disclosure VDB-341781 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734273 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x getFileInfoById Arbitrary File Read Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3 |
| MineAdmin–MineAdmin | A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack’s complexity is rated as high, and exploitation is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-20 | 3.1 | CVE-2026-1197 | VDB-341782 \| MineAdmin downloadById information disclosure VDB-341782 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #734274 \| MineAdmin MineAdmin Enterprise Backend Management System MineAdmin v1.x MineAdmin v2.x downloadById Arbitrary File Download Vulnerability https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2 |
| Oracle Corporation–MySQL Server | Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Pluggable Auth). Supported versions that are affected are 9.0.0-9.5.0. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Server. CVSS 3.1 Base Score 2.7 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L). | 2026-01-20 | 2.7 | CVE-2026-21965 | Oracle Advisory |
| Oracle Corporation–Oracle Java SE | Vulnerability in Oracle Java SE (component: JavaFX). Supported versions that are affected are Oracle Java SE: 8u471-b50. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). CVSS 3.1 Base Score 3.1 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N). | 2026-01-20 | 3.1 | CVE-2026-21947 | Oracle Advisory |
| Oracle Corporation–Oracle Zero Data Loss Recovery Appliance Software | Vulnerability in the Oracle Zero Data Loss Recovery Appliance Software product of Oracle Zero Data Loss Recovery Appliance (component: Security). Supported versions that are affected are 23.1.0-23.1.202509. Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to compromise Oracle Zero Data Loss Recovery Appliance Software. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Zero Data Loss Recovery Appliance Software accessible data. CVSS 3.1 Base Score 3.1 (Confidentiality impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N). | 2026-01-20 | 3.1 | CVE-2026-21977 | Oracle Advisory |
| Oracle Corporation–Oracle ZFS Storage Appliance Kit | Vulnerability in the Oracle ZFS Storage Appliance Kit product of Oracle Systems (component: Filesystems). The supported version that is affected is 8.8. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle ZFS Storage Appliance Kit executes to compromise Oracle ZFS Storage Appliance Kit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle ZFS Storage Appliance Kit accessible data. CVSS 3.1 Base Score 2.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N). | 2026-01-20 | 2.3 | CVE-2026-21930 | Oracle Advisory |
| pbrong–hrms | A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. The manipulation results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1161 | VDB-341755 \| pbrong hrms recruitment.go UpdateRecruitmentById cross site scripting VDB-341755 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736510 \| Pbrong hrms 1.0.1 Stored Cross Site Scripting Vulnerability https://github.com/TheLiao233/cve/issues/1 |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. | 2026-01-21 | 3.1 | CVE-2026-1035 | https://access.redhat.com/security/cve/CVE-2026-1035 RHBZ#2430314 |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | 2026-01-21 | 2.7 | CVE-2025-14083 | https://access.redhat.com/security/cve/CVE-2025-14083 RHBZ#2419086 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in glib. Missing validation of offset and count parameters in the g_buffered_input_stream_peek() function can lead to an integer overflow during length calculation. When specially crafted values are provided, this overflow results in an incorrect size being passed to memcpy(), triggering a buffer overflow. This can cause application crashes, leading to a Denial of Service (DoS). | 2026-01-21 | 3.7 | CVE-2026-0988 | https://access.redhat.com/security/cve/CVE-2026-0988 RHBZ#2429886 |
| roxnor–MetForm Contact Form, Survey, Quiz, & Custom Form Builder for Elementor | The MetForm – Contact Form, Survey, Quiz, & Custom Form Builder for Elementor plugin for WordPress is vulnerable to Sensitive Information Exposure in versions up to, and including, 4.1.0. This is due to the use of a forgeable cookie value derived only from the entry ID and current user ID without a server-side secret. This makes it possible for unauthenticated attackers to access form submission entry data via MetForm shortcodes for entries created within the transient TTL (default is 15 minutes). | 2026-01-24 | 3.7 | CVE-2026-0633 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d72cc420-1ff5-403b-b4ea-7c820fdebcf3?source=cve https://plugins.trac.wordpress.org/changeset/3438419/metform |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /php/api_register_patient.php. Such manipulation of the argument firstName/lastName leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-01-19 | 3.5 | CVE-2026-1146 | VDB-341739 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_register_patient.php cross site scripting VDB-341739 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735543 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability was found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. This affects an unknown part of the file /php/api_patient_schedule.php. Performing a manipulation of the argument Reason results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-01-19 | 3.5 | CVE-2026-1147 | VDB-341740 \| SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System api_patient_schedule.php cross site scripting VDB-341740 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735544 \| Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Cross Site Scripting |
| technical-laohu–mpay | A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. This manipulation of the argument Nickname causes cross site scripting. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-19 | 2.4 | CVE-2026-1151 | VDB-341744 \| technical-laohu mpay User Center cross site scripting VDB-341744 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #735773 \| https://gitee.com/technical-laohu/mpay mpay v1.2.4 Stored Cross-Site Scripting https://github.com/bdkuzma/vuln/issues/16 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 7-Zip–7-Zip | 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26743. | 2026-01-23 | not yet calculated | CVE-2025-11002 | ZDI-25-950 |
| AA-Team–SearchAzon | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team SearchAzon searchazon allows Cross Site Request Forgery. This issue affects SearchAzon: from n/a through <= 1.4. | 2026-01-22 | not yet calculated | CVE-2026-22360 | https://patchstack.com/database/Wordpress/Plugin/searchazon/vulnerability/wordpress-searchazon-plugin-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| AA-Team–Wordpress Movies Bulk Importer | Cross-Site Request Forgery (CSRF) vulnerability in AA-Team WordPress Movies Bulk Importer movies importer allows Cross Site Request Forgery. This issue affects WordPress Movies Bulk Importer: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22359 | https://patchstack.com/database/Wordpress/Plugin/movies%20importer/vulnerability/wordpress-wordpress-movies-bulk-importer-plugin-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Abacre–Abacre | Abacre Retail Point of Sale 14.0.0.396 is vulnerable to content-based blind SQL injection. The vulnerability exists in the Search function of the Orders page. | 2026-01-20 | not yet calculated | CVE-2025-67261 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214046/ |
| Abacre–Abacre | Abacre Retail Point of Sale 14.0.0.396 is affected by a stored cross-site scripting (XSS) vulnerability in the Clients module. The application fails to properly sanitize user-supplied input stored in the Name and Surname fields. An attacker can insert malicious HTML or script content into these fields, which is then persisted in the database. | 2026-01-20 | not yet calculated | CVE-2025-67263 | https://www.abacre.com/retailpointofsale/ https://packetstorm.news/files/id/214045/ |
| ABCdatos–Protección de datos – RGPD | Missing Authorization vulnerability in ABCdatos Protección de datos – RGPD proteccion-datos-rgpd allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Protección de datos – RGPD: from n/a through <= 0.68. | 2026-01-23 | not yet calculated | CVE-2026-24539 | https://patchstack.com/database/Wordpress/Plugin/proteccion-datos-rgpd/vulnerability/wordpress-proteccion-de-datos-rgpd-plugin-0-68-broken-access-control-vulnerability?_s_id=cve |
| Ability, Inc–Web Accessibility with Max Access | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ability, Inc Web Accessibility with Max Access accessibility-toolbar allows Stored XSS. This issue affects Web Accessibility with Max Access: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24629 | https://patchstack.com/database/Wordpress/Plugin/accessibility-toolbar/vulnerability/wordpress-web-accessibility-with-max-access-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AbsolutePlugins–Absolute Addons For Elementor | Missing Authorization vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Absolute Addons For Elementor: from n/a through <= 1.0.14. | 2026-01-22 | not yet calculated | CVE-2026-22468 | https://patchstack.com/database/Wordpress/Plugin/absolute-addons/vulnerability/wordpress-absolute-addons-for-elementor-plugin-1-0-14-broken-access-control-vulnerability?_s_id=cve |
| adamlabs–WordPress Photo Gallery | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in adamlabs WordPress Photo Gallery photo-gallery-portfolio allows Reflected XSS. This issue affects WordPress Photo Gallery: from n/a through <= 1.1.0. | 2026-01-22 | not yet calculated | CVE-2025-53240 | https://patchstack.com/database/Wordpress/Plugin/photo-gallery-portfolio/vulnerability/wordpress-wordpress-photo-gallery-plugin-1-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| agmorpheus–Syntax Highlighter Compress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in agmorpheus Syntax Highlighter Compress syntax-highlighter-compress allows Reflected XSS. This issue affects Syntax Highlighter Compress: from n/a through <= 3.0.83.3. | 2026-01-22 | not yet calculated | CVE-2025-68859 | https://patchstack.com/database/Wordpress/Plugin/syntax-highlighter-compress/vulnerability/wordpress-syntax-highlighter-compress-plugin-3-0-83-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| AivahThemes–Anona | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68901 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| AivahThemes–Anona | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in AivahThemes Anona anona allows Path Traversal. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68902 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-arbitrary-file-download-vulnerability?_s_id=cve |
| AivahThemes–Anona | Deserialization of Untrusted Data vulnerability in AivahThemes Anona anona allows Object Injection. This issue affects Anona: from n/a through <= 8.0. | 2026-01-22 | not yet calculated | CVE-2025-68903 | https://patchstack.com/database/Wordpress/Theme/anona/vulnerability/wordpress-anona-theme-8-0-php-object-injection-vulnerability?_s_id=cve |
| AivahThemes–Hostme v2 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in AivahThemes Hostme v2 hostmev2 allows Path Traversal. This issue affects Hostme v2: from n/a through <= 7.0. | 2026-01-22 | not yet calculated | CVE-2025-68907 | https://patchstack.com/database/Wordpress/Theme/hostmev2/vulnerability/wordpress-hostme-v2-theme-7-0-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Alejandro–Quick Restaurant Reservations | Missing Authorization vulnerability in Alejandro Quick Restaurant Reservations quick-restaurant-reservations allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quick Restaurant Reservations: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24529 | https://patchstack.com/database/Wordpress/Plugin/quick-restaurant-reservations/vulnerability/wordpress-quick-restaurant-reservations-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Ping Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-25568. | 2026-01-23 | not yet calculated | CVE-2026-0779 | ZDI-26-001 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28289. | 2026-01-23 | not yet calculated | CVE-2026-0780 | ZDI-26-002 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28290. | 2026-01-23 | not yet calculated | CVE-2026-0781 | ZDI-26-003 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28291. | 2026-01-23 | not yet calculated | CVE-2026-0782 | ZDI-26-004 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28292. | 2026-01-23 | not yet calculated | CVE-2026-0783 | ZDI-26-005 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28293. | 2026-01-23 | not yet calculated | CVE-2026-0784 | ZDI-26-006 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter API Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the API interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28294. | 2026-01-23 | not yet calculated | CVE-2026-0785 | ZDI-26-007 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SCI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the SCI module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28295. | 2026-01-23 | not yet calculated | CVE-2026-0786 | ZDI-26-008 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SAC Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SAC module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28296. | 2026-01-23 | not yet calculated | CVE-2026-0787 | ZDI-26-009 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Persistent Cross-Site Scripting Vulnerability. This vulnerability allows remote attackers to execute web requests with a target user’s privileges on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the functionality for viewing the syslog. The issue results from the lack of proper validation of user-supplied data, which can lead to the injection of an arbitrary script. An attacker can leverage this vulnerability to interact with the application in the context of the target user. Was ZDI-CAN-28298. | 2026-01-23 | not yet calculated | CVE-2026-0788 | ZDI-26-010 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Inclusion of Authentication Cookie in Response Body Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper management of sensitive information. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28297. | 2026-01-23 | not yet calculated | CVE-2026-0789 | ZDI-26-011 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Direct Request Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based user interface. By navigating directly to a URL, a user can gain unauthorized access to data. An attacker can leverage this vulnerability to disclose information in the context of the device. Was ZDI-CAN-28299. | 2026-01-23 | not yet calculated | CVE-2026-0790 | ZDI-26-012 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Replaces Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Replaces header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28300. | 2026-01-23 | not yet calculated | CVE-2026-0791 | ZDI-26-013 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP INVITE Alert-Info Stack-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the Alert-Info header of SIP INVITE requests. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28301. | 2026-01-23 | not yet calculated | CVE-2026-0792 | ZDI-26-014 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter InformaCast Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the InformaCast functionality. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28302. | 2026-01-23 | not yet calculated | CVE-2026-0793 | ZDI-26-015 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter SIP Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of SIP calls. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28303. | 2026-01-23 | not yet calculated | CVE-2026-0794 | ZDI-26-016 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28321. | 2026-01-23 | not yet calculated | CVE-2026-0795 | ZDI-26-017 |
| ALGO–8180 IP Audio Alerter | ALGO 8180 IP Audio Alerter Web UI Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ALGO 8180 IP Audio Alerter devices. Authentication is required to exploit this vulnerability. The specific flaw exists within the web-based user interface. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the device. Was ZDI-CAN-28322. | 2026-01-23 | not yet calculated | CVE-2026-0796 | ZDI-26-018 |
| AmentoTech–Workreap Core | Authentication Bypass Using an Alternate Path or Channel vulnerability in AmentoTech Workreap Core workreap_core allows Authentication Abuse. This issue affects Workreap Core: from n/a through <= 3.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69101 | https://patchstack.com/database/Wordpress/Plugin/workreap_core/vulnerability/wordpress-workreap-core-plugin-3-4-0-account-takeover-vulnerability?_s_id=cve |
| AncoraThemes–DiveIt | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes DiveIt diveit allows PHP Local File Inclusion. This issue affects DiveIt: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69059 | https://patchstack.com/database/Wordpress/Theme/diveit/vulnerability/wordpress-diveit-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Hobo | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Hobo hobo allows PHP Local File Inclusion. This issue affects Hobo: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-69077 | https://patchstack.com/database/Wordpress/Theme/hobo/vulnerability/wordpress-hobo-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Indoor Plants | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Indoor Plants indoor-plants allows PHP Local File Inclusion. This issue affects Indoor Plants: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69066 | https://patchstack.com/database/Wordpress/Theme/indoor-plants/vulnerability/wordpress-indoor-plants-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Malta | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Malta malta allows PHP Local File Inclusion. This issue affects Malta: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69078 | https://patchstack.com/database/Wordpress/Theme/malta/vulnerability/wordpress-malta-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Modern Housewife | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Modern Housewife modernhousewife allows PHP Local File Inclusion. This issue affects Modern Housewife: from n/a through <= 1.0.12. | 2026-01-22 | not yet calculated | CVE-2025-69076 | https://patchstack.com/database/Wordpress/Theme/modernhousewife/vulnerability/wordpress-modern-housewife-theme-1-0-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–MoveMe | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes MoveMe moveme allows PHP Local File Inclusion. This issue affects MoveMe: from n/a through <= 1.2.15. | 2026-01-22 | not yet calculated | CVE-2025-69061 | https://patchstack.com/database/Wordpress/Theme/moveme/vulnerability/wordpress-moveme-theme-1-2-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Muji | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Muji muji allows PHP Local File Inclusion. This issue affects Muji: from n/a through <= 1.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69068 | https://patchstack.com/database/Wordpress/Theme/muji/vulnerability/wordpress-muji-theme-1-2-0-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–PartyMaker | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes PartyMaker partymaker allows PHP Local File Inclusion. This issue affects PartyMaker: from n/a through <= 1.1.15. | 2026-01-22 | not yet calculated | CVE-2025-69058 | https://patchstack.com/database/Wordpress/Theme/partymaker/vulnerability/wordpress-partymaker-theme-1-1-15-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Pearson Specter | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Pearson Specter pearsonspecter allows PHP Local File Inclusion. This issue affects Pearson Specter: from n/a through <= 1.11.3. | 2026-01-22 | not yet calculated | CVE-2025-69074 | https://patchstack.com/database/Wordpress/Theme/pearsonspecter/vulnerability/wordpress-pearson-specter-theme-1-11-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Pets Land | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Pets Land petsland allows PHP Local File Inclusion. This issue affects Pets Land: from n/a through <= 1.2.8. | 2026-01-22 | not yet calculated | CVE-2025-69064 | https://patchstack.com/database/Wordpress/Theme/petsland/vulnerability/wordpress-pets-land-theme-1-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Piqes | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Piqes piqes allows PHP Local File Inclusion. This issue affects Piqes: from n/a through <= 1.0.11. | 2026-01-22 | not yet calculated | CVE-2025-69073 | https://patchstack.com/database/Wordpress/Theme/piqes/vulnerability/wordpress-piqes-theme-1-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Prider | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Prider prider allows PHP Local File Inclusion. This issue affects Prider: from n/a through <= 1.1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69072 | https://patchstack.com/database/Wordpress/Theme/prider/vulnerability/wordpress-prider-theme-1-1-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Snow Mountain | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Snow Mountain snowmountain allows PHP Local File Inclusion. This issue affects Snow Mountain: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-69065 | https://patchstack.com/database/Wordpress/Theme/snowmountain/vulnerability/wordpress-snow-mountain-theme-1-4-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Tails | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Tails tails allows PHP Local File Inclusion. This issue affects Tails: from n/a through <= 1.4.12. | 2026-01-22 | not yet calculated | CVE-2025-69067 | https://patchstack.com/database/Wordpress/Theme/tails/vulnerability/wordpress-tails-theme-1-4-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–TanTum | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes TanTum tantum allows PHP Local File Inclusion. This issue affects TanTum: from n/a through <= 1.1.13. | 2026-01-22 | not yet calculated | CVE-2025-69071 | https://patchstack.com/database/Wordpress/Theme/tantum/vulnerability/wordpress-tantum-theme-1-1-13-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Tornados | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Tornados tornados allows PHP Local File Inclusion. This issue affects Tornados: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2025-69070 | https://patchstack.com/database/Wordpress/Theme/tornados/vulnerability/wordpress-tornados-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–uReach | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes uReach ureach allows PHP Local File Inclusion. This issue affects uReach: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69060 | https://patchstack.com/database/Wordpress/Theme/ureach/vulnerability/wordpress-ureach-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Weedles | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Weedles weedles allows PHP Local File Inclusion. This issue affects Weedles: from n/a through <= 1.1.12. | 2026-01-22 | not yet calculated | CVE-2025-69062 | https://patchstack.com/database/Wordpress/Theme/weedles/vulnerability/wordpress-weedles-theme-1-1-12-local-file-inclusion-vulnerability?_s_id=cve |
| AncoraThemes–Yolox | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in AncoraThemes Yolox yolox allows PHP Local File Inclusion. This issue affects Yolox: from n/a through <= 1.0.15. | 2026-01-22 | not yet calculated | CVE-2025-69075 | https://patchstack.com/database/Wordpress/Theme/yolox/vulnerability/wordpress-yolox-theme-1-0-15-local-file-inclusion-vulnerability?_s_id=cve |
| Angel Costa–WP SEO Search | Cross-Site Request Forgery (CSRF) vulnerability in Angel Costa WP SEO Search wp-seo-search allows Cross Site Request Forgery. This issue affects WP SEO Search: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-67626 | https://patchstack.com/database/Wordpress/Plugin/wp-seo-search/vulnerability/wordpress-wp-seo-search-plugin-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Anritsu–ShockLine | Anritsu ShockLine CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu ShockLine. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27833. | 2026-01-23 | not yet calculated | CVE-2025-15348 | ZDI-25-1199 |
| Anritsu–ShockLine | Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. Authentication is not required to exploit this vulnerability. The specific flaw exists within the SCPI component. The issue results from the lack of proper locking when performing operations on an object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27315. | 2026-01-23 | not yet calculated | CVE-2025-15349 | ZDI-25-1200 |
| Anritsu–VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27039. | 2026-01-23 | not yet calculated | CVE-2025-15350 | ZDI-25-1201 |
| Anritsu–VectorStar | Anritsu VectorStar CHX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Anritsu VectorStar. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of CHX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27040. | 2026-01-23 | not yet calculated | CVE-2025-15351 | ZDI-25-1202 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.65, a vulnerability in Claude Code’s project-load flow allowed malicious repositories to exfiltrate data, including Anthropic API keys, before users confirmed trust. An attacker-controlled repository could include a settings file that sets ANTHROPIC_BASE_URL to an attacker-controlled endpoint; when the repository was opened, Claude Code would read the configuration and immediately issue API requests before showing the trust prompt, potentially leaking the user’s API keys. Users on standard Claude Code auto-update have received this fix already. Users performing manual updates are advised to update to version 2.0.65, which contains a patch, or to the latest version. | 2026-01-21 | not yet calculated | CVE-2026-21852 | https://github.com/anthropics/claude-code/security/advisories/GHSA-jh7p-qr78-84p7 |
| Antideo–Antideo Email Validator | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Antideo Antideo Email Validator antideo-email-validator allows Blind SQL Injection. This issue affects Antideo Email Validator: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-68017 | https://patchstack.com/database/Wordpress/Plugin/antideo-email-validator/vulnerability/wordpress-antideo-email-validator-plugin-1-0-10-sql-injection-vulnerability?_s_id=cve |
| antoniobg–ABG Rich Pins | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in antoniobg ABG Rich Pins abg-rich-pins allows Stored XSS. This issue affects ABG Rich Pins: from n/a through <= 1.1. | 2026-01-23 | not yet calculated | CVE-2026-24558 | https://patchstack.com/database/Wordpress/Plugin/abg-rich-pins/vulnerability/wordpress-abg-rich-pins-plugin-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Apache Software Foundation–Apache Linkis | A vulnerability in Apache Linkis. Problem Description: When using the JDBC engine and data source functionality, if the URL parameter configured on the frontend has undergone multiple rounds of URL encoding, it may bypass the system’s checks. This bypass can trigger a vulnerability that allows unauthorized access to system files via JDBC parameters. Scope of Impact: This issue affects Apache Linkis: from 1.3.0 through 1.7.0. Severity level: moderate. Solution: Continuously check if the connection information contains the “%” character; if it does, perform URL decoding. Users are recommended to upgrade to version 1.8.0, which fixes the issue. More questions about this vulnerability can be discussed here: https://lists.apache.org/list?dev@linkis.apache.org:2025-9:cve | 2026-01-19 | not yet calculated | CVE-2025-29847 | https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpqxz8g057 |
| Apache Software Foundation–Apache Linkis | A vulnerability. When org.apache.linkis.metadata.util.HiveUtils.decode() fails to perform Base64 decoding, it records the complete input parameter string in the log via `logger.error(str + "decode failed", e)`. If the input parameter contains sensitive information such as Hive Metastore keys, plaintext passwords will be left in the log files when decoding fails, resulting in information leakage. Affected Scope: Component: Sensitive fields in hive-site.xml (e.g., javax.jdo.option.ConnectionPassword) or other fields encoded in Base64. Version: Apache Linkis 1.0.0 – 1.7.0. Trigger Conditions: The value of the configuration item is an invalid Base64 string. Log files are readable by users other than hive-site.xml administrators. Severity: Low. The probability of Base64 decoding failure is low. The leakage is only triggered when logs at the Error level are exposed. Remediation: Apache Linkis 1.8.0 and later versions have replaced the log with desensitized content: `logger.error("URL decode failed: {}", e.getMessage()); // no longer outputs str`. Users are recommended to upgrade to version 1.8.0, which fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-59355 | https://lists.apache.org/thread/75z7vhftw6w1mllndgpkfmcj0fzo4lbj https://lists.apache.org/thread/4dcgmqdkk2p5y4k43ok5rgd4ylx8698h |
| Apache Software Foundation–Apache Solr | Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr’s “Rule Based Authorization Plugin” are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr’s “RuleBasedAuthorizationPlugin” * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple “roles” * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: “config-read”, “config-edit”, “schema-read”, “metrics-read”, or “security-read”. * A RuleBasedAuthorizationPlugin permission list that doesn’t define the “all” pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the “all” pre-defined permission and associates the permission with an “admin” or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1. | 2026-01-21 | not yet calculated | CVE-2026-22022 | https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn |
| Apache Software Foundation–Apache Solr | The “create core” API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr’s “allowPaths” security setting https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM “user” hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its “standalone” mode. * Solr’s “allowPath” setting is being used to restrict file access to certain directories. * Solr’s “create core” API is exposed and accessible to untrusted users. This can happen if Solr’s RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the “core-admin-edit” predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr’s RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue. | 2026-01-21 | not yet calculated | CVE-2026-22444 | https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m |
| Apple–Container | The ArchiveReader.extractContents() function used by cctl image load and container image load performs no pathname validation before extracting an archive member. This means that a carelessly or maliciously constructed archive can extract a file into any user-writable location on the system using relative pathnames. This issue is addressed in container 0.8.0 and containerization 0.21.0. | 2026-01-22 | not yet calculated | CVE-2026-20613 | https://github.com/apple/containerization/security/advisories/GHSA-cq3j-qj2h-6rv3 |
| Apryse–Apryse | A Local File Inclusion (LFI) and a Server-Side Request Forgery (SSRF) vulnerability was found in the InsertFromHtmlString() function of the Apryse HTML2PDF SDK thru 11.6.0. These vulnerabilities could allow an attacker to read local files on the server or make arbitrary HTTP requests to internal or external services. Both vulnerabilities could lead to the disclosure of sensitive data or potential system takeover. | 2026-01-22 | not yet calculated | CVE-2025-56589 | http://apryse.com https://www.stratascale.com/resource/apryse-server-module-ssrf-lfi/ |
| Apryse–Apryse | An issue was discovered in the InsertFromURL() function of the Apryse HTML2PDF SDK thru 11.10. This vulnerability could allow an attacker to execute arbitrary operating system commands on the local server. | 2026-01-22 | not yet calculated | CVE-2025-56590 | http://apryse.com https://www.stratascale.com/resource/apryse-server-argument-injection-rce/ |
| Aptsys–Aptsys | An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions. | 2026-01-23 | not yet calculated | CVE-2025-52026 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| ApusTheme–Drone | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ApusTheme Drone drone allows Reflected XSS. This issue affects Drone: from n/a through <= 1.40. | 2026-01-22 | not yet calculated | CVE-2025-49249 | https://patchstack.com/database/Wordpress/Theme/drone/vulnerability/wordpress-drone-theme-1-40-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| arduino–ArduinoCore-avr | ArduinoCore-avr contains the source code and configuration files of the Arduino AVR Boards platform. A vulnerability in versions prior to 1.8.7 allows an attacker to trigger a stack-based buffer overflow when converting floating-point values to strings with high precision. By passing very large `decimalPlaces` values to the affected String constructors or concat methods, the `dtostrf` function writes beyond fixed-size stack buffers, causing memory corruption and denial of service. Under specific conditions, this could enable arbitrary code execution on AVR-based Arduino boards. Patches: the fix is included starting from the `1.8.7` release, available at [ArduinoCore-avr v1.8.7](https://github.com/arduino/ArduinoCore-avr); the fixing commit is [1a6a417f89c8901dad646efce74ae9d3ddebfd59](https://github.com/arduino/ArduinoCore-avr/pull/613/commits/1a6a417f89c8901dad646efce74ae9d3ddebfd59). References: [ASEC-26-001 ArduinoCore-avr vXXXX Resolves Buffer Overflow Vulnerability](https://support.arduino.cc/hc/en-us/articles/XXXXX). Credits: Maxime Rossi Bellom and Ramtine Tofighi Shirazi from SecMate (https://secmate.dev/). | 2026-01-21 | not yet calculated | CVE-2025-69209 | https://github.com/arduino/ArduinoCore-avr/security/advisories/GHSA-pvx3-fm7w-6hjm https://github.com/arduino/ArduinoCore-avr/pull/613 https://github.com/arduino/ArduinoCore-avr/commit/82a8ad2fb33911d8927c7af22e0472b94325d1a7 https://github.com/arduino/ArduinoCore-avr/releases/tag/1.8.7 https://support.arduino.cc/hc/en-us/articles/24985906702748-ASEC-26-001-ArduinoCore-AVR-v1-8-7-Resolves-Stack-Based-Buffer-Overflow-Vulnerability |
| Arevico–WP Simple Redirect | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Arevico WP Simple Redirect wp-simple-redirect allows Reflected XSS. This issue affects WP Simple Redirect: from n/a through <= 1.1. | 2026-01-22 | not yet calculated | CVE-2025-68884 | https://patchstack.com/database/Wordpress/Plugin/wp-simple-redirect/vulnerability/wordpress-wp-simple-redirect-plugin-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| argoproj–argo-workflows | Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Prior to versions 3.6.17 and 3.7.8, stored XSS in the artifact directory listing allows any workflow author to execute arbitrary JavaScript in another user’s browser under the Argo Server origin, enabling API actions with the victim’s privileges. Versions 3.6.17 and 3.7.8 fix the issue. | 2026-01-21 | not yet calculated | CVE-2026-23960 | https://github.com/argoproj/argo-workflows/security/advisories/GHSA-cv78-6m8q-ph82 https://github.com/argoproj/argo-workflows/commit/159a5c56285ecd4d3bb0a67aeef4507779a44e17 https://github.com/argoproj/argo-workflows/blob/9872c296d29dcc5e9c78493054961ede9fc30797/server/artifacts/artifact_server.go#L194-L244 https://github.com/argoproj/argo-workflows/releases/tag/v3.6.17 https://github.com/argoproj/argo-workflows/releases/tag/v3.7.8 |
| Arksine–moonraker | Moonraker is a Python web server providing API access to Klipper 3D printing firmware. In versions 0.9.3 and below, instances configured with the “ldap” component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint. The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes. This issue has been fixed in version 0.10.0. | 2026-01-22 | not yet calculated | CVE-2026-24130 | https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42 |
| Arraytics–Eventin | Deserialization of Untrusted Data vulnerability in Arraytics Eventin wp-event-solution allows Object Injection. This issue affects Eventin: from n/a through <= 4.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68047 | https://patchstack.com/database/Wordpress/Plugin/wp-event-solution/vulnerability/wordpress-eventin-plugin-4-0-52-php-object-injection-vulnerability?_s_id=cve |
| artbees–JupiterX Core | Deserialization of Untrusted Data vulnerability in artbees JupiterX Core jupiterx-core allows Object Injection. This issue affects JupiterX Core: from n/a through <= 4.10.1. | 2026-01-22 | not yet calculated | CVE-2025-50004 | https://patchstack.com/database/Wordpress/Plugin/jupiterx-core/vulnerability/wordpress-jupiterx-core-plugin-4-10-1-php-object-injection-vulnerability?_s_id=cve |
| artplacer–ArtPlacer Widget | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in artplacer ArtPlacer Widget artplacer-widget allows Stored XSS. This issue affects ArtPlacer Widget: from n/a through <= 2.23.1. | 2026-01-23 | not yet calculated | CVE-2026-24555 | https://patchstack.com/database/Wordpress/Plugin/artplacer-widget/vulnerability/wordpress-artplacer-widget-plugin-2-23-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Arul Prasad J–WP Quick Post Duplicator | Missing Authorization vulnerability in Arul Prasad J WP Quick Post Duplicator wp-quick-post-duplicator allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Quick Post Duplicator: from n/a through <= 2.1. | 2026-01-22 | not yet calculated | CVE-2026-24387 | https://patchstack.com/database/Wordpress/Plugin/wp-quick-post-duplicator/vulnerability/wordpress-wp-quick-post-duplicator-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| Ashan Perera–LifePress | Missing Authorization vulnerability in Ashan Perera LifePress lifepress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LifePress: from n/a through <= 2.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24563 | https://patchstack.com/database/Wordpress/Plugin/lifepress/vulnerability/wordpress-lifepress-plugin-2-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| Atomberg–Atomberg | An issue in Atomberg Erica Smart Fan Firmware Version V1.0.36 allows an attacker to obtain sensitive information and escalate privileges via a crafted deauth frame. | 2026-01-22 | not yet calculated | CVE-2025-69822 | https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment/blob/main/Atomberg_Erica_SmatFan_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69822-Atomberg_Erica_SmatFan_Security_Assessment.git |
| Automated Logic–WebCTRL | Storing Passwords in a Recoverable Format vulnerability in Automated Logic WebCTRL on Windows, Carrier i-Vu on Windows. Storing Passwords in a Recoverable Format vulnerability (CWE-257) in the Web session management component allows an attacker to access stored passwords in a recoverable format which makes them subject to password reuse attacks by malicious users. This issue affects WebCTRL: from 6.0 through 9.0; i-Vu: from 6.0 through 9.0. | 2026-01-22 | not yet calculated | CVE-2025-14295 | https://www.corporate.carrier.com/product-security/advisories-resources/ |
| averta–Depicter Slider | Missing Authorization vulnerability in averta Depicter Slider depicter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Depicter Slider: from n/a through <= 4.0.4. | 2026-01-22 | not yet calculated | CVE-2025-68558 | https://patchstack.com/database/Wordpress/Plugin/depicter/vulnerability/wordpress-depicter-slider-plugin-4-0-4-broken-access-control-vulnerability?_s_id=cve |
| axiomthemes–Amuli | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in axiomthemes Amuli amuli allows PHP Local File Inclusion. This issue affects Amuli: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-50003 | https://patchstack.com/database/Wordpress/Theme/amuli/vulnerability/wordpress-amuli-theme-2-3-0-local-file-inclusion-vulnerability?_s_id=cve |
| ayecode–Restaurante | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ayecode Restaurante restaurante allows Reflected XSS. This issue affects Restaurante: from n/a through <= 3.0.7. | 2026-01-22 | not yet calculated | CVE-2025-52746 | https://patchstack.com/database/Wordpress/Theme/restaurante/vulnerability/wordpress-restaurante-theme-3-0-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Bdtask–Isshue | HTML Injection vulnerability in Isshue by Bdtask, consisting of an HTML injection due to a lack of proper validation of user input when sending a POST request to ‘/category_product_search’, affecting the ‘product_name’ parameter. | 2026-01-20 | not yet calculated | CVE-2025-40679 | https://www.incibe.es/en/incibe-cert/notices/aviso-sci/html-injection-isshue-bdtask |
| bdthemes–Element Pack Elementor Addons | Cross-Site Request Forgery (CSRF) vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Cross Site Request Forgery. This issue affects Element Pack Elementor Addons: from n/a through <= 8.3.13. | 2026-01-22 | not yet calculated | CVE-2025-31413 | https://patchstack.com/database/Wordpress/Plugin/bdthemes-element-pack-lite/vulnerability/wordpress-element-pack-elementor-addons-plugin-8-3-13-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Beam–Beam | Directory Traversal vulnerability in Beam beta9 v.0.1.552 allows a remote attacker to obtain sensitive information via the joinCleanPath function. | 2026-01-22 | not yet calculated | CVE-2025-69820 | https://github.com/aws/aws-sdk-php/security/advisories/GHSA-557v-xcg6-rm5m https://github.com/ryotaromatsui/CVEs/tree/main/CVE-2025-69820 https://github.com/beam-cloud/beta9/blob/c1cd75e813cf7d53e916157d920099e89ef45caa/pkg/abstractions/volume/multipart.go#L45 |
| Beaver Builder–Beaver Builder | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Beaver Builder Beaver Builder beaver-builder-lite-version allows Code Injection. This issue affects Beaver Builder: from n/a through <= 2.9.4.1. | 2026-01-22 | not yet calculated | CVE-2025-69319 | https://patchstack.com/database/Wordpress/Plugin/beaver-builder-lite-version/vulnerability/wordpress-beaver-builder-plugin-2-9-4-1-arbitrary-code-execution-vulnerability?_s_id=cve |
| Benjamin Intal–Stackable | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Benjamin Intal Stackable stackable-ultimate-gutenberg-blocks allows Stored XSS. This issue affects Stackable: from n/a through <= 3.19.5. | 2026-01-22 | not yet calculated | CVE-2025-47500 | https://patchstack.com/database/Wordpress/Plugin/stackable-ultimate-gutenberg-blocks/vulnerability/wordpress-stackable-plugin-3-19-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| bestwebsoft–Multilanguage by BestWebSoft | Missing Authorization vulnerability in bestwebsoft Multilanguage by BestWebSoft multilanguage allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Multilanguage by BestWebSoft: from n/a through <= 1.5.2. | 2026-01-23 | not yet calculated | CVE-2026-24598 | https://patchstack.com/database/Wordpress/Plugin/multilanguage/vulnerability/wordpress-multilanguage-by-bestwebsoft-plugin-1-5-2-broken-access-control-vulnerability?_s_id=cve |
| Binance–Binance | A buffer over-read in the PublicKey::verify() method of Binance – Trust Wallet Core before commit 5668c67 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-20 | not yet calculated | CVE-2025-66692 | https://github.com/trustwallet/wallet-core/commit/5668c67 https://gist.github.com/inkman97/b791189338f73b758c31a7db3cd50c2d |
| binary-parser–binary-parser | A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process. | 2026-01-20 | not yet calculated | CVE-2026-1245 | https://github.com/keichi/binary-parser/pull/283 https://github.com/keichi/binary-parser https://www.npmjs.com/package/binary-parser https://kb.cert.org/vuls/id/102648 |
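
The interpolation pattern this entry describes, as an added illustration written for this bulletin rather than code from the binary-parser project: a toy parser generator that splices user-supplied field names into source compiled with `new Function`, the injection that results, and the identifier check that closes it. The one-byte field layout, the `compileParser*` helper names and the payload string are constructed for the example.

```javascript
// Added example, not binary-parser's own code: a toy parser "compiler" that
// builds JavaScript source from user-supplied field names, the way the
// advisory describes, beside a version that refuses anything but identifiers.

// Deliberately vulnerable: f.name is spliced verbatim into the source that
// `new Function` compiles, so a name containing JavaScript syntax becomes code.
// Every field is one byte wide in this toy layout.
function compileParserUnsafe(fields) {
  let src = 'var o = {}, off = 0;\n';
  for (const f of fields) {
    src += `o.${f.name} = buf[off]; off += 1;\n`;
  }
  src += 'return o;';
  return new Function('buf', src);
}

// Hardened: accept plain identifiers only, refuse names that would touch the
// prototype chain, and emit the (now known-safe) name as a JSON string literal
// with bracket access so no attacker-chosen characters ever reach the source.
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

function assertSafeFieldName(name) {
  if (typeof name !== 'string' || !IDENTIFIER.test(name) || FORBIDDEN.has(name)) {
    throw new TypeError(`rejected field name: ${JSON.stringify(name)}`);
  }
  return name;
}

function compileParserSafe(fields) {
  let src = 'var o = {}, off = 0;\n';
  for (const f of fields) {
    const name = assertSafeFieldName(f.name);
    src += `o[${JSON.stringify(name)}] = buf[off]; off += 1;\n`;
  }
  src += 'return o;';
  return new Function('buf', src);
}

// Constructed attacker input: a "field name" that terminates the assignment,
// injects a statement (a harmless global marker here) and resumes the syntax.
const PAYLOAD = 'len = buf[off]; globalThis.injected = true; o.tail';
const SAMPLE = new Uint8Array([0x05, 0x00]); // constructed two-byte record

function demoUnsafe() {
  delete globalThis.injected;
  const parsed = compileParserUnsafe([{ name: PAYLOAD }])(SAMPLE);
  return { injected: globalThis.injected === true, keys: Object.keys(parsed) };
}

function demoSafe() {
  delete globalThis.injected;
  let rejected = false;
  try {
    compileParserSafe([{ name: PAYLOAD }]);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  const parsed = compileParserSafe([{ name: 'len' }, { name: 'type' }])(SAMPLE);
  return { rejected, injected: globalThis.injected === true, parsed };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demoUnsafe()); // { injected: true, keys: [ 'len', 'tail' ] }
  console.log(demoSafe());   // { rejected: true, injected: false, parsed: { len: 5, type: 0 } }
}
```

The allow-list on the name is what matters; the JSON-literal emission is belt-and-braces so that a future loosening of the regex does not silently reopen the hole. The same rule applies to the encoding parameters the entry mentions: anything that ends up inside generated source has to be drawn from a closed set, never passed through.

| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|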
| blazethemes–Blogistic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogistic blogistic allows Using Malicious Files. This issue affects Blogistic: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68909 | https://patchstack.com/database/Wordpress/Theme/blogistic/vulnerability/wordpress-blogistic-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes–Blogmatic | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogmatic blogmatic allows arbitrary file upload. This issue affects Blogmatic: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-62050 | https://patchstack.com/database/Wordpress/Theme/blogmatic/vulnerability/wordpress-blogmatic-theme-1-0-3-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes–Blogzee | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes Blogzee blogzee allows Using Malicious Files. This issue affects Blogzee: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-68910 | https://patchstack.com/database/Wordpress/Theme/blogzee/vulnerability/wordpress-blogzee-theme-1-0-5-arbitrary-file-upload-vulnerability?_s_id=cve |
| blazethemes–News Event | Unrestricted Upload of File with Dangerous Type vulnerability in blazethemes News Event news-event allows arbitrary file upload. This issue affects News Event: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-62056 | https://patchstack.com/database/Wordpress/Theme/news-event/vulnerability/wordpress-news-event-theme-1-0-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| Booking Activities Team–Booking Activities | Incorrect Privilege Assignment vulnerability in Booking Activities Team Booking Activities booking-activities allows Privilege Escalation. This issue affects Booking Activities: from n/a through <= 1.16.44. | 2026-01-22 | not yet calculated | CVE-2025-67953 | https://patchstack.com/database/Wordpress/Plugin/booking-activities/vulnerability/wordpress-booking-activities-plugin-1-16-44-privilege-escalation-vulnerability?_s_id=cve |
| bookingalgorithms–BA Book Everything | Missing Authorization vulnerability in bookingalgorithms BA Book Everything ba-book-everything allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BA Book Everything: from n/a through <= 1.8.16. | 2026-01-22 | not yet calculated | CVE-2026-24371 | https://patchstack.com/database/Wordpress/Plugin/ba-book-everything/vulnerability/wordpress-ba-book-everything-plugin-1-8-16-broken-access-control-vulnerability?_s_id=cve |
| Boopathi Rajan–WP Test Email | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Boopathi Rajan WP Test Email wp-test-email allows Reflected XSS. This issue affects WP Test Email: from n/a through <= 1.1.7. | 2026-01-22 | not yet calculated | CVE-2025-69102 | https://patchstack.com/database/Wordpress/Plugin/wp-test-email/vulnerability/wordpress-wp-test-email-plugin-1-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Botble–TransP | HTML injection vulnerability in multiple Botble products such as TransP, Athena, Martfury, and Homzen, consisting of an HTML injection due to a lack of proper validation of user input by sending a request to ‘/search’ using the ‘q’ parameter. | 2026-01-20 | not yet calculated | CVE-2026-1183 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-multiple-botble-products |
| boxnow–BOX NOW Delivery | Missing Authorization vulnerability in boxnow BOX NOW Delivery box-now-delivery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BOX NOW Delivery: from n/a through <= 3.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24571 | https://patchstack.com/database/Wordpress/Plugin/box-now-delivery/vulnerability/wordpress-box-now-delivery-plugin-3-0-2-broken-access-control-vulnerability?_s_id=cve |
| bPlugins–B Accordion | Insertion of Sensitive Information Into Sent Data vulnerability in bPlugins B Accordion b-accordion allows Retrieve Embedded Sensitive Data. This issue affects B Accordion: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24565 | https://patchstack.com/database/Wordpress/Plugin/b-accordion/vulnerability/wordpress-b-accordion-plugin-2-0-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| bPlugins–B Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in bPlugins B Slider b-slider allows DOM-Based XSS. This issue affects B Slider: from n/a through <= 2.0.6. | 2026-01-22 | not yet calculated | CVE-2026-24383 | https://patchstack.com/database/Wordpress/Plugin/b-slider/vulnerability/wordpress-b-slider-plugin-2-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Brecht–WP Recipe Maker | Missing Authorization vulnerability in Brecht WP Recipe Maker wp-recipe-maker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Recipe Maker: from n/a through <= 10.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24357 | https://patchstack.com/database/Wordpress/Plugin/wp-recipe-maker/vulnerability/wordpress-wp-recipe-maker-plugin-10-2-4-broken-access-control-vulnerability?_s_id=cve |
| briarinc–Anything Order by Terms | Missing Authorization vulnerability in briarinc Anything Order by Terms anything-order-by-terms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Anything Order by Terms: from n/a through <= 1.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24567 | https://patchstack.com/database/Wordpress/Plugin/anything-order-by-terms/vulnerability/wordpress-anything-order-by-terms-plugin-1-4-0-broken-access-control-vulnerability?_s_id=cve |
| Broadstreet–Broadstreet Ads | Missing Authorization vulnerability in Broadstreet Broadstreet Ads broadstreet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Broadstreet Ads: from n/a through <= 1.52.1. | 2026-01-22 | not yet calculated | CVE-2025-69311 | https://patchstack.com/database/Wordpress/Plugin/broadstreet/vulnerability/wordpress-broadstreet-ads-plugin-1-52-1-broken-access-control-vulnerability?_s_id=cve |
| bslthemes–Myour | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in bslthemes Myour myour allows PHP Local File Inclusion. This issue affects Myour: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2025-67615 | https://patchstack.com/database/Wordpress/Theme/myour/vulnerability/wordpress-myour-theme-1-5-1-local-file-inclusion-vulnerability?_s_id=cve |
| BZOTheme–Mella | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in BZOTheme Mella mella allows PHP Local File Inclusion. This issue affects Mella: from n/a through <= 1.2.29. | 2026-01-22 | not yet calculated | CVE-2025-67616 | https://patchstack.com/database/Wordpress/Theme/mella/vulnerability/wordpress-mella-theme-1-2-29-local-file-inclusion-vulnerability?_s_id=cve |
| cardpaysolutions–Payment Gateway Authorize.Net CIM for WooCommerce | Missing Authorization vulnerability in cardpaysolutions Payment Gateway Authorize.Net CIM for WooCommerce authnet-cim-for-woo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway Authorize.Net CIM for WooCommerce: from n/a through <= 2.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68013 | https://patchstack.com/database/Wordpress/Plugin/authnet-cim-for-woo/vulnerability/wordpress-payment-gateway-authorize-net-cim-for-woocommerce-plugin-2-1-2-arbitrary-content-deletion-vulnerability?_s_id=cve |
| Cargus eCommerce–Cargus | Insertion of Sensitive Information Into Sent Data vulnerability in Cargus eCommerce Cargus cargus allows Retrieve Embedded Sensitive Data. This issue affects Cargus: from n/a through <= 1.5.8. | 2026-01-23 | not yet calculated | CVE-2026-24589 | https://patchstack.com/database/Wordpress/Plugin/cargus/vulnerability/wordpress-cargus-plugin-1-5-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| Casey Bisson–wpCAS | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Casey Bisson wpCAS wpcas allows Reflected XSS. This issue affects wpCAS: from n/a through <= 1.07. | 2026-01-22 | not yet calculated | CVE-2025-68858 | https://patchstack.com/database/Wordpress/Plugin/wpcas/vulnerability/wordpress-wpcas-plugin-1-0-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Chainlit–Chainlit | Chainlit versions prior to 2.9.4 contain an arbitrary file read vulnerability in the /project/element update flow. An authenticated client can send a custom Element with a user-controlled path value, causing the server to copy the referenced file into the attacker’s session. The resulting element identifier (chainlitKey) can then be used to retrieve the file contents via /project/file/<chainlitKey>, allowing disclosure of any file readable by the Chainlit service. | 2026-01-19 | not yet calculated | CVE-2026-22218 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-arbitrary-file-read-via-project-element |
| Chainlit–Chainlit | Chainlit versions prior to 2.9.4 contain a server-side request forgery (SSRF) vulnerability in the /project/element update flow when configured with the SQLAlchemy data layer backend. An authenticated client can provide a user-controlled url value in an Element, which is fetched by the SQLAlchemy element creation logic using an outbound HTTP GET request. This allows an attacker to make arbitrary HTTP requests from the Chainlit server to internal network services or cloud metadata endpoints and store the retrieved responses via the configured storage provider. | 2026-01-19 | not yet calculated | CVE-2026-22219 | https://github.com/Chainlit/chainlit/releases/tag/2.9.4 https://www.zafran.io/resources/chainleak-critical-ai-framework-vulnerabilities-expose-data-enable-cloud-takeover https://www.vulncheck.com/advisories/chainlit-sqlalchemy-data-layer-ssrf-via-project-element |
| Chandni Patel–WP MapIt | Missing Authorization vulnerability in Chandni Patel WP MapIt wp-mapit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP MapIt: from n/a through <= 3.0.3. | 2026-01-22 | not yet calculated | CVE-2026-22466 | https://patchstack.com/database/Wordpress/Plugin/wp-mapit/vulnerability/wordpress-wp-mapit-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve |
| charmbracelet–soft-serve | Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by “offering” the victim’s public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the “offer” phase and is not cleared if that specific authentication attempt fails. This issue has been fixed in version 0.11.3. | 2026-01-22 | not yet calculated | CVE-2026-24058 | https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741 https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3 |
| Chris Simmons–WP BackItUp | Missing Authorization vulnerability in Chris Simmons WP BackItUp wp-backitup allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP BackItUp: from n/a through <= 2.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68039 | https://patchstack.com/database/Wordpress/Plugin/wp-backitup/vulnerability/wordpress-wp-backitup-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| cjjparadoxmax–Synergy Project Manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in cjjparadoxmax Synergy Project Manager synergy-project-manager allows Stored XSS. This issue affects Synergy Project Manager: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2025-68898 | https://patchstack.com/database/Wordpress/Plugin/synergy-project-manager/vulnerability/wordpress-synergy-project-manager-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cleverplugins–SEO Booster | Missing Authorization vulnerability in cleverplugins SEO Booster seo-booster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SEO Booster: from n/a through <= 6.1.8. | 2026-01-22 | not yet calculated | CVE-2025-68019 | https://patchstack.com/database/Wordpress/Plugin/seo-booster/vulnerability/wordpress-seo-booster-plugin-6-1-8-broken-access-control-vulnerability?_s_id=cve |
| CleverReach–CleverReach WP | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in CleverReach® CleverReach® WP cleverreach-wp allows SQL Injection. This issue affects CleverReach® WP: from n/a through <= 1.5.22. | 2026-01-22 | not yet calculated | CVE-2025-68034 | https://patchstack.com/database/Wordpress/Plugin/cleverreach-wp/vulnerability/wordpress-cleverreach-wp-plugin-1-5-22-sql-injection-vulnerability?_s_id=cve |
| CleverSoft–Anon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CleverSoft Anon anon2x allows Reflected XSS. This issue affects Anon: from n/a through <= 2.2.10. | 2026-01-22 | not yet calculated | CVE-2025-67620 | https://patchstack.com/database/Wordpress/Theme/anon2x/vulnerability/wordpress-anon-theme-2-2-10-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Cloudflare–Wrangler | Summary: A command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler. Root cause: The commitHash variable, derived from user input via the `--commit-hash` CLI argument, is interpolated directly into a shell command using template literals (e.g., execSync(`git show -s --format=%B ${commitHash}`)). Shell metacharacters are interpreted by the shell, enabling command execution. Impact: This vulnerability is generally hard to exploit, as it requires `--commit-hash` to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the `--commit-hash` parameter is populated from external, potentially untrusted sources. An attacker could exploit this to: * Run any shell command. * Exfiltrate environment variables. * Compromise the CI runner to install backdoors or modify build artifacts. Credits: Disclosed responsibly by kny4hacker. Mitigation: * Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. * Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. * Users on Wrangler v2 (EOL) should upgrade to a supported major version. | 2026-01-20 | not yet calculated | CVE-2026-0933 | https://github.com/cloudflare/workers-sdk |
| Cloudinary–Cloudinary | Missing Authorization vulnerability in Cloudinary Cloudinary cloudinary-image-management-and-manipulation-in-the-cloud-cdn allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cloudinary: from n/a through <= 3.3.0. | 2026-01-23 | not yet calculated | CVE-2026-24560 | https://patchstack.com/database/Wordpress/Plugin/cloudinary-image-management-and-manipulation-in-the-cloud-cdn/vulnerability/wordpress-cloudinary-plugin-3-3-0-broken-access-control-vulnerability?_s_id=cve |
| CloudPanel–CLP Varnish Cache | Missing Authorization vulnerability in CloudPanel CLP Varnish Cache clp-varnish-cache allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CLP Varnish Cache: from n/a through <= 1.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24525 | https://patchstack.com/database/Wordpress/Plugin/clp-varnish-cache/vulnerability/wordpress-clp-varnish-cache-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| Codeless–Slider Templates | Missing Authorization vulnerability in Codeless Slider Templates slider-templates allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Slider Templates: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-68009 | https://patchstack.com/database/Wordpress/Plugin/slider-templates/vulnerability/wordpress-slider-templates-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| codisto–Omnichannel for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in codisto Omnichannel for WooCommerce codistoconnect allows Stored XSS. This issue affects Omnichannel for WooCommerce: from n/a through <= 1.3.65. | 2026-01-22 | not yet calculated | CVE-2025-68041 | https://patchstack.com/database/Wordpress/Plugin/codistoconnect/vulnerability/wordpress-omnichannel-for-woocommerce-plugin-1-3-65-cross-site-scripting-xss-vulnerability?_s_id=cve |
| COP–UX Flat | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in COP UX Flat ux-flat allows Stored XSS. This issue affects UX Flat: from n/a through <= 5.4.0. | 2026-01-23 | not yet calculated | CVE-2026-24576 | https://patchstack.com/database/Wordpress/Plugin/ux-flat/vulnerability/wordpress-ux-flat-plugin-5-4-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| copier-org–copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it’s safe to generate a project from a safe template, i.e. one that doesn’t use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE`/`--trust` flag. As it turns out, a safe template can currently include arbitrary files/directories outside the local template clone location by using symlinks along with `_preserve_symlinks: false` (which is Copier’s default setting). Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23968 | https://github.com/copier-org/copier/security/advisories/GHSA-xjhm-gp88-8pfx https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 |
| copier-org–copier | Copier is a library and CLI app for rendering project templates. Prior to version 9.11.2, Copier suggests that it’s safe to generate a project from a safe template, i.e. one that doesn’t use unsafe features like custom Jinja extensions which would require passing the `--UNSAFE`/`--trust` flag. As it turns out, a safe template can currently write to arbitrary directories outside the destination path by using a directory symlink along with `_preserve_symlinks: true` and a generated directory structure whose rendered path is inside the symlinked directory. This way, a malicious template author can create a template that overwrites arbitrary files (according to the user’s write permissions), e.g., to cause havoc. Version 9.11.2 patches the issue. | 2026-01-21 | not yet calculated | CVE-2026-23986 | https://github.com/copier-org/copier/security/advisories/GHSA-4fqp-r85r-hxqh https://github.com/copier-org/copier/commit/b3a7b3772d17cf0e7a4481978188c9f536c8d8f6 https://github.com/copier-org/copier/releases/tag/v9.11.2 |
| coreshop–CoreShop | CoreShop is a Pimcore enhanced eCommerce solution. An error-based SQL Injection vulnerability was identified in versions prior to 4.1.9 in the `CustomerTransformerController` within the CoreShop admin panel. The affected endpoint improperly interpolates user-supplied input into a SQL query, leading to database error disclosure and potential data extraction. Version 4.1.9 fixes the issue. | 2026-01-22 | not yet calculated | CVE-2026-23959 | https://github.com/coreshop/CoreShop/security/advisories/GHSA-fqcv-8859-86x2 https://github.com/coreshop/CoreShop/commit/af80b8f5c7df5f02f44e9c5e0a4a564de274eec2 https://github.com/coreshop/CoreShop/releases/tag/4.1.9 |
| cozythemes–HomeLancer | Missing Authorization vulnerability in cozythemes HomeLancer homelancer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HomeLancer: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-49375 | https://patchstack.com/database/Wordpress/Theme/homelancer/vulnerability/wordpress-homelancer-theme-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt–Seriously Simple Podcasting | Server-Side Request Forgery (SSRF) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Server Side Request Forgery. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-01-22 | not yet calculated | CVE-2026-24360 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| crawlchat–crawlchat | CrawlChat is an open-source, AI-powered platform that transforms technical documentation into intelligent chatbots. Prior to version 0.0.8, a missing permission check in CrawlChat’s Discord bot allows guild members without manage permissions to put malicious content into the collection’s knowledge base. Usually, admins / mods of a Discord guild use the `jigsaw` emoji to save a specific message (chain) to the collection’s knowledge base in CrawlChat. Unfortunately, no permission check (for e.g. MANAGE_SERVER, MANAGE_MESSAGES etc.) was done, allowing normal users of the guild to add information to the knowledge base. By targeting specific topics that are commonly asked about, users can manipulate the content given out by the bot (on all integrations), e.g. to redirect users to a malicious site or send information to a malicious user. Version 0.0.8 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23875 | https://github.com/crawlchat/crawlchat/security/advisories/GHSA-f484-62p4-6w4p https://github.com/crawlchat/crawlchat/commit/f90ebb93c6a830f6cf609d683f6425af8434573a https://github.com/crawlchat/crawlchat/releases/tag/v0.0.8 |
| CridioStudio–ListingPro Reviews | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in CridioStudio ListingPro Reviews listingpro-reviews allows Reflected XSS. This issue affects ListingPro Reviews: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69051 | https://patchstack.com/database/Wordpress/Plugin/listingpro-reviews/vulnerability/wordpress-listingpro-reviews-theme-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| CRM Perks–Integration for Contact Form 7 HubSpot | Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data. This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24559 | https://patchstack.com/database/Wordpress/Plugin/cf7-hubspot/vulnerability/wordpress-integration-for-contact-form-7-hubspot-plugin-1-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Crocoblock–JetEngine | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS. This issue affects JetEngine: from n/a through <= 3.7.7. | 2026-01-22 | not yet calculated | CVE-2025-67923 | https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-7-7-cross-site-scripting-xss-vulnerability?_s_id=cve |
| cvat-ai–cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 2.2.0 through 2.54.0, an attacker is able to execute arbitrary JavaScript in a victim user’s CVAT UI session, provided that they are able to create a maliciously crafted label in a CVAT task or project, then get the victim user to either edit that label, or view a shape that refers to that label; and/or get the victim user to upload a maliciously crafted SVG image when configuring a skeleton. This gives the attacker temporary access to all CVAT resources that the victim user can access. Version 2.55.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2026-23516 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-3m7p-wx65-c7mp https://github.com/cvat-ai/cvat/commit/40800707fe39e3ff76c8d036eb953eb12d764e70 |
| cvat-ai–cvat | CVAT is an open source interactive video and image annotation tool for computer vision. In versions 1.0.0 through 2.54.0, users that have the staff status may freely change their permissions, including giving themselves superuser status and joining the admin group, which gives them full access to the data in the CVAT instance. Version 2.55.0 fixes the issue. As a workaround, review the list of users with staff status and revoke it from any users that are not expected to have superuser privileges. | 2026-01-21 | not yet calculated | CVE-2026-23526 | https://github.com/cvat-ai/cvat/security/advisories/GHSA-7pvv-w55f-qmw7 https://github.com/cvat-ai/cvat/commit/88ac7aa4d5b52271a30f1aa387c0f5745f8f77d4 |
| D-Link–D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an improper access control vulnerability in backend API endpoints. Any authenticated user can supply an arbitrary user_id value to retrieve sensitive credential data belonging to other users, including super administrators. The exposed credential material can be reused directly as a valid authentication secret, allowing full impersonation of the targeted account. This results in complete account takeover and full administrative control over the D-View system. | 2026-01-21 | not yet calculated | CVE-2026-23754 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-idor-allows-credential-disclosure-and-account-takeover |
| D-Link–D-View 8 | D-Link D-View 8 versions 2.0.1.107 and below contain an uncontrolled search path vulnerability in the installer. When executed with elevated privileges via UAC, the installer attempts to load version.dll from its execution directory, allowing DLL preloading. An attacker can supply a malicious version.dll alongside the legitimate installer so that, when a victim runs the installer and approves the UAC prompt, attacker-controlled code executes with administrator privileges. This can lead to full system compromise. | 2026-01-21 | not yet calculated | CVE-2026-23755 | https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10471 https://www.vulncheck.com/advisories/dlink-dview-8-installer-dll-preloading-via-uncontrolled-search-path |
| daap–daap | NULL pointer dereference in the daap_reply_groups function in src/httpd_daap.c in owntone-server through commit 5e6f19a (newer commit after version 28.2) allows remote attackers to cause a Denial of Service. | 2026-01-20 | not yet calculated | CVE-2025-57155 | https://github.com/owntone/owntone-server/commit/d857116e4143a500d6a1ea13f4baa057ba3b0028 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp–dacp | NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash). | 2026-01-20 | not yet calculated | CVE-2025-57156 | https://github.com/owntone/owntone-server/issues/1907 https://github.com/owntone/owntone-server/commit/5e4d40ee03ae22ab79534bb1410fa9db96c9fabd https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| dacp–dacp | A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63648 | https://github.com/owntone/owntone-server/issues/1933 https://github.com/owntone/owntone-server/commit/5f526c7a7e08c567a5c72421d74a79dafdd07621 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Damian–WP Popups | Missing Authorization vulnerability in Damian WP Popups wp-popups-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Popups: from n/a through <= 2.2.0.3. | 2026-01-23 | not yet calculated | CVE-2026-24616 | https://patchstack.com/database/Wordpress/Plugin/wp-popups-lite/vulnerability/wordpress-wp-popups-plugin-2-2-0-3-broken-access-control-vulnerability?_s_id=cve |
| Daniel Iser–Easy Modal | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Daniel Iser Easy Modal easy-modal allows Stored XSS. This issue affects Easy Modal: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24617 | https://patchstack.com/database/Wordpress/Plugin/easy-modal/vulnerability/wordpress-easy-modal-plugin-2-1-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| dataease–dataease | Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints that verify JWT tokens. The vulnerability has been fixed in v2.10.19. No known workarounds are available. | 2026-01-22 | not yet calculated | CVE-2026-23958 | https://github.com/dataease/dataease/security/advisories/GHSA-5wvm-4m4q-rh7j |
| dataease–SQLBot | SQLBot is an intelligent data query system based on a large language model and RAG. Versions prior to 1.5.0 contain a missing authentication vulnerability in the /api/v1/datasource/uploadExcel endpoint, allowing a remote unauthenticated attacker to upload arbitrary Excel/CSV files and inject data directly into the PostgreSQL database. The endpoint is explicitly added to the authentication whitelist, causing the TokenMiddleware to bypass all token validation. Uploaded files are parsed by pandas and inserted into the database via to_sql() with if_exists=’replace’ mode. The vulnerability has been fixed in v1.5.0. No known workarounds are available. | 2026-01-21 | not yet calculated | CVE-2025-69285 | https://github.com/dataease/SQLBot/security/advisories/GHSA-crfm-cch4-hjpv https://github.com/dataease/SQLBot/releases/tag/v1.5.0 |
| Deetronix–Booking Ultra Pro | Insertion of Sensitive Information Into Sent Data vulnerability in Deetronix Booking Ultra Pro booking-ultra-pro allows Retrieve Embedded Sensitive Data. This issue affects Booking Ultra Pro: from n/a through <= 1.1.23. | 2026-01-22 | not yet calculated | CVE-2025-68006 | https://patchstack.com/database/Wordpress/Plugin/booking-ultra-pro/vulnerability/wordpress-booking-ultra-pro-plugin-1-1-23-sensitive-data-exposure-vulnerability?_s_id=cve |
| Design–Stylish Cost Calculator | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Design Stylish Cost Calculator stylish-cost-calculator allows Stored XSS. This issue affects Stylish Cost Calculator: from n/a through <= 8.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24630 | https://patchstack.com/database/Wordpress/Plugin/stylish-cost-calculator/vulnerability/wordpress-stylish-cost-calculator-plugin-8-1-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designingmedia–Hostiko | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in designingmedia Hostiko hostiko allows Reflected XSS. This issue affects Hostiko: from n/a through < 94.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67949 | https://patchstack.com/database/Wordpress/Theme/hostiko/vulnerability/wordpress-hostiko-theme-94-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| designthemes–Kids Heaven | Deserialization of Untrusted Data vulnerability in designthemes Kids Heaven kids-world allows Object Injection. This issue affects Kids Heaven: from n/a through <= 3.2. | 2026-01-22 | not yet calculated | CVE-2025-67619 | https://patchstack.com/database/Wordpress/Theme/kids-world/vulnerability/wordpress-kids-heaven-theme-3-2-php-object-injection-vulnerability?_s_id=cve |
| designthemes–OneLife | Deserialization of Untrusted Data vulnerability in designthemes OneLife onelife allows Object Injection. This issue affects OneLife: from n/a through <= 3.9. | 2026-01-22 | not yet calculated | CVE-2025-69002 | https://patchstack.com/database/Wordpress/Theme/onelife/vulnerability/wordpress-onelife-theme-3-9-php-object-injection-vulnerability?_s_id=cve |
| designthemes–Reservation Plugin | Missing Authorization vulnerability in designthemes Reservation Plugin dt-reservation-plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Reservation Plugin: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2025-69095 | https://patchstack.com/database/Wordpress/Plugin/dt-reservation-plugin/vulnerability/wordpress-reservation-plugin-plugin-1-7-settings-change-vulnerability?_s_id=cve |
| designthemes–Vivagh | Deserialization of Untrusted Data vulnerability in designthemes Vivagh vivagh allows Object Injection. This issue affects Vivagh: from n/a through <= 2.4. | 2026-01-22 | not yet calculated | CVE-2025-68899 | https://patchstack.com/database/Wordpress/Theme/vivagh/vulnerability/wordpress-vivagh-theme-2-4-php-object-injection-vulnerability?_s_id=cve |
| Devolutions–Server | SQL Injection vulnerability in remote-sessions in Devolutions Server. This issue affects Devolutions Server: from 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-0610 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| Devolutions–Server | Incorrect Authorization vulnerability in virtual gateway component in Devolutions Server allows attackers to bypass deny IP rules. This issue affects Server: from 2025.3.1 through 2025.3.12. | 2026-01-19 | not yet calculated | CVE-2026-1007 | https://devolutions.net/security/advisories/DEVO-2026-0003/ |
| DevsBlink–EduBlink Core | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in DevsBlink EduBlink Core edublink-core allows PHP Local File Inclusion. This issue affects EduBlink Core: from n/a through <= 2.0.7. | 2026-01-23 | not yet calculated | CVE-2026-24635 | https://patchstack.com/database/Wordpress/Plugin/edublink-core/vulnerability/wordpress-edublink-core-plugin-2-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| Devsbrain–Flex QR Code Generator | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Devsbrain Flex QR Code Generator flex-qr-code-generator allows DOM-Based XSS. This issue affects Flex QR Code Generator: from n/a through <= 1.2.8. | 2026-01-23 | not yet calculated | CVE-2026-24614 | https://patchstack.com/database/Wordpress/Plugin/flex-qr-code-generator/vulnerability/wordpress-flex-qr-code-generator-plugin-1-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Dimitri Grassi–Salon booking system | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dimitri Grassi Salon booking system salon-booking-system allows Retrieve Embedded Sensitive Data. This issue affects Salon booking system: from n/a through <= 10.30.3. | 2026-01-22 | not yet calculated | CVE-2025-67954 | https://patchstack.com/database/Wordpress/Plugin/salon-booking-system/vulnerability/wordpress-salon-booking-system-plugin-10-30-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| DioxusLabs–components | Dioxus Components is a shadcn-style component library for the Dioxus app framework. Prior to commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a, `use_animated_open` formats a string for `eval` with an `id` that can be user supplied. Commit 41e4242ecb1062d04ae42a5215363c1d9fd4e23a patches the issue. | 2026-01-23 | not yet calculated | CVE-2026-24474 | https://github.com/DioxusLabs/components/security/advisories/GHSA-34pj-292j-xr69 https://github.com/DioxusLabs/components/commit/41e4242ecb1062d04ae42a5215363c1d9fd4e23a |
| Discord–Client | Discord Client Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of Discord Client. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the discord_rpc module. The product loads a file from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-27057. | 2026-01-23 | not yet calculated | CVE-2026-0776 | ZDI-26-040 |
| Dmytro Shteflyuk–CodeColorer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Dmytro Shteflyuk CodeColorer codecolorer allows Stored XSS. This issue affects CodeColorer: from n/a through <= 0.10.1. | 2026-01-22 | not yet calculated | CVE-2025-68012 | https://patchstack.com/database/Wordpress/Plugin/codecolorer/vulnerability/wordpress-codecolorer-plugin-0-10-1-stored-cross-site-scripting-xss-vulnerability?_s_id=cve |
| docmost–docmost | Docmost is open-source collaborative wiki and documentation software. In versions 0.3.0 through 0.23.2, Mermaid code block rendering is vulnerable to stored Cross-Site Scripting (XSS). The frontend can render attacker-controlled Mermaid diagrams using mermaid.render(), then inject the returned SVG/HTML into the DOM via dangerouslySetInnerHTML without sanitization. Mermaid per-diagram %%{init}%% directives allow overriding securityLevel and enabling htmlLabels, permitting arbitrary HTML/JS execution for any viewer. This issue has been fixed in version 0.24.0. | 2026-01-21 | not yet calculated | CVE-2026-23630 | https://github.com/docmost/docmost/security/advisories/GHSA-r4hj-mc62-jmwj https://github.com/docmost/docmost/commit/cb9f27da9a8b4940760e37e5238a1eb91e427daf https://github.com/docmost/docmost/releases/tag/v0.24.0 |
| docopt.cpp–docopt.cpp | A signed integer overflow in docopt.cpp v0.6.2 (LeafPattern::match in docopt_private.h) when merging occurrence counters (e.g., default LONG_MAX + first user "-v/--verbose") can cause counter wrap (negative/unbounded semantics) and lead to logic/policy bypass in applications that rely on occurrence-based limits, rate-gating, or safety toggles. In hardened builds (e.g., UBSan or -ftrapv), the overflow may also result in process abort (DoS). | 2026-01-23 | not yet calculated | CVE-2025-67125 | https://gist.github.com/thesmartshadow/672afe8828844c833f46f8ebe2f5f3bd https://github.com/docopt/docopt.cpp |
| Doogee–Doogee | An OS command injection vulnerability in the com.sprd.engineermode component in Doogee Note59, Note59 Pro, and Note59 Pro+ allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell, due to incomplete patching of CVE-2025-31710. | 2026-01-23 | not yet calculated | CVE-2025-67264 | http://doogee.com https://github.com/Skorpion96/unisoc-su/blob/main/CVE-2025-67264.md |
| Dotstore–Fraud Prevention For Woocommerce | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Dotstore Fraud Prevention For Woocommerce woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers allows Retrieve Embedded Sensitive Data. This issue affects Fraud Prevention For Woocommerce: from n/a through <= 2.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24553 | https://patchstack.com/database/Wordpress/Plugin/woo-blocker-lite-prevent-fake-orders-and-blacklist-fraud-customers/vulnerability/wordpress-fraud-prevention-for-woocommerce-plugin-2-3-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| dragonflyoss–dragonfly | Dragonfly is an open source P2P-based file distribution and image acceleration system. In versions 2.4.1-rc.0 and below, the Job API endpoints (/api/v1/jobs) lack JWT authentication middleware and RBAC authorization checks in the routing configuration. This allows any unauthenticated user with access to the Manager API to view, update and delete jobs. The issue is fixed in version 2.4.1-rc.1. | 2026-01-22 | not yet calculated | CVE-2026-24124 | https://github.com/dragonflyoss/dragonfly/security/advisories/GHSA-j8hf-cp34-g4j7 https://github.com/dragonflyoss/dragonfly/commit/9fb9a2dfde3100f32dc7f48eabee4c2b64eac55f |
| Dynamicweb–Dynamicweb | An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later). | 2026-01-23 | not yet calculated | CVE-2022-25369 | https://www.dynamicweb.com/resources/downloads?Category=Releases https://www.assetnote.io/resources/research/advisory-dynamicweb-logic-flaw-leading-to-rce-cve-2022-25369 |
| e-plugins–Final User | Missing Authorization vulnerability in e-plugins Final User final-user allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69187 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Final User | Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation. This issue affects Final User: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69293 | https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins–fitness-trainer | Missing Authorization vulnerability in e-plugins fitness-trainer fitness-trainer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects fitness-trainer: from n/a through <= 1.7.1. | 2026-01-22 | not yet calculated | CVE-2025-69188 | https://patchstack.com/database/Wordpress/Plugin/fitness-trainer/vulnerability/wordpress-fitness-trainer-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-68057 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins–Hospital Doctor Directory | Incorrect Privilege Assignment vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Privilege Escalation. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69183 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins–Hospital Doctor Directory | Missing Authorization vulnerability in e-plugins Hospital Doctor Directory hospital-doctor-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hospital Doctor Directory: from n/a through <= 1.3.9. | 2026-01-22 | not yet calculated | CVE-2025-69186 | https://patchstack.com/database/Wordpress/Plugin/hospital-doctor-directory/vulnerability/wordpress-hospital-doctor-directory-plugin-1-3-9-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-68059 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins–Hotel Listing | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in e-plugins Hotel Listing hotel-listing allows Reflected XSS. This issue affects Hotel Listing: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-69056 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| e-plugins–Hotel Listing | Missing Authorization vulnerability in e-plugins Hotel Listing hotel-listing allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hotel Listing: from n/a through <= 1.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69185 | https://patchstack.com/database/Wordpress/Plugin/hotel-listing/vulnerability/wordpress-hotel-listing-plugin-1-4-2-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-68058 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability-2?_s_id=cve |
| e-plugins–Institutions Directory | Incorrect Privilege Assignment vulnerability in e-plugins Institutions Directory institutions-directory allows Privilege Escalation. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69182 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins–Institutions Directory | Missing Authorization vulnerability in e-plugins Institutions Directory institutions-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Institutions Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69184 | https://patchstack.com/database/Wordpress/Plugin/institutions-directory/vulnerability/wordpress-institutions-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Lawyer Directory | Incorrect Privilege Assignment vulnerability in e-plugins Lawyer Directory lawyer-directory allows Privilege Escalation. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67966 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-privilege-escalation-vulnerability?_s_id=cve |
| e-plugins–Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-67967 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Lawyer Directory | Missing Authorization vulnerability in e-plugins Lawyer Directory lawyer-directory allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Lawyer Directory: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69181 | https://patchstack.com/database/Wordpress/Plugin/lawyer-directory/vulnerability/wordpress-lawyer-directory-plugin-1-3-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Listihub | Missing Authorization vulnerability in e-plugins Listihub listihub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Listihub: from n/a through <= 1.0.6. | 2026-01-22 | not yet calculated | CVE-2025-69190 | https://patchstack.com/database/Wordpress/Theme/listihub/vulnerability/wordpress-listihub-theme-1-0-6-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–ListingHub | Missing Authorization vulnerability in e-plugins ListingHub listinghub allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ListingHub: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-69191 | https://patchstack.com/database/Wordpress/Plugin/listinghub/vulnerability/wordpress-listinghub-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–Real Estate Pro | Missing Authorization vulnerability in e-plugins Real Estate Pro real-estate-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Real Estate Pro: from n/a through <= 2.1.5. | 2026-01-22 | not yet calculated | CVE-2025-69192 | https://patchstack.com/database/Wordpress/Plugin/real-estate-pro/vulnerability/wordpress-real-estate-pro-plugin-2-1-5-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–WP Membership | Missing Authorization vulnerability in e-plugins WP Membership wp-membership allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69193 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-broken-access-control-vulnerability?_s_id=cve |
| e-plugins–WP Membership | Incorrect Privilege Assignment vulnerability in e-plugins WP Membership wp-membership allows Privilege Escalation. This issue affects WP Membership: from n/a through <= 1.6.4. | 2026-01-22 | not yet calculated | CVE-2025-69292 | https://patchstack.com/database/Wordpress/Plugin/wp-membership/vulnerability/wordpress-wp-membership-plugin-1-6-4-privilege-escalation-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart–Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24580 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve |
| Ecwid by Lightspeed Ecommerce Shopping Cart–Ecwid Shopping Cart | Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5. | 2026-01-23 | not yet calculated | CVE-2026-24613 | https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve |
| Edge-Themes–Eldon | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Edge-Themes Eldon eldon allows PHP Local File Inclusion. This issue affects Eldon: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-69057 | https://patchstack.com/database/Wordpress/Theme/eldon/vulnerability/wordpress-eldon-theme-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Edge-Themes–Overworld | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Edge-Themes Overworld overworld allows PHP Local File Inclusion. This issue affects Overworld: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-69050 | https://patchstack.com/database/Wordpress/Theme/overworld/vulnerability/wordpress-overworld-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes–Laurent | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Elated-Themes Laurent laurent allows PHP Local File Inclusion. This issue affects Laurent: from n/a through <= 3.1. | 2026-01-23 | not yet calculated | CVE-2026-24609 | https://patchstack.com/database/Wordpress/Theme/laurent/vulnerability/wordpress-laurent-theme-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes–Laurent Core | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Elated-Themes Laurent Core laurent-core allows PHP Local File Inclusion. This issue affects Laurent Core: from n/a through <= 2.4.1. | 2026-01-23 | not yet calculated | CVE-2026-24608 | https://patchstack.com/database/Wordpress/Plugin/laurent-core/vulnerability/wordpress-laurent-core-plugin-2-4-1-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes–Search & Go | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Elated-Themes Search & Go search-and-go allows PHP Local File Inclusion. This issue affects Search & Go: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69005 | https://patchstack.com/database/Wordpress/Theme/search-and-go/vulnerability/wordpress-search-go-theme-2-8-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes–Sweet Jane | Authorization Bypass Through User-Controlled Key vulnerability in Elated-Themes Sweet Jane sweetjane allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sweet Jane: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22426 | https://patchstack.com/database/Wordpress/Theme/sweetjane/vulnerability/wordpress-sweet-jane-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Elated-Themes–Töbel | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Elated-Themes Töbel tobel allows PHP Local File Inclusion. This issue affects Töbel: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-69049 | https://patchstack.com/database/Wordpress/Theme/tobel/vulnerability/wordpress-toebel-theme-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| Elated-Themes–The Aisle | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Elated-Themes The Aisle theaisle allows PHP Local File Inclusion. This issue affects The Aisle: from n/a through < 2.9.1. | 2026-01-22 | not yet calculated | CVE-2025-67941 | https://patchstack.com/database/Wordpress/Theme/theaisle/vulnerability/wordpress-the-aisle-theme-2-9-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader–Element Invader – Template Kits for Elementor | Missing Authorization vulnerability in Element Invader Element Invader – Template Kits for Elementor elementinvader allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Element Invader – Template Kits for Elementor: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2026-24386 | https://patchstack.com/database/Wordpress/Plugin/elementinvader/vulnerability/wordpress-element-invader-template-kits-for-elementor-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Enel X–JuiceBox 40 | Enel X JuiceBox 40 Telnet Service Missing Authentication Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Enel X JuiceBox 40 charging stations. Authentication is not required to exploit this vulnerability. The specific flaw exists within the telnet service, which listens on TCP port 2000 by default. The issue results from the lack of authentication prior to allowing remote connections. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-23285. | 2026-01-23 | not yet calculated | CVE-2026-0778 | ZDI-26-041 |
| esphome–esphome | ESPHome is a system to control microcontrollers remotely through Home Automation systems. In versions 2025.9.0 through 2025.12.6, an integer overflow in the API component’s protobuf decoder allows denial-of-service attacks when API encryption is not used. The bounds check `ptr + field_length > end` in `components/api/proto.cpp` can overflow when a malicious client sends a large `field_length` value. This affects all ESPHome device platforms (ESP32, ESP8266, RP2040, LibreTiny). The overflow bypasses the out-of-bounds check, causing the device to read invalid memory and crash. When using the plaintext API protocol, this attack can be performed without authentication. When noise encryption is enabled, knowledge of the encryption key is required. Users should upgrade to ESPHome 2025.12.7 or later to receive a patch, enable API encryption with a unique key per device, and follow the Security Best Practices. | 2026-01-19 | not yet calculated | CVE-2026-23833 | https://github.com/esphome/esphome/security/advisories/GHSA-4h3h-63v6-88qx https://github.com/esphome/esphome/pull/13306 https://github.com/esphome/esphome/commit/69d7b6e9210390051318bd8e6410727689de08d6 https://esphome.io/guides/security_best_practices |
| Essekia–Tablesome | Missing Authorization vulnerability in Essekia Tablesome tablesome allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tablesome: from n/a through <= 1.1.35.2. | 2026-01-23 | not yet calculated | CVE-2026-24524 | https://patchstack.com/database/Wordpress/Plugin/tablesome/vulnerability/wordpress-tablesome-plugin-1-1-35-2-broken-access-control-vulnerability?_s_id=cve |
| Event Espresso–Event Espresso 4 Decaf | Missing Authorization vulnerability in Event Espresso Event Espresso 4 Decaf event-espresso-decaf allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Event Espresso 4 Decaf: from n/a through <= 5.0.37.decaf. | 2026-01-22 | not yet calculated | CVE-2025-68007 | https://patchstack.com/database/Wordpress/Plugin/event-espresso-decaf/vulnerability/wordpress-event-espresso-4-decaf-plugin-5-0-37-decaf-settings-change-vulnerability?_s_id=cve |
| EVerest–everest-core | EVerest is an EV charging software stack. Prior to version 2025.12.0, `is_message_crc_correct` in the DZG_GSH01 powermeter SLIP parser reads `vec[vec.size()-1]` and `vec[vec.size()-2]` without checking that at least two bytes are present. Malformed SLIP frames on the serial link can reach `is_message_crc_correct` with `vec.size() < 2` (only via the multi-message path), causing an out-of-bounds read before CRC verification and `pop_back` underflow. Therefore, an attacker controlling the serial input can reliably crash the process. Version 2025.12.0 fixes the issue. | 2026-01-21 | not yet calculated | CVE-2025-68132 | https://github.com/EVerest/everest-core/security/advisories/GHSA-79gc-m8w6-9hx5 https://github.com/EVerest/everest-core/commit/b8139b95144e3fe0082789b7fafe4e532ee494a1 |
| ExpressTech Systems–Quiz And Survey Master | Missing Authorization vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Quiz And Survey Master: from n/a through <= 10.3.3. | 2026-01-22 | not yet calculated | CVE-2026-24358 | https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-3-broken-access-control-vulnerability?_s_id=cve |
| expresstechsoftware–MemberPress Discord Addon | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in expresstechsoftware MemberPress Discord Addon expresstechsoftwares-memberpress-discord-add-on allows Reflected XSS. This issue affects MemberPress Discord Addon: from n/a through <= 1.1.4. | 2026-01-22 | not yet calculated | CVE-2025-68838 | https://patchstack.com/database/Wordpress/Plugin/expresstechsoftwares-memberpress-discord-add-on/vulnerability/wordpress-memberpress-discord-addon-plugin-1-1-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| external-secrets–external-secrets | External Secrets Operator reads information from a third-party service and automatically injects the values as Kubernetes Secrets. Starting in version 0.20.2 and prior to version 1.2.0, the `getSecretKey` template function, although introduced for the senhasegura DevOps Secrets Management (DSM) provider, can fetch secrets across namespaces using the RoleBinding of the external-secrets controller, bypassing the operator's security mechanisms. This function was completely removed in version 1.2.0, as everything done with that templating function can be done in a different way while respecting External Secrets Operator's safeguards. As a workaround, use a Kubernetes policy engine such as Kyverno, Kubewarden, or OPA to prevent the usage of `getSecretKey` in any ExternalSecret resource. | 2026-01-21 | not yet calculated | CVE-2026-22822 | https://github.com/external-secrets/external-secrets/security/advisories/GHSA-77v3-r3jw-j2v2 https://github.com/external-secrets/external-secrets/issues/5690 https://github.com/external-secrets/external-secrets/pull/3895 https://github.com/external-secrets/external-secrets/commit/17d3e22b8d3fbe339faf8515a95ec06ec92b1feb https://github.com/external-secrets/external-secrets/releases/tag/v1.2.0 |
| extremeidea–bidorbuy Store Integrator | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in extremeidea bidorbuy Store Integrator bidorbuystoreintegrator allows Reflected XSS. This issue affects bidorbuy Store Integrator: from n/a through <= 2.12.0. | 2026-01-22 | not yet calculated | CVE-2025-68883 | https://patchstack.com/database/Wordpress/Plugin/bidorbuystoreintegrator/vulnerability/wordpress-bidorbuy-store-integrator-plugin-2-12-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Farost–Energia | Unrestricted Upload of File with Dangerous Type vulnerability in Farost Energia energia allows Upload a Web Shell to a Web Server. This issue affects Energia: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-50002 | https://patchstack.com/database/Wordpress/Theme/energia/vulnerability/wordpress-energia-theme-1-1-2-arbitrary-file-upload-vulnerability?_s_id=cve |
| favethemes–Homey Core | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in favethemes Homey Core homey-core allows Reflected XSS. This issue affects Homey Core: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67964 | https://patchstack.com/database/Wordpress/Plugin/homey-core/vulnerability/wordpress-homey-core-plugin-2-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| favethemes–Houzez Theme – Functionality | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in favethemes Houzez Theme – Functionality houzez-theme-functionality allows Stored XSS. This issue affects Houzez Theme – Functionality: from n/a through <= 4.2.6. | 2026-01-22 | not yet calculated | CVE-2026-24355 | https://patchstack.com/database/Wordpress/Plugin/houzez-theme-functionality/vulnerability/wordpress-houzez-theme-functionality-plugin-4-2-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FireStorm Plugins–FireStorm Professional Real Estate | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in FireStorm Plugins FireStorm Professional Real Estate fs-real-estate-plugin allows Blind SQL Injection. This issue affects FireStorm Professional Real Estate: from n/a through <= 2.7.11. | 2026-01-22 | not yet calculated | CVE-2026-22470 | https://patchstack.com/database/Wordpress/Plugin/fs-real-estate-plugin/vulnerability/wordpress-firestorm-professional-real-estate-plugin-2-7-11-sql-injection-vulnerability?_s_id=cve |
| fleetdm–fleet | fleetdm/fleet is open source device management software. Prior to versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, if Windows MDM is enabled, an unauthenticated attacker can exploit a cross-site scripting (XSS) vulnerability to steal a Fleet administrator’s authentication token (FLEET::auth_token) from localStorage. This could allow unauthorized access to Fleet, including administrative access, visibility into device data, and modification of configuration. Versions 4.78.2, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-22808 | https://github.com/fleetdm/fleet/security/advisories/GHSA-gfpw-jgvr-cw4j |
| fleetdm–fleet | Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed any authenticated user, regardless of role and including the lowest-privilege “Observer” role, to access Fleet’s debug/pprof endpoints. Low-privilege users could therefore view sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, put the debug/pprof endpoints behind an IP allowlist as a workaround. | 2026-01-21 | not yet calculated | CVE-2026-23517 | https://github.com/fleetdm/fleet/security/advisories/GHSA-4r5r-ccr6-q6f6 https://github.com/fleetdm/fleet/commit/5c030e32a3a9bc512355b5e1bf19636e4e6d0317 |
| fleetdm–fleet | Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet’s Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM. | 2026-01-21 | not yet calculated | CVE-2026-23518 | https://github.com/fleetdm/fleet/security/advisories/GHSA-63m5-974w-448v https://github.com/fleetdm/fleet/commit/e225ef57912c8f4ac8977e24b5ebe1d9fd875257 |
| flexostudio–flexo-posts-manager | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in flexostudio flexo-posts-manager flexo-posts-manager allows Reflected XSS. This issue affects flexo-posts-manager: from n/a through <= 1.0001. | 2026-01-22 | not yet calculated | CVE-2025-52762 | https://patchstack.com/database/Wordpress/Plugin/flexo-posts-manager/vulnerability/wordpress-flexo-posts-manager-plugin-1-0001-cross-site-scripting-xss-vulnerability?_s_id=cve |
| FmeAddons–Registration & Login with Mobile Phone Number for WooCommerce | Missing Authorization vulnerability in FmeAddons Registration & Login with Mobile Phone Number for WooCommerce registration-login-with-mobile-phone-number allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Registration & Login with Mobile Phone Number for WooCommerce: from n/a through <= 1.3.1. | 2026-01-22 | not yet calculated | CVE-2025-69052 | https://patchstack.com/database/Wordpress/Plugin/registration-login-with-mobile-phone-number/vulnerability/wordpress-registration-login-with-mobile-phone-number-for-woocommerce-plugin-1-2-9-broken-access-control-vulnerability?_s_id=cve |
| FooEvents–FooEvents for WooCommerce | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in FooEvents FooEvents for WooCommerce fooevents allows SQL Injection. This issue affects FooEvents for WooCommerce: from n/a through <= 1.20.4. | 2026-01-22 | not yet calculated | CVE-2025-69045 | https://patchstack.com/database/Wordpress/Plugin/fooevents/vulnerability/wordpress-fooevents-for-woocommerce-plugin-1-20-4-sql-injection-vulnerability?_s_id=cve |
| foreverpinetree–TheNa | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in foreverpinetree TheNa thena allows Reflected XSS. This issue affects TheNa: from n/a through <= 1.5.5. | 2026-01-22 | not yet calculated | CVE-2025-67614 | https://patchstack.com/database/Wordpress/Theme/thena/vulnerability/wordpress-thena-theme-1-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Foundation Agents–MetaGPT | Foundation Agents MetaGPT deserialize_message Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the deserialize_message function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28121. | 2026-01-23 | not yet calculated | CVE-2026-0760 | ZDI-26-026 |
| Foundation Agents–MetaGPT | Foundation Agents MetaGPT actionoutput_str_to_mapping Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Foundation Agents MetaGPT. Authentication is not required to exploit this vulnerability. The specific flaw exists within the actionoutput_str_to_mapping function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28124. | 2026-01-23 | not yet calculated | CVE-2026-0761 | ZDI-26-027 |
| Framelink–Figma MCP Server | Framelink Figma MCP Server fetchWithRetry Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Framelink Figma MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the fetchWithRetry method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27877. | 2026-01-23 | not yet calculated | CVE-2025-15061 | ZDI-25-1197 vendor-provided URL |
| Frank Corso–Quote Master | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Frank Corso Quote Master quote-master allows Reflected XSS. This issue affects Quote Master: from n/a through <= 7.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68849 | https://patchstack.com/database/Wordpress/Plugin/quote-master/vulnerability/wordpress-quote-master-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| franklioxygen–MyTube | MyTube is a self-hosted downloader and player for several video websites. Versions 1.7.78 and below do not safeguard against authorization bypass, allowing guest users to download the complete application database. The application fails to properly validate user permissions on the database export endpoint, enabling low-privileged users to access sensitive data they should not have permission to view. | 2026-01-23 | not yet calculated | CVE-2026-24139 | https://github.com/franklioxygen/MyTube/security/advisories/GHSA-hhc3-8q8c-89q7 https://github.com/franklioxygen/MyTube/commit/e271775e27d51b26e54731b7b874447f47a1f280 |
| Free5GC–Free5GC | An issue was discovered in free5GC NRF 1.4.0. In the access-token generation logic, the AccessTokenScopeCheck() function in internal/sbi/processor/access_token.go skips all scope validation when the request carries a crafted targetNF value, so an attacker can obtain an access token with any arbitrary scope. | 2026-01-23 | not yet calculated | CVE-2025-66719 | https://github.com/free5gc/free5gc/issues/736 https://github.com/free5gc/nrf/pull/73 |
| Free5GC–Free5GC | Null pointer dereference in free5GC PCF 1.4.0, in the HandleDeletePoliciesPolAssoId function in internal/sbi/processor/ampolicy.go. | 2026-01-23 | not yet calculated | CVE-2025-66720 | https://github.com/free5gc/free5gc/issues/726 https://github.com/free5gc/pcf/pull/57 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `freerdp_bitmap_decompress_planar` does not validate `nSrcWidth`/`nSrcHeight` against `planar->maxWidth`/`maxHeight` before RLE decode. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23530 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-r4hv-852m-fq7p https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1689-L1696 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L1713-L1716 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/planar.c#L951-L953 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, in ClearCodec, when `glyphData` is present, `clear_decompress` calls `freerdp_image_copy_no_overlap` without validating the destination rectangle, allowing an out-of-bounds read/write via crafted RDPGFX surface updates. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23531 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-xj5h-9cr5-23c5 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L1139-L1145 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the FreeRDP client’s `gdi_SurfaceToSurface` path due to a mismatch between destination rectangle clamping and the actual copy size. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23532 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-fq8c-87hj-7gvr https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/gdi/gfx.c#L1368-L1382 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the RDPGFX ClearCodec decode path when maliciously crafted residual data causes out-of-bounds writes during color output. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23533 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-32q9-m5qr-9j2v https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L268-L281 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L336 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, a client-side heap buffer overflow occurs in the ClearCodec bands decode path when crafted band coordinates allow writes past the end of the destination surface buffer. A malicious server can trigger a client‑side heap buffer overflow, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23534 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-3frr-mp8w-4599 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L878-L879 https://github.com/FreeRDP/FreeRDP/blob/38514dfa5813aa945a86cfbcec279033f8394468/libfreerdp/codec/clear.c#L883-L884 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, FastGlyph parsing trusts `cbData`/remaining length and never validates against the minimum size implied by `cx/cy`. A malicious server can trigger a client‑side global buffer overflow, causing a crash (DoS). Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23732 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-7qxp-j2fj-c3pp https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/cache/glyph.c#L463-L480 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/codec/color.c#L261-L277 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/graphics.c#L138 https://github.com/FreeRDP/FreeRDP/blob/f96ee2a6dd02739325c2a4e36a14978b561f00ea/libfreerdp/core/orders.c#L2186C17-L2199 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, `xf_Pointer_New` frees `cursorPixels` on failure, then `pointer_free` calls `xf_Pointer_Free`, which frees it again; ASan reports the result as a use-after-free. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23883 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-qcrr-85qx-4p6x https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L312-L319 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/client/X11/xf_graphics.c#L340 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/pointer.c#L164-L174 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| FreeRDP–FreeRDP | FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.21.0, offscreen bitmap deletion leaves `gdi->drawing` pointing to freed memory, causing UAF when related update packets arrive. A malicious server can trigger a client‑side use after free, causing a crash (DoS) and potential heap corruption with code‑execution risk depending on allocator behavior and surrounding heap layout. Version 3.21.0 contains a patch for the issue. | 2026-01-19 | not yet calculated | CVE-2026-23884 | https://github.com/FreeRDP/FreeRDP/security/advisories/GHSA-cfgj-vc84-f3pp https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L114-L122 https://github.com/FreeRDP/FreeRDP/blob/3370e30e92a021eb680892dda14d642bc8b8727c/libfreerdp/cache/offscreen.c#L87-L91 https://github.com/FreeRDP/FreeRDP/releases/tag/3.21.0 |
| Fsas Technologies Inc.–ServerView Agents for Windows | The installer of ServerView Agents for Windows provided by Fsas Technologies Inc. may insecurely load Dynamic Link Libraries. Arbitrary code may be executed with the administrator privilege when the installer is executed. | 2026-01-21 | not yet calculated | CVE-2026-24016 | https://www.fsastech.com/ja-jp/resources/security/2026/0121.html https://jvn.jp/en/jp/JVN65211823/ |
| fuelthemes–North | Deserialization of Untrusted Data vulnerability in fuelthemes North north-wp allows Object Injection. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69099 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-php-object-injection-vulnerability?_s_id=cve |
| fuelthemes–North | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in fuelthemes North north-wp allows PHP Local File Inclusion. This issue affects North: from n/a through <= 5.7.5. | 2026-01-22 | not yet calculated | CVE-2025-69100 | https://patchstack.com/database/Wordpress/Theme/north-wp/vulnerability/wordpress-north-theme-5-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes–Werkstatt | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in fuelthemes Werkstatt werkstatt allows PHP Local File Inclusion. This issue affects Werkstatt: from n/a through < 4.8.3. | 2026-01-22 | not yet calculated | CVE-2025-69314 | https://patchstack.com/database/Wordpress/Theme/werkstatt/vulnerability/wordpress-werkstatt-theme-4-8-3-local-file-inclusion-vulnerability?_s_id=cve |
| fuelthemes–WerkStatt Plugin | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in fuelthemes WerkStatt Plugin werkstatt-plugin allows PHP Local File Inclusion. This issue affects WerkStatt Plugin: from n/a through <= 1.6.6. | 2026-01-22 | not yet calculated | CVE-2025-63017 | https://patchstack.com/database/Wordpress/Plugin/werkstatt-plugin/vulnerability/wordpress-werkstatt-plugin-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| garidium–g-FFL Checkout | Unrestricted Upload of File with Dangerous Type vulnerability in garidium g-FFL Checkout g-ffl-checkout allows Upload a Web Shell to a Web Server. This issue affects g-FFL Checkout: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-68001 | https://patchstack.com/database/Wordpress/Plugin/g-ffl-checkout/vulnerability/wordpress-g-ffl-checkout-plugin-2-1-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Gemini MCP Tool–gemini-mcp-tool | gemini-mcp-tool execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of gemini-mcp-tool. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27783. | 2026-01-23 | not yet calculated | CVE-2026-0755 | ZDI-26-021 |
| gemsloyalty–gemsloyalty | A vulnerability in the PHP backend of gemsloyalty.aptsys.com.sg through 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52022 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty–gemsloyalty | A vulnerability in the PHP backend of gemscms.aptsys.com.sg through 2025-05-28 allows unauthenticated remote attackers to trigger detailed error messages that disclose internal file paths, code snippets, and stack traces. This occurs when specially crafted HTTP GET/POST requests are sent to public API endpoints, exposing potentially sensitive information useful for further exploitation. This issue is classified under CWE-209: Information Exposure Through an Error Message. | 2026-01-23 | not yet calculated | CVE-2025-52023 | http://aptsys.com http://gemscms.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty–gemsloyalty | A vulnerability exists in the Aptsys POS Platform Web Services module through 2025-05-28, which exposes internal API testing tools to unauthenticated users. By accessing specific URLs, an attacker is presented with a directory-style index listing all available backend services and POS web services, each with an HTML form for submitting test input. These panels are intended for developer use, but are accessible in production environments with no authentication or session validation. This grants any external actor the ability to discover, test, and execute API endpoints that perform critical functions including but not limited to user transaction retrieval, credit adjustments, POS actions, and internal data queries. | 2026-01-23 | not yet calculated | CVE-2025-52024 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| gemsloyalty–gemsloyalty | An SQL Injection vulnerability exists in the GetServiceByRestaurantID endpoint of the Aptsys gemscms POS Platform backend through 2025-05-28. The vulnerability arises because user input is inserted directly into a dynamic SQL query without proper sanitization or parameterization. This allows an attacker to inject and execute arbitrary SQL code by submitting crafted input in the id parameter, leading to unauthorized data access or modification. | 2026-01-23 | not yet calculated | CVE-2025-52025 | http://aptsys.com https://gist.github.com/ReverseThatApp/4a6be2b9b2ba39d38c35c8753e0afd39 |
| Genetech Products–Pie Register | Missing Authorization vulnerability in Genetech Products Pie Register pie-register allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Pie Register: from n/a through <= 3.8.4.7. | 2026-01-23 | not yet calculated | CVE-2026-24577 | https://patchstack.com/database/Wordpress/Plugin/pie-register/vulnerability/wordpress-pie-register-plugin-3-8-4-7-broken-access-control-vulnerability?_s_id=cve |
| GetSimple CMS–My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. | 2026-01-21 | not yet calculated | CVE-2021-47778 | ExploitDB-49774 Vendor Homepage GetSimple CMS GitHub Repository Full Disclosure Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 – PHP Code Injection |
| getarcaneapp–arcane | Arcane is an interface for managing Docker containers, images, networks, and volumes. Prior to version 1.13.2, unauthenticated requests could be proxied to remote environment agents, allowing access to remote environment resources without authentication. The environment proxy middleware handled `/api/environments/{id}/…` requests for remote environments before authentication was enforced. When the environment ID was not local, the middleware proxied the request and attached the manager-held agent token, even if the caller was unauthenticated. This enabled unauthenticated access to remote environment operations (e.g., listing containers, streaming logs, or other agent endpoints). An unauthenticated attacker could access and manipulate remote environment resources via the proxy, potentially leading to data exposure, unauthorized changes, or service disruption. Version 1.13.2 patches the vulnerability. | 2026-01-19 | not yet calculated | CVE-2026-23944 | https://github.com/getarcaneapp/arcane/security/advisories/GHSA-2jv8-39rp-cqqr https://github.com/getarcaneapp/arcane/pull/1532 https://github.com/getarcaneapp/arcane/commit/2008e1b93b25d0c4c3fff3af07843766231614eb https://github.com/getarcaneapp/arcane/releases/tag/v1.13.2 |
| GetSimple CMS–My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2021-47830 | ExploitDB-49774 ExploitDB-49798 GetSimple CMS Webpage GetSimple CMS GitHub Repository VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.1 – CSRF |
| GetSimple CMS–My SMTP Contact Plugin | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator’s browser when visiting a malicious page. | 2026-01-21 | not yet calculated | CVE-2021-47870 | Full Disclosure Repository Vendor Homepage GetSimple CMS GitHub Repository ExploitDB-49798 VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 – Stored XSS |
| GIMP–GIMP | GIMP PSP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of PSP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28232. | 2026-01-23 | not yet calculated | CVE-2025-15059 | ZDI-25-1196 vendor-provided URL |
| Gitea–Gitea Open Source Git Server | Gitea may send release notification emails for private repositories to users whose access has been revoked. When a repository is changed from public to private, users who previously watched the repository may continue to receive release notifications, potentially disclosing release titles, tags, and content. | 2026-01-22 | not yet calculated | CVE-2026-0798 | GitHub Security Advisory GitHub Pull Request #36319 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly verify repository context when deleting attachments. A user who previously uploaded an attachment to a repository may be able to delete it after losing access to that repository by making the request through a different repository they can access. | 2026-01-22 | not yet calculated | CVE-2026-20736 | GitHub Security Advisory GitHub Pull Request #36320 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly validate project ownership in organization project operations. A user with project write access in one organization may be able to modify projects belonging to a different organization. | 2026-01-22 | not yet calculated | CVE-2026-20750 | GitHub Security Advisory GitHub Pull Request #36318 GitHub Pull Request #36373 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea’s notification API does not re-validate repository access permissions when returning notification details. After a user’s access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications. | 2026-01-22 | not yet calculated | CVE-2026-20800 | GitHub Security Advisory GitHub Pull Request #36339 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea’s stopwatch API does not re-validate repository access permissions. After a user’s access to a private repository is revoked, they may still view issue titles and repository names through previously started stopwatches. | 2026-01-22 | not yet calculated | CVE-2026-20883 | GitHub Security Advisory GitHub Pull Request #36340 GitHub Pull Request #36368 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users. | 2026-01-22 | not yet calculated | CVE-2026-20888 | GitHub Security Advisory GitHub Pull Request #36341 GitHub Pull Request #36356 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly validate repository ownership when deleting Git LFS locks. A user with write access to one repository may be able to delete LFS locks belonging to other repositories. | 2026-01-22 | not yet calculated | CVE-2026-20897 | GitHub Security Advisory GitHub Pull Request #36344 GitHub Pull Request #36349 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly validate ownership when toggling OpenID URI visibility. An authenticated user may be able to change the visibility settings of other users’ OpenID identities. | 2026-01-22 | not yet calculated | CVE-2026-20904 | GitHub Security Advisory GitHub Pull Request #36346 GitHub Pull Request #36361 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| Gitea–Gitea Open Source Git Server | Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users. | 2026-01-22 | not yet calculated | CVE-2026-20912 | GitHub Security Advisory GitHub Pull Request #36320 GitHub Pull Request #36355 Gitea v1.25.4 Release Gitea v1.25.4 Release Blog Post |
| github-kanban-mcp-server–github-kanban-mcp-server | github-kanban-mcp-server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of github-kanban-mcp-server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the create_issue parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27784. | 2026-01-23 | not yet calculated | CVE-2026-0756 | ZDI-26-022 |
| GLS–GLS Shipping for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in GLS GLS Shipping for WooCommerce gls-shipping-for-woocommerce allows Reflected XSS. This issue affects GLS Shipping for WooCommerce: from n/a through <= 1.4.0. | 2026-01-22 | not yet calculated | CVE-2025-68011 | https://patchstack.com/database/Wordpress/Plugin/gls-shipping-for-woocommerce/vulnerability/wordpress-gls-shipping-for-woocommerce-plugin-1-3-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| goalthemes–Bailly | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Bailly bailly allows PHP Local File Inclusion. This issue affects Bailly: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-69039 | https://patchstack.com/database/Wordpress/Theme/bailly/vulnerability/wordpress-bailly-theme-1-3-4-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Bfres | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Bfres bfres allows PHP Local File Inclusion. This issue affects Bfres: from n/a through <= 1.2.1. | 2026-01-22 | not yet calculated | CVE-2025-69040 | https://patchstack.com/database/Wordpress/Theme/bfres/vulnerability/wordpress-bfres-theme-1-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Dekoro | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Dekoro dekoro allows PHP Local File Inclusion. This issue affects Dekoro: from n/a through <= 1.0.7. | 2026-01-22 | not yet calculated | CVE-2025-69041 | https://patchstack.com/database/Wordpress/Theme/dekoro/vulnerability/wordpress-dekoro-theme-1-0-7-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Hyori | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Hyori hyori allows PHP Local File Inclusion. This issue affects Hyori: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69038 | https://patchstack.com/database/Wordpress/Theme/hyori/vulnerability/wordpress-hyori-theme-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Lindo | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Lindo lindo allows PHP Local File Inclusion. This issue affects Lindo: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2025-69042 | https://patchstack.com/database/Wordpress/Theme/lindo/vulnerability/wordpress-lindo-theme-1-2-5-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Pippo | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Pippo pippo allows PHP Local File Inclusion. This issue affects Pippo: from n/a through <= 1.2.3. | 2026-01-22 | not yet calculated | CVE-2025-69037 | https://patchstack.com/database/Wordpress/Theme/pippo/vulnerability/wordpress-pippo-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Rashy | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Rashy rashy allows PHP Local File Inclusion. This issue affects Rashy: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-69043 | https://patchstack.com/database/Wordpress/Theme/rashy/vulnerability/wordpress-rashy-theme-1-1-3-local-file-inclusion-vulnerability?_s_id=cve |
| goalthemes–Vango | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in goalthemes Vango vango allows PHP Local File Inclusion. This issue affects Vango: from n/a through <= 1.3.3. | 2026-01-22 | not yet calculated | CVE-2025-69044 | https://patchstack.com/database/Wordpress/Theme/vango/vulnerability/wordpress-vango-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve |
| Google–Chrome | Out of bounds memory access in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0899 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/458914193 |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0900 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465730465 |
| Google–Chrome | Inappropriate implementation in Blink in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: High) | 2026-01-20 | not yet calculated | CVE-2026-0901 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/40057499 |
| Google–Chrome | Inappropriate implementation in V8 in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0902 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/469143679 |
| Google–Chrome | Inappropriate implementation in Downloads in Google Chrome on Windows prior to 144.0.7559.59 allowed a remote attacker to bypass dangerous file type protections via a malicious file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0903 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444803530 |
| Google–Chrome | Incorrect security UI in Digital Credentials in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0904 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209495 |
| Google–Chrome | Insufficient policy enforcement in Network in Google Chrome prior to 144.0.7559.59 allowed an attacker who obtained a network log file to potentially obtain sensitive information via that network log file. (Chromium security severity: Medium) | 2026-01-20 | not yet calculated | CVE-2026-0905 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/465466773 |
| Google–Chrome | Incorrect security UI in Google Chrome on Android prior to 144.0.7559.59 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0906 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/467448811 |
| Google–Chrome | Incorrect security UI in Split View in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0907 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/444653104 |
| Google–Chrome | Use after free in ANGLE in Google Chrome prior to 144.0.7559.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Low) | 2026-01-20 | not yet calculated | CVE-2026-0908 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_13.html https://issues.chromium.org/issues/452209503 |
| Google–Sentencepiece | Invalid memory access in Sentencepiece versions less than 0.2.1 when using a vulnerable model file, which is not created in the normal training procedure. | 2026-01-22 | not yet calculated | CVE-2026-1260 | https://github.com/google/sentencepiece/releases/tag/v0.2.1 |
| GPT Academic–GPT Academic | GPT Academic stream_daas Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Interaction with a malicious DAAS server is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the stream_daas function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27956. | 2026-01-23 | not yet calculated | CVE-2026-0762 | ZDI-26-028 |
| GPT Academic–GPT Academic | GPT Academic run_in_subprocess_wrapper_func Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the run_in_subprocess_wrapper_func function. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27958. | 2026-01-23 | not yet calculated | CVE-2026-0763 | ZDI-26-029 |
| GPT Academic–GPT Academic | GPT Academic upload Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GPT Academic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the upload endpoint. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27957. | 2026-01-23 | not yet calculated | CVE-2026-0764 | ZDI-26-030 |
| gregmolnar–Simple XML Sitemap | Cross-Site Request Forgery (CSRF) vulnerability in gregmolnar Simple XML Sitemap simple-xml-sitemap allows Stored XSS. This issue affects Simple XML Sitemap: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22355 | https://patchstack.com/database/Wordpress/Plugin/simple-xml-sitemap/vulnerability/wordpress-simple-xml-sitemap-plugin-1-3-csrf-to-stored-xss-vulnerability?_s_id=cve |
| Hangzhou Kuozhi Network Technology Co., Ltd.–EduSoho | EduSoho versions prior to 22.4.7 contain an arbitrary file read vulnerability in the classroom-course-statistics export functionality. A remote, unauthenticated attacker can supply crafted path traversal sequences in the fileNames[] parameter to read arbitrary files from the server filesystem, including application configuration files such as config/parameters.yml that may contain secrets and database credentials. Exploitation evidence was observed by the Shadowserver Foundation on 2026-01-19 (UTC). | 2026-01-22 | not yet calculated | CVE-2023-7335 | https://www.edusoho.com/ https://github.com/edusoho/edusoho/releases/tag/v22.4.7 https://cn-sec.com/archives/2451582.html https://blog.csdn.net/qq_41904294/article/details/135007351 https://github.com/zeroChen00/exp-poc/blob/main/EduSoho%E6%95%99%E5%9F%B9%E7%B3%BB%E7%BB%9Fclassropm-course-statistics%E5%AD%98%E5%9C%A8%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E6%BC%8F%E6%B4%9E.md https://github.com/gobysec/GobyVuls/blob/master/CNVD-2023-03903.md https://www.cnvd.org.cn/flaw/show/CNVD-2023-03903 https://www.vulncheck.com/advisories/edusoho-arbitrary-file-read-via-classroom-course-statistics |
| HappyMonster–Happy Addons for Elementor | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in HappyMonster Happy Addons for Elementor happy-elementor-addons allows Blind SQL Injection. This issue affects Happy Addons for Elementor: from n/a through <= 3.20.4. | 2026-01-22 | not yet calculated | CVE-2025-68999 | https://patchstack.com/database/Wordpress/Plugin/happy-elementor-addons/vulnerability/wordpress-happy-addons-for-elementor-plugin-3-20-4-sql-injection-vulnerability?_s_id=cve |
| Harmonic Design–HD Quiz | Missing Authorization vulnerability in Harmonic Design HD Quiz hd-quiz allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects HD Quiz: from n/a through <= 2.0.9. | 2026-01-23 | not yet calculated | CVE-2026-24544 | https://patchstack.com/database/Wordpress/Plugin/hd-quiz/vulnerability/wordpress-hd-quiz-plugin-2-0-9-broken-access-control-vulnerability?_s_id=cve |
| Harmonic Design–HDForms | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in Harmonic Design HDForms hdforms allows Path Traversal. This issue affects HDForms: from n/a through <= 1.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68912 | https://patchstack.com/database/Wordpress/Plugin/hdforms/vulnerability/wordpress-hdforms-plugin-1-6-1-arbitrary-file-deletion-vulnerability?_s_id=cve |
| hassantafreshi–Easy Form Builder | Missing Authorization vulnerability in hassantafreshi Easy Form Builder easy-form-builder allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Form Builder: from n/a through <= 3.9.6. | 2026-01-22 | not yet calculated | CVE-2026-22472 | https://patchstack.com/database/Wordpress/Plugin/easy-form-builder/vulnerability/wordpress-easy-form-builder-plugin-3-9-4-broken-access-control-vulnerability?_s_id=cve |
| hexpm–hexpm | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in hexpm hexpm/hexpm (‘Elixir.HexpmWeb.SharedAuthorizationView’ modules) allows Cross-Site Scripting (XSS). This vulnerability is associated with program files lib/hexpm_web/views/shared_authorization_view.ex and program routines ‘Elixir.HexpmWeb.SharedAuthorizationView’:render_grouped_scopes/3. This issue affects hexpm: from 617e44c71f1dd9043870205f371d375c5c4d886d before c692438684ead90c3bcbfb9ccf4e63c768c668a8, from pkg:github/hexpm/hexpm@617e44c71f1dd9043870205f371d375c5c4d886d before pkg:github/hexpm/hexpm@c692438684ead90c3bcbfb9ccf4e63c768c668a8; hex.pm: from 2025-10-01 before 2026-01-19. | 2026-01-19 | not yet calculated | CVE-2026-21618 | https://github.com/hexpm/hexpm/security/advisories/GHSA-6cw9-5gg4-rhpj https://github.com/hexpm/hexpm/commit/c692438684ead90c3bcbfb9ccf4e63c768c668a8 |
| highwarden–Super Interactive Maps | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in highwarden Super Interactive Maps super-interactive-maps allows Reflected XSS. This issue affects Super Interactive Maps: from n/a through <= 2.3. | 2026-01-22 | not yet calculated | CVE-2025-49045 | https://patchstack.com/database/Wordpress/Plugin/super-interactive-maps/vulnerability/wordpress-super-interactive-maps-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| highwarden–Super Logos Showcase | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in highwarden Super Logos Showcase superlogoshowcase-wp allows Reflected XSS. This issue affects Super Logos Showcase: from n/a through <= 2.8. | 2026-01-22 | not yet calculated | CVE-2025-69054 | https://patchstack.com/database/Wordpress/Plugin/superlogoshowcase-wp/vulnerability/wordpress-super-logos-showcase-plugin-2-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Horea Radu–Materialis Companion | Missing Authorization vulnerability in Horea Radu Materialis Companion materialis-companion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Materialis Companion: from n/a through <= 1.3.52. | 2026-01-23 | not yet calculated | CVE-2026-24543 | https://patchstack.com/database/Wordpress/Plugin/materialis-companion/vulnerability/wordpress-materialis-companion-plugin-1-3-52-broken-access-control-vulnerability?_s_id=cve |
| horilla-opensource–horilla | Horilla is a free and open source Human Resource Management System (HRMS). A critical File Upload vulnerability in versions prior to 1.5.0, with Social Engineering, allows authenticated users to deploy phishing attacks. By uploading a malicious HTML file disguised as a profile picture, an attacker can create a convincing login page replica that steals user credentials. When a victim visits the uploaded file URL, they see an authentic-looking “Session Expired” message prompting them to re-authenticate. All entered credentials are captured and sent to the attacker’s server, enabling Account Takeover. Version 1.5.0 patches the issue. | 2026-01-22 | not yet calculated | CVE-2026-24010 | https://github.com/horilla-opensource/horilla/security/advisories/GHSA-5jfv-gw8w-49h3 https://github.com/horilla-opensource/horilla/releases/tag/1.5.0 |
| Hossni Mubarak–JobWP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Hossni Mubarak JobWP jobwp allows Stored XSS. This issue affects JobWP: from n/a through <= 2.4.5. | 2026-01-22 | not yet calculated | CVE-2025-69318 | https://patchstack.com/database/Wordpress/Plugin/jobwp/vulnerability/wordpress-jobwp-plugin-2-4-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Hotwired Turbo–Hotwire Turbo | Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers. | 2026-01-20 | not yet calculated | CVE-2025-66803 | https://github.com/hotwired/turbo/pull/1399 https://turbo.hotwired.dev/handbook/frames https://github.com/hotwired/turbo/security/advisories/GHSA-qppm-g56g-fpvp |
| Hubitat–Elevation C3 | An Authorization Bypass Through User-Controlled Key vulnerability in Hubitat Elevation home automation controllers prior to version 2.4.2.157 could allow a remote authenticated user to control connected devices outside of their authorized scope via client-side request manipulation. | 2026-01-22 | not yet calculated | CVE-2026-1201 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-06 |
| Hyyan Abo Fakher–Hyyan WooCommerce Polylang Integration | Missing Authorization vulnerability in Hyyan Abo Fakher Hyyan WooCommerce Polylang Integration woo-poly-integration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Hyyan WooCommerce Polylang Integration: from n/a through <= 1.5.0. | 2026-01-23 | not yet calculated | CVE-2026-24585 | https://patchstack.com/database/Wordpress/Plugin/woo-poly-integration/vulnerability/wordpress-hyyan-woocommerce-polylang-integration-plugin-1-5-0-broken-access-control-vulnerability?_s_id=cve |
| Icegram–Icegram | Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. | 2026-01-22 | not yet calculated | CVE-2025-68507 | https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve |
| ichurakov–Paid Downloads | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in ichurakov Paid Downloads paid-downloads allows Blind SQL Injection. This issue affects Paid Downloads: from n/a through <= 3.15. | 2026-01-22 | not yet calculated | CVE-2025-68857 | https://patchstack.com/database/Wordpress/Plugin/paid-downloads/vulnerability/wordpress-paid-downloads-plugin-3-15-sql-injection-vulnerability?_s_id=cve |
| ilmosys–Order Listener for WooCommerce | Missing Authorization vulnerability in ilmosys Order Listener for WooCommerce woc-order-alert allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Order Listener for WooCommerce: from n/a through <= 3.6.1. | 2026-01-22 | not yet calculated | CVE-2025-68018 | https://patchstack.com/database/Wordpress/Plugin/woc-order-alert/vulnerability/wordpress-order-listener-for-woocommerce-plugin-3-6-0-broken-access-control-vulnerability?_s_id=cve |
| Imaginate Solutions–File Uploads Addon for WooCommerce | Missing Authorization vulnerability in Imaginate Solutions File Uploads Addon for WooCommerce woo-addon-uploads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects File Uploads Addon for WooCommerce: from n/a through <= 1.7.3. | 2026-01-23 | not yet calculated | CVE-2026-24625 | https://patchstack.com/database/Wordpress/Plugin/woo-addon-uploads/vulnerability/wordpress-file-uploads-addon-for-woocommerce-plugin-1-7-3-broken-access-control-vulnerability?_s_id=cve |
| Imagination Technologies–Graphics DDK | A web page that contains unusual GPU shader code, loaded from the Internet into the GPU compiler process, triggers a write use-after-free crash in the GPU shader compiler library. On certain platforms, when the compiler process has system privileges, this could enable further exploits on the device. The shader code contained in the web page executes a path in the compiler that held onto an out-of-date pointer to a freed memory object. | 2026-01-24 | not yet calculated | CVE-2025-13952 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imran Emu–Owl Carousel WP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Imran Emu Owl Carousel WP owl-carousel-wp allows Stored XSS. This issue affects Owl Carousel WP: from n/a through <= 2.2.2. | 2026-01-22 | not yet calculated | CVE-2026-22388 | https://patchstack.com/database/Wordpress/Plugin/owl-carousel-wp/vulnerability/wordpress-owl-carousel-wp-plugin-2-2-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| iNET–iNET Webkit | Missing Authorization vulnerability in iNET iNET Webkit inet-webkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects iNET Webkit: from n/a through <= 1.2.4. | 2026-01-23 | not yet calculated | CVE-2026-24566 | https://patchstack.com/database/Wordpress/Plugin/inet-webkit/vulnerability/wordpress-inet-webkit-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| Infility–Infility Global | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.14.50. | 2026-01-22 | not yet calculated | CVE-2025-68864 | https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Inkscape–Inkscape | The macOS version of Inkscape bundles a Python interpreter that inherits the Transparency, Consent, and Control (TCC) permissions granted by the user to the main application bundle. An attacker with local user access can invoke this interpreter with arbitrary commands or scripts, leveraging the application’s previously granted TCC permissions to access the user’s files in privacy-protected folders without triggering user prompts. Accessing other resources beyond the previously granted TCC permissions will prompt the user for approval in the name of Inkscape, potentially disguising the attacker’s malicious intent. This issue has been fixed in Inkscape version 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-15523 | https://inkscape.org/ https://cert.pl/en/posts/2026/01/CVE-2025-15523/ |
| InspiryThemes–Real Homes CRM | Unrestricted Upload of File with Dangerous Type vulnerability in InspiryThemes Real Homes CRM realhomes-crm allows Using Malicious Files. This issue affects Real Homes CRM: from n/a through <= 1.0.0. | 2026-01-22 | not yet calculated | CVE-2025-67968 | https://patchstack.com/database/Wordpress/Plugin/realhomes-crm/vulnerability/wordpress-real-homes-crm-plugin-1-0-0-arbitrary-file-upload-vulnerability?_s_id=cve |
| Intermesh–groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. In versions 6.8.148 and below, and 25.0.1 through 25.0.79, the application stores unsanitized filenames in the database, which can lead to Stored Cross-Site Scripting (XSS). Users who interact with these specially crafted file names within the Group-Office application are affected. While the scope is limited to the file-viewing context, it could still be used to interfere with user sessions or perform unintended actions in the browser. This issue is fixed in versions 6.8.149 and 25.0.80. | 2026-01-21 | not yet calculated | CVE-2026-23887 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-3gj5-gvvr-g6hp https://github.com/Intermesh/groupoffice/commit/3fa40d7edd31fbe33babe07061d5a14ad19ea40f https://github.com/Intermesh/groupoffice/commit/ac91b128157bc9c5ea015b6141ce71cd3bbc43f0 |
| Israpil–Textmetrics | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Israpil Textmetrics webtexttool allows Code Injection. This issue affects Textmetrics: from n/a through <= 3.6.3. | 2026-01-23 | not yet calculated | CVE-2026-24564 | https://patchstack.com/database/Wordpress/Plugin/webtexttool/vulnerability/wordpress-textmetrics-plugin-3-6-3-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| jagdish1o1–Delay Redirects | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in jagdish1o1 Delay Redirects delay-redirects allows DOM-Based XSS. This issue affects Delay Redirects: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24632 | https://patchstack.com/database/Wordpress/Plugin/delay-redirects/vulnerability/wordpress-delay-redirects-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jahid Hasan–Admin login URL Change | Missing Authorization vulnerability in Jahid Hasan Admin login URL Change admin-login-url-change allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Admin login URL Change: from n/a through <= 1.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24578 | https://patchstack.com/database/Wordpress/Plugin/admin-login-url-change/vulnerability/wordpress-admin-login-url-change-plugin-1-1-5-broken-access-control-vulnerability?_s_id=cve |
| Jamf–Jamf Pro | Authentication Bypass by Primary Weakness vulnerability in Jamf Jamf Pro allows unspecified impact. This issue affects Jamf Pro: from 11.20 through 11.24. | 2026-01-21 | not yet calculated | CVE-2026-1290 | https://learn.jamf.com/en-US/bundle/jamf-pro-release-notes-11.24.0/page/Resolved_Issues.html |
| jegtheme–JNews – Frontend Submit | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in jegtheme JNews – Frontend Submit jnews-frontend-submit allows Reflected XSS. This issue affects JNews – Frontend Submit: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68904 | https://patchstack.com/database/Wordpress/Plugin/jnews-frontend-submit/vulnerability/wordpress-jnews-frontend-submit-plugin-11-0-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| jegtheme–JNews – Pay Writer | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in jegtheme JNews – Pay Writer jnews-pay-writer allows PHP Local File Inclusion. This issue affects JNews – Pay Writer: from n/a through <= 11.0.0. | 2026-01-22 | not yet calculated | CVE-2025-68905 | https://patchstack.com/database/Wordpress/Plugin/jnews-pay-writer/vulnerability/wordpress-jnews-pay-writer-plugin-11-0-0-local-file-inclusion-vulnerability?_s_id=cve |
| jegtheme–JNews – Video | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in jegtheme JNews – Video jnews-video allows Reflected XSS. This issue affects JNews – Video: from n/a through <= 11.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68906 | https://patchstack.com/database/Wordpress/Plugin/jnews-video/vulnerability/wordpress-jnews-video-plugin-11-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Johan Jonk Stenström–Cookies and Content Security Policy | Insertion of Sensitive Information Into Sent Data vulnerability in Johan Jonk Stenström Cookies and Content Security Policy cookies-and-content-security-policy allows Retrieve Embedded Sensitive Data. This issue affects Cookies and Content Security Policy: from n/a through <= 2.34. | 2026-01-22 | not yet calculated | CVE-2025-63019 | https://patchstack.com/database/Wordpress/Plugin/cookies-and-content-security-policy/vulnerability/wordpress-cookies-and-content-security-policy-plugin-2-34-sensitive-data-exposure-vulnerability?_s_id=cve |
| John James Jacoby–WP Term Order | Cross-Site Request Forgery (CSRF) vulnerability in John James Jacoby WP Term Order wp-term-order allows Cross Site Request Forgery. This issue affects WP Term Order: from n/a through <= 2.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24542 | https://patchstack.com/database/Wordpress/Plugin/wp-term-order/vulnerability/wordpress-wp-term-order-plugin-2-1-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Jthemes–xSmart | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Jthemes xSmart xsmart allows Reflected XSS. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50006 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Jthemes–xSmart | Incorrect Privilege Assignment vulnerability in Jthemes xSmart xsmart allows Privilege Escalation. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-50007 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-privilege-escalation-vulnerability?_s_id=cve |
| Jthemes–xSmart | Missing Authorization vulnerability in Jthemes xSmart xsmart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects xSmart: from n/a through <= 1.2.9.4. | 2026-01-22 | not yet calculated | CVE-2025-54002 | https://patchstack.com/database/Wordpress/Theme/xsmart/vulnerability/wordpress-xsmart-theme-1-2-9-4-broken-access-control-vulnerability?_s_id=cve |
| JV–HarfBuzz::Shaper | HarfBuzz::Shaper versions before 0.032 for Perl contain a bundled library with a null pointer dereference vulnerability. Versions before 0.032 contain HarfBuzz 8.4.0 or earlier bundled as hb_src.tar.gz in the source tarball, which is affected by CVE-2026-22693. | 2026-01-19 | not yet calculated | CVE-2026-0943 | https://bugzilla.redhat.com/show_bug.cgi?id=2429296 https://www.cve.org/CVERecord?id=CVE-2026-22693 https://metacpan.org/release/JV/HarfBuzz-Shaper-0.032/changes |
| Kaira–Blockons | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kaira Blockons blockons allows Stored XSS. This issue affects Blockons: from n/a through <= 1.2.15. | 2026-01-23 | not yet calculated | CVE-2026-24550 | https://patchstack.com/database/Wordpress/Plugin/blockons/vulnerability/wordpress-blockons-plugin-1-2-15-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kamleshyadav–WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49050 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability-2?_s_id=cve |
| kamleshyadav–WP Lead Capturing Pages | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in kamleshyadav WP Lead Capturing Pages wp-lead-capture allows Blind SQL Injection. This issue affects WP Lead Capturing Pages: from n/a through <= 2.5. | 2026-01-22 | not yet calculated | CVE-2025-49055 | https://patchstack.com/database/Wordpress/Plugin/wp-lead-capture/vulnerability/wordpress-wp-lead-capturing-pages-plugin-2-5-sql-injection-vulnerability?_s_id=cve |
| Kapil Chugh–My Post Order | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kapil Chugh My Post Order my-posts-order allows Reflected XSS. This issue affects My Post Order: from n/a through <= 1.2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-68004 | https://patchstack.com/database/Wordpress/Plugin/my-posts-order/vulnerability/wordpress-my-post-order-plugin-1-2-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Kapil Paul–Payment Gateway bKash for WC | Missing Authorization vulnerability in Kapil Paul Payment Gateway bKash for WC woo-payment-bkash allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Payment Gateway bKash for WC: from n/a through <= 3.1.0. | 2026-01-22 | not yet calculated | CVE-2025-62754 | https://patchstack.com/database/Wordpress/Plugin/woo-payment-bkash/vulnerability/wordpress-payment-gateway-bkash-for-wc-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve |
| Katana Network–Development Starter Kit | Katana Network Development Starter Kit executeCommand Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Katana Network Development Starter Kit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the executeCommand method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27786. | 2026-01-23 | not yet calculated | CVE-2026-0759 | ZDI-26-025 |
| kpdecker–jsdiff | jsdiff is a JavaScript text differencing implementation. Prior to versions 8.0.3, 5.2.2, and 4.0.4, attempting to parse a patch whose filename headers contain the line break characters `\r`, `\u2028`, or `\u2029` can cause the `parsePatch` method to enter an infinite loop. It then consumes memory without limit until the process crashes due to running out of memory. Applications are therefore likely to be vulnerable to a denial-of-service attack if they call `parsePatch` with a user-provided patch as input. A large payload is not needed to trigger the vulnerability, so size limits on user input do not provide any protection. Furthermore, some applications may be vulnerable even when calling `parsePatch` on a patch generated by the application itself if the user is nonetheless able to control the filename headers (e.g. by directly providing the filenames of the files to be diffed). The `applyPatch` method is similarly affected if (and only if) called with a string representation of a patch as an argument, since under the hood it parses that string using `parsePatch`. Other methods of the library are unaffected. Finally, a second and lesser interdependent bug – a ReDoS – also exhibits when those same line break characters are present in a patch’s *patch* header (also known as its “leading garbage”). A maliciously-crafted patch header of length *n* can take `parsePatch` O(*n*³) time to parse. Versions 8.0.3, 5.2.2, and 4.0.4 contain a fix. As a workaround, do not attempt to parse patches that contain any of these characters: `\r`, `\u2028`, or `\u2029`. | 2026-01-22 | not yet calculated | CVE-2026-24001 | https://github.com/kpdecker/jsdiff/security/advisories/GHSA-73rr-hh4g-fpgx https://github.com/kpdecker/jsdiff/issues/653 https://github.com/kpdecker/jsdiff/pull/649 https://github.com/kpdecker/jsdiff/commit/15a1585230748c8ae6f8274c202e0c87309142f5 |
| Kriesi–Enfold | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Kriesi Enfold enfold allows DOM-Based XSS. This issue affects Enfold: from n/a through <= 7.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68900 | https://patchstack.com/database/Wordpress/Theme/enfold/vulnerability/wordpress-enfold-theme-7-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| kutsy–AJAX Hits Counter + Popular Posts Widget | Missing Authorization vulnerability in kutsy AJAX Hits Counter + Popular Posts Widget ajax-hits-counter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects AJAX Hits Counter + Popular Posts Widget: from n/a through <= 0.10.210305. | 2026-01-23 | not yet calculated | CVE-2026-24587 | https://patchstack.com/database/Wordpress/Plugin/ajax-hits-counter/vulnerability/wordpress-ajax-hits-counter-popular-posts-widget-plugin-0-10-210305-broken-access-control-vulnerability?_s_id=cve |
| LambertGroup–Accordion Slider PRO | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Accordion Slider PRO accordion_slider_pro allows Reflected XSS. This issue affects Accordion Slider PRO: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2025-49066 | https://patchstack.com/database/Wordpress/Plugin/accordion_slider_pro/vulnerability/wordpress-accordion-slider-pro-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–HTML5 Video Player | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup HTML5 Video Player lbg-vp2-html5-bottom allows Reflected XSS. This issue affects HTML5 Video Player: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-27005 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-bottom/vulnerability/wordpress-html5-video-player-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–HTML5 Video Player with Playlist & Multiple Skins | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup HTML5 Video Player with Playlist & Multiple Skins lbg-vp2-html5-rightside allows Reflected XSS. This issue affects HTML5 Video Player with Playlist & Multiple Skins: from n/a through <= 5.3.5. | 2026-01-22 | not yet calculated | CVE-2025-32123 | https://patchstack.com/database/Wordpress/Plugin/lbg-vp2-html5-rightside/vulnerability/wordpress-html5-video-player-with-playlist-multiple-skins-plugin-5-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–Image&Video FullScreen Background | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Image&Video FullScreen Background lbg_fullscreen_fullwidth_slider allows Reflected XSS. This issue affects Image&Video FullScreen Background: from n/a through <= 1.6.7. | 2026-01-22 | not yet calculated | CVE-2025-47666 | https://patchstack.com/database/Wordpress/Plugin/lbg_fullscreen_fullwidth_slider/vulnerability/wordpress-image-video-fullscreen-background-plugin-1-6-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–Magic Responsive Slider and Carousel WordPress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Magic Responsive Slider and Carousel WordPress magic_carousel allows Reflected XSS. This issue affects Magic Responsive Slider and Carousel WordPress: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2025-49043 | https://patchstack.com/database/Wordpress/Plugin/magic_carousel/vulnerability/wordpress-magic-responsive-slider-and-carousel-wordpress-plugin-1-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–Magic Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Magic Slider magic_slider allows Reflected XSS. This issue affects Magic Slider: from n/a through <= 2.2. | 2026-01-22 | not yet calculated | CVE-2025-48094 | https://patchstack.com/database/Wordpress/Plugin/magic_slider/vulnerability/wordpress-magic-slider-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–Universal Video Player | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69048 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| LambertGroup–Universal Video Player | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup Universal Video Player universal-video-player allows Reflected XSS. This issue affects Universal Video Player: from n/a through <= 3.8.4. | 2026-01-22 | not yet calculated | CVE-2025-69053 | https://patchstack.com/database/Wordpress/Plugin/universal-video-player/vulnerability/wordpress-universal-video-player-plugin-3-8-4-reflected-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| LambertGroup–xPromoter | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LambertGroup xPromoter top_bar_promoter allows Reflected XSS. This issue affects xPromoter: from n/a through <= 1.3.4. | 2026-01-22 | not yet calculated | CVE-2025-49046 | https://patchstack.com/database/Wordpress/Plugin/top_bar_promoter/vulnerability/wordpress-xpromoter-plugin-1-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Langflow–Langflow | Langflow code Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the code parameter provided to the validate endpoint. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27322. | 2026-01-23 | not yet calculated | CVE-2026-0768 | ZDI-26-034 |
| Langflow–Langflow | Langflow eval_custom_component_code Eval Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the eval_custom_component_code function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-26972. | 2026-01-23 | not yet calculated | CVE-2026-0769 | ZDI-26-035 |
| Langflow–Langflow | Langflow exec_globals Inclusion of Functionality from Untrusted Control Sphere Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the exec_globals parameter provided to the validate endpoint. The issue results from the inclusion of a resource from an untrusted control sphere. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-27325. | 2026-01-23 | not yet calculated | CVE-2026-0770 | ZDI-26-036 |
| Langflow–Langflow | Langflow PythonFunction Code Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Attack vectors and exploitability will vary depending on the configuration of the product. The specific flaw exists within the handling of Python function components. Depending upon product configuration, an attacker may be able to introduce custom Python code into a workflow. An attacker can leverage this vulnerability to execute code in the context of the application. Was ZDI-CAN-27497. | 2026-01-23 | not yet calculated | CVE-2026-0771 | ZDI-26-037 |
| Langflow–Langflow | Langflow Disk Cache Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Langflow. Authentication is required to exploit this vulnerability. The specific flaw exists within the disk cache service. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27919. | 2026-01-23 | not yet calculated | CVE-2026-0772 | ZDI-26-038 |
| langfuse–langfuse | Langfuse is an open source large language model engineering platform. In versions 3.146.0 and below, the /api/public/slack/install endpoint initiates Slack OAuth using a projectId provided by the client without authentication or authorization. The projectId is preserved throughout the OAuth flow, and the callback stores installations based on this untrusted metadata. This allows an attacker to bind their Slack workspace to any project and potentially receive changes to prompts stored in Langfuse Prompt Management. An attacker can replace existing Prompt Slack Automation integrations or pre-register a malicious one, though the latter requires an authenticated user to unknowingly configure it despite visible workspace and channel indicators in the UI. This issue has been fixed in version 3.147.0. | 2026-01-22 | not yet calculated | CVE-2026-24055 | https://github.com/langfuse/langfuse/security/advisories/GHSA-pvq7-vvfj-p98x https://github.com/langfuse/langfuse/commit/3adc89e4d72729eabef55e46888b8ce80a7e3b0a https://github.com/langfuse/langfuse/releases/tag/v3.147.0 https://langfuse.com/docs/prompt-management/features/webhooks-slack-integrations |
| launchinteractive–Merge + Minify + Refresh | Cross-Site Request Forgery (CSRF) vulnerability in launchinteractive Merge + Minify + Refresh merge-minify-refresh allows Cross Site Request Forgery. This issue affects Merge + Minify + Refresh: from n/a through <= 2.14. | 2026-01-22 | not yet calculated | CVE-2026-24384 | https://patchstack.com/database/Wordpress/Plugin/merge-minify-refresh/vulnerability/wordpress-merge-minify-refresh-plugin-2-14-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| LavaLite–LavaLite CMS | LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without proper output encoding in package search results. When other users view search results that include the malicious package, the injected script executes in their browsers, potentially enabling session hijacking, credential theft, and unauthorized actions in the context of the victim. | 2026-01-23 | not yet calculated | CVE-2025-71177 | https://github.com/LavaLite/cms/issues/420 https://lavalite.org/ https://www.vulncheck.com/advisories/lavalite-cms-stored-xss-via-package-creation-and-search |
| LazyCoders LLC–LazyTasks | Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation. This issue affects LazyTasks: from n/a through <= 1.4.01. | 2026-01-22 | not yet calculated | CVE-2025-68869 | https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve |
| Leap13–Premium Addons for Elementor | Missing Authorization vulnerability in Leap13 Premium Addons for Elementor premium-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Premium Addons for Elementor: from n/a through <= 4.11.63. | 2026-01-22 | not yet calculated | CVE-2025-69300 | https://patchstack.com/database/Wordpress/Plugin/premium-addons-for-elementor/vulnerability/wordpress-premium-addons-for-elementor-plugin-4-11-63-settings-change-vulnerability?_s_id=cve |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. Increment the reference count also for non-OF so that the caller can decrement it unconditionally. Note that this is inherently racy just as using the returned I2C device is since nothing is preventing the PHY driver from being unbound while in use. | 2026-01-23 | not yet calculated | CVE-2025-71145 | https://git.kernel.org/stable/c/43e58abad6c08c5f0943594126ef4cd6559aac0b https://git.kernel.org/stable/c/03bbdaa4da8c6ea0c8431a5011db188a07822c8a https://git.kernel.org/stable/c/75c5d9bce072abbbc09b701a49869ac23c34a906 https://git.kernel.org/stable/c/5d3df03f70547d4e3fc10ed4381c052eff51b157 https://git.kernel.org/stable/c/7501ecfe3e5202490c2d13dc7e181203601fcd69 https://git.kernel.org/stable/c/b4b64fda4d30a83a7f00e92a0c8a1d47699609f3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: fix leaked ct in error paths There are some situations where ct might be leaked as error paths are skipping the refcounted check and return immediately. In order to solve it make sure that the check is always called. | 2026-01-23 | not yet calculated | CVE-2025-71146 | https://git.kernel.org/stable/c/08fa37f4c8c59c294e9c18fea2d083ee94074e5a https://git.kernel.org/stable/c/e1ac8dce3a893641bef224ad057932f142b8a36f https://git.kernel.org/stable/c/f381a33f34dda9e4023e38ba68c943bca83245e9 https://git.kernel.org/stable/c/325eb61bb30790ea27782203a17b007ce1754a67 https://git.kernel.org/stable/c/0b88be7211d21a0d68bb1e56dc805944e3654d6f https://git.kernel.org/stable/c/4bd2b89f4028f250dd1c1625eb3da1979b04a5e8 https://git.kernel.org/stable/c/2e2a720766886190a6d35c116794693aabd332b6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KEYS: trusted: Fix a memory leak in tpm2_load_cmd ‘tpm2_load_cmd’ allocates a temporary blob indirectly via ‘tpm2_key_decode’ but it is not freed in the failure paths. Address this by wrapping the blob with a cleanup helper. | 2026-01-23 | not yet calculated | CVE-2025-71147 | https://git.kernel.org/stable/c/3fd7df4636d8fd5e3592371967a5941204368936 https://git.kernel.org/stable/c/af0689cafb127a8d1af78cc8b72585c9b2a19ecd https://git.kernel.org/stable/c/19166de9737218b77122c41a5730ac87025e089f https://git.kernel.org/stable/c/9b015f2918b95bdde2ca9cefa10ef02b138aae1e https://git.kernel.org/stable/c/9e7c63c69f57b1db1a8a1542359a6167ff8fcef1 https://git.kernel.org/stable/c/62cd5d480b9762ce70d720a81fa5b373052ae05f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/handshake: restore destructor on submit failure handshake_req_submit() replaces sk->sk_destruct but never restores it when submission fails before the request is hashed. handshake_sk_destruct() then returns early and the original destructor never runs, leaking the socket. Restore sk_destruct on the error path. | 2026-01-23 | not yet calculated | CVE-2025-71148 | https://git.kernel.org/stable/c/cd8cf2be3717137554744233fda051ffc09d1d44 https://git.kernel.org/stable/c/7b82a1d6ae869533d8bdb0282a3a78faed8e63dd https://git.kernel.org/stable/c/b225325be7b247c7268e65eea6090db1fc786d1f https://git.kernel.org/stable/c/6af2a01d65f89e73c1cbb9267f8880d83a88cee4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: io_uring/poll: correctly handle io_poll_add() return value on update When the core of io_uring was updated to handle completions consistently and with fixed return codes, the POLL_REMOVE opcode with updates got slightly broken. If a POLL_ADD is pending and then POLL_REMOVE is used to update the events of that request, if that update causes the POLL_ADD to now trigger, then that completion is lost and a CQE is never posted. Additionally, ensure that if an update does cause an existing POLL_ADD to complete, that the completion value isn’t always overwritten with -ECANCELED. For that case, whatever io_poll_add() set the value to should just be retained. | 2026-01-23 | not yet calculated | CVE-2025-71149 | https://git.kernel.org/stable/c/8b777ab48441b153502772ecfc78c107d4353f29 https://git.kernel.org/stable/c/0126560370ed5217958b85657b590ad25e8b9c00 https://git.kernel.org/stable/c/c1669c03bfbc2a9b5ebff4428eecebe734c646fe https://git.kernel.org/stable/c/13a8f7b88c2d40c6b33f6216190478dda95d385f https://git.kernel.org/stable/c/84230ad2d2afbf0c44c32967e525c0ad92e26b4e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2_SESSION_VALID, it indicates that no valid session was found, but it fails to decrement the reference count acquired by the session lookup, which results in a reference count leak. This patch fixes the issue by explicitly calling ksmbd_user_session_put to release the reference to the session. | 2026-01-23 | not yet calculated | CVE-2025-71150 | https://git.kernel.org/stable/c/0fb87b28cafae71e9c8248432cc3a6a1fd759efc https://git.kernel.org/stable/c/e54fb2a4772545701766cba08aab20de5eace8cd https://git.kernel.org/stable/c/02e06785e85b4bd86ef3d23b7c8d87acc76773d5 https://git.kernel.org/stable/c/8cabcb4dd3dc85dd83a37d26efcc59a66a4074d7 https://git.kernel.org/stable/c/cafb57f7bdd57abba87725eb4e82bbdca4959644 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: cifs: Fix memory and information leak in smb3_reconfigure() In smb3_reconfigure(), if smb3_sync_session_ctx_passwords() fails, the function returns immediately without freeing and erasing the newly allocated new_password and new_password2. This causes both a memory leak and a potential information leak. Fix this by calling kfree_sensitive() on both password buffers before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71151 | https://git.kernel.org/stable/c/bc390b2737205163e48cc1655f6a0c8cd55b02fc https://git.kernel.org/stable/c/5679cc90bb5415801fa29041da0319d9e15d295d https://git.kernel.org/stable/c/bb82aaee16907dc4d0b9b0ca7953ceb3edc328c6 https://git.kernel.org/stable/c/cb6d5aa9c0f10074f1ad056c3e2278ad2cc7ec8d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ——————- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn’t make sense. There are two distinct problems. 1. The OF path, which uses of_find_net_device_by_node(), never releases the elevated refcount on the conduit’s kobject. Nominally, the OF and non-OF paths should result in objects having identical reference counts taken, and it is already suspicious that dsa_dev_to_net_device() has a put_device() call which is missing in dsa_port_parse_of(), but we can actually even verify that an issue exists. With CONFIG_DEBUG_KOBJECT_RELEASE=y, if we run this command “before” and “after” applying this patch: (unbind the conduit driver for net device eno2) echo 0000:00:00.2 > /sys/bus/pci/drivers/fsl_enetc/unbind we see these lines in the output diff which appear only with the patch applied: kobject: ‘eno2’ (ffff002009a3a6b8): kobject_release, parent 0000000000000000 (delayed 1000) kobject: ‘109’ (ffff0020099d59a0): kobject_release, parent 0000000000000000 (delayed 1000) 2. After we find the conduit interface one way (OF) or another (non-OF), it can get unregistered at any time, and DSA remains with a long-lived, but in this case stale, cpu_dp->conduit pointer. Holding the net device’s underlying kobject isn’t actually of much help, it just prevents it from being freed (but we never need that kobject directly). What helps us to prevent the net device from being unregistered is the parallel netdev reference mechanism (dev_hold() and dev_put()). Actually we actually use that netdev tracker mechanism implicitly on user ports since commit 2f1e8ea726e9 (“net: dsa: link interfaces with the DSA master to get rid of lockdep warnings”), via netdev_upper_dev_link(). But time still passes at DSA switch probe time between the initial of_find_net_device_by_node() code and the user port creation time, time during which the conduit could unregister itself and DSA wouldn’t know about it. So we have to run of_find_net_device_by_node() under rtnl_lock() to prevent that from happening, and release the lock only with the netdev tracker having acquired the reference. Do we need to keep the reference until dsa_unregister_switch() / dsa_switch_shutdown()? 1. Maybe yes. A switch device will still be registered even if all user ports failed to probe, see commit 86f8b1c01a0a (“net: dsa: Do not make user port errors fatal”), and the cpu_dp->conduit pointers remain valid. I haven’t audited all call paths to see whether they will actually use the conduit in lack of any user port, but if they do, it seems safer to not rely on user ports for that reference. 2. Definitely yes. We support changing the conduit which a user port is associated to, and we can get into a situation where we’ve moved all user ports away from a conduit, thus no longer hold any reference to it via the net device tracker. But we shouldn’t let it go nonetheless – see the next change in relation to dsa_tree_find_first_conduit() and LAG conduits which disappear. We have to be prepared to return to the physical conduit, so the CPU port must explicitly keep another reference to it. This is also to say: the user ports and their CPU ports may not always keep a reference to the same conduit net device, and both are needed. As for the conduit’s kobject for the /sys/class/net/ entry, we don’t care about it, we can release it as soon as we hold the net device object itself. History and blame attribution —————————– The code has been refactored so many times, it is very difficult to follow and properly attribute a blame, but I’ll try to make a short history which I hope to be correct. We have two distinct probing paths: – one for OF, introduced in 2016 i —truncated— | 2026-01-23 | not yet calculated | CVE-2025-71152 | https://git.kernel.org/stable/c/0e766b77ba5093583dfe609fae0aa1545c46dbbd https://git.kernel.org/stable/c/06e219f6a706c367c93051f408ac61417643d2f9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix memory leak in get_file_all_info() In get_file_all_info(), if vfs_getattr() fails, the function returns immediately without freeing the allocated filename, leading to a memory leak. Fix this by freeing the filename before returning in this error case. | 2026-01-23 | not yet calculated | CVE-2025-71153 | https://git.kernel.org/stable/c/5012b4c812230ae066902a00442708c999111183 https://git.kernel.org/stable/c/676907004256e0226c7ed3691db9f431404ca258 https://git.kernel.org/stable/c/d026f47db68638521df8543535ef863814fb01b1 https://git.kernel.org/stable/c/0c56693b06a68476ba113db6347e7897475f9e4c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: rtl8150: fix memory leak on usb_submit_urb() failure In async_set_registers(), when usb_submit_urb() fails, the allocated async_req structure and URB are not freed, causing a memory leak. The completion callback async_set_reg_cb() is responsible for freeing these allocations, but it is only called after the URB is successfully submitted and completes (successfully or with error). If submission fails, the callback never runs and the memory is leaked. Fix this by freeing both the URB and the request structure in the error path when usb_submit_urb() fails. | 2026-01-23 | not yet calculated | CVE-2025-71154 | https://git.kernel.org/stable/c/a4e2442d3c48355a84463342f397134f149936d7 https://git.kernel.org/stable/c/2f966186b99550e3c665dbfb87b8314e30acea02 https://git.kernel.org/stable/c/db2244c580540306d60ce783ed340190720cd429 https://git.kernel.org/stable/c/4bd4ea3eb326608ffc296db12c105f92dc2f2190 https://git.kernel.org/stable/c/6492ad6439ff1a479fc94dc6052df3628faed8b6 https://git.kernel.org/stable/c/151403e903840c9cf06754097b6732c14f26c532 https://git.kernel.org/stable/c/12cab1191d9890097171156d06bfa8d31f1e39c8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: KVM: s390: Fix gmap_helper_zap_one_page() again A few checks were missing in gmap_helper_zap_one_page(), which can lead to memory corruption in the guest under specific circumstances. Add the missing checks. | 2026-01-23 | not yet calculated | CVE-2025-71155 | https://git.kernel.org/stable/c/2af2abbcbf8573100288e8f8aea2dab8a2a0ceb7 https://git.kernel.org/stable/c/2f393c228cc519ddf19b8c6c05bf15723241aa96 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. This allows the interrupt to fire before the associated NAPI context is fully initialized and cause failures like below: [ 0.946369] Call Trace: [ 0.946369] <IRQ> [ 0.946369] __napi_poll+0x2a/0x1e0 [ 0.946369] net_rx_action+0x2f9/0x3f0 [ 0.946369] handle_softirqs+0xd6/0x2c0 [ 0.946369] ? handle_edge_irq+0xc1/0x1b0 [ 0.946369] __irq_exit_rcu+0xc3/0xe0 [ 0.946369] common_interrupt+0x81/0xa0 [ 0.946369] </IRQ> [ 0.946369] <TASK> [ 0.946369] asm_common_interrupt+0x22/0x40 [ 0.946369] RIP: 0010:pv_native_safe_halt+0xb/0x10 Use the `IRQF_NO_AUTOEN` flag when requesting interrupts to prevent auto enablement and explicitly enable the interrupt in the NAPI initialization path (and disable it during NAPI teardown). This ensures that the interrupt lifecycle is strictly coupled with readiness of the NAPI context. | 2026-01-23 | not yet calculated | CVE-2025-71156 | https://git.kernel.org/stable/c/f5b7f49bd2377916ad57cbd1210c61196daff013 https://git.kernel.org/stable/c/48f9277680925e1a8623d6b2c50aadb7af824ace https://git.kernel.org/stable/c/3d970eda003441f66551a91fda16478ac0711617 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 (“RDMA/nldev: Add support to add/delete a sub IB device through netlink”) grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. | 2026-01-23 | not yet calculated | CVE-2025-71157 | https://git.kernel.org/stable/c/20436f2742a92b7afeb2504eb559a98d2196b001 https://git.kernel.org/stable/c/fe8d456080423b9ed410469fbd1e2098d3acce2b https://git.kernel.org/stable/c/fa3c411d21ebc26ffd175c7256c37cefa35020aa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: ensure worker is torn down When an IRQ worker is running, unplugging the device would cause a crash. The sealevel hardware this driver was written for was not hotpluggable, so I never realized it. This change uses a spinlock to protect a list of workers, which it tears down on disconnect. | 2026-01-23 | not yet calculated | CVE-2025-71158 | https://git.kernel.org/stable/c/472d900c8bcac301ae0e40fdca7db799bd989ff5 https://git.kernel.org/stable/c/179ef1127d7a4f09f0e741fa9f30b8a8e7886271 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node’s refcount before acquiring the root->delayed_nodes lock. Commit e8513c012de7 (“btrfs: implement ref_tracker for delayed_nodes”) moved refcount_set inside the critical section, which means there is no longer a memory barrier between setting the refcount and setting btrfs_inode->delayed_node. Without that barrier, the stores to node->refs and btrfs_inode->delayed_node may become visible out of order. Another thread can then read btrfs_inode->delayed_node and attempt to increment a refcount that hasn’t been set yet, leading to a refcounting bug and a use-after-free warning. The fix is to move refcount_set back to where it was to take advantage of the implicit memory barrier provided by lock acquisition. Because the allocations now happen outside of the lock’s critical section, they can use GFP_NOFS instead of GFP_ATOMIC. | 2026-01-23 | not yet calculated | CVE-2025-71159 | https://git.kernel.org/stable/c/c8385851a5435f4006281828d428e5d0b0bbf8af https://git.kernel.org/stable/c/83f59076a1ae6f5c6845d6f7ed3a1a373d883684 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_tables: avoid chain re-validation if possible Hamza Mahfooz reports cpu soft lock-ups in nft_chain_validate(): watchdog: BUG: soft lockup – CPU#1 stuck for 27s! [iptables-nft-re:37547] [..] RIP: 0010:nft_chain_validate+0xcb/0x110 [nf_tables] [..] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_immediate_validate+0x36/0x50 [nf_tables] nft_chain_validate+0xc9/0x110 [nf_tables] nft_table_validate+0x6b/0xb0 [nf_tables] nf_tables_validate+0x8b/0xa0 [nf_tables] nf_tables_commit+0x1df/0x1eb0 [nf_tables] [..] Currently nf_tables will traverse the entire table (chain graph), starting from the entry points (base chains), exploring all possible paths (chain jumps). But there are cases where we could avoid revalidation. Consider: 1 input -> j2 -> j3 2 input -> j2 -> j3 3 input -> j1 -> j2 -> j3 Then the second rule does not need to revalidate j2, and, by extension j3, because this was already checked during validation of the first rule. We need to validate it only for rule 3. This is needed because chain loop detection also ensures we do not exceed the jump stack: Just because we know that j2 is cycle free, its last jump might now exceed the allowed stack size. We also need to update all reachable chains with the new largest observed call depth. Care has to be taken to revalidate even if the chain depth won’t be an issue: chain validation also ensures that expressions are not called from invalid base chains. For example, the masquerade expression can only be called from NAT postrouting base chains. Therefore we also need to keep record of the base chain context (type, hooknum) and revalidate if the chain becomes reachable from a different hook location. | 2026-01-23 | not yet calculated | CVE-2025-71160 | https://git.kernel.org/stable/c/53de1e6cde8f9b791d9cf61aa0e7b02cf5bbe8b1 https://git.kernel.org/stable/c/14fa3d1927f1382f86e3f70a51f26005c8e3cff6 https://git.kernel.org/stable/c/09d6074995c186e449979fe6c1b0f1a69cf9bd3b https://git.kernel.org/stable/c/8e1a1bc4f5a42747c08130b8242ebebd1210b32f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dm-verity: disable recursive forward error correction There are two problems with the recursive correction: 1. It may cause denial-of-service. In fec_read_bufs, there is a loop that has 253 iterations. For each iteration, we may call verity_hash_for_block recursively. There is a limit of 4 nested recursions – that means that there may be at most 253^4 (4 billion) iterations. Red Hat QE team actually created an image that pushes dm-verity to this limit – and this image just makes the udev-worker process get stuck in the ‘D’ state. 2. It doesn’t work. In fec_read_bufs we store data into the variable “fio->bufs”, but fio bufs is shared between recursive invocations, if “verity_hash_for_block” invoked correction recursively, it would overwrite partially filled fio->bufs. | 2026-01-23 | not yet calculated | CVE-2025-71161 | https://git.kernel.org/stable/c/232948cf600fba69aff36b25d85ef91a73a35756 https://git.kernel.org/stable/c/d9f3e47d3fae0c101d9094bc956ed24e7a0ee801 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: tegra-adma: Fix use-after-free A use-after-free bug exists in the Tegra ADMA driver when audio streams are terminated, particularly during XRUN conditions. The issue occurs when the DMA buffer is freed by tegra_adma_terminate_all() before the vchan completion tasklet finishes accessing it. The race condition follows this sequence: 1. DMA transfer completes, triggering an interrupt that schedules the completion tasklet (tasklet has not executed yet) 2. Audio playback stops, calling tegra_adma_terminate_all() which frees the DMA buffer memory via kfree() 3. The scheduled tasklet finally executes, calling vchan_complete() which attempts to access the already-freed memory Since tasklets can execute at any time after being scheduled, there is no guarantee that the buffer will remain valid when vchan_complete() runs. Fix this by properly synchronizing the virtual channel completion: – Calling vchan_terminate_vdesc() in tegra_adma_stop() to mark the descriptors as terminated instead of freeing the descriptor. – Add the callback tegra_adma_synchronize() that calls vchan_synchronize() which kills any pending tasklets and frees any terminated descriptors. Crash logs: [ 337.427523] BUG: KASAN: use-after-free in vchan_complete+0x124/0x3b0 [ 337.427544] Read of size 8 at addr ffff000132055428 by task swapper/0/0 [ 337.427562] Call trace: [ 337.427564] dump_backtrace+0x0/0x320 [ 337.427571] show_stack+0x20/0x30 [ 337.427575] dump_stack_lvl+0x68/0x84 [ 337.427584] print_address_description.constprop.0+0x74/0x2b8 [ 337.427590] kasan_report+0x1f4/0x210 [ 337.427598] __asan_load8+0xa0/0xd0 [ 337.427603] vchan_complete+0x124/0x3b0 [ 337.427609] tasklet_action_common.constprop.0+0x190/0x1d0 [ 337.427617] tasklet_action+0x30/0x40 [ 337.427623] __do_softirq+0x1a0/0x5c4 [ 337.427628] irq_exit+0x110/0x140 [ 337.427633] handle_domain_irq+0xa4/0xe0 [ 337.427640] gic_handle_irq+0x64/0x160 [ 337.427644] call_on_irq_stack+0x20/0x4c [ 337.427649] do_interrupt_handler+0x7c/0x90 [ 337.427654] el1_interrupt+0x30/0x80 [ 337.427659] el1h_64_irq_handler+0x18/0x30 [ 337.427663] el1h_64_irq+0x7c/0x80 [ 337.427667] cpuidle_enter_state+0xe4/0x540 [ 337.427674] cpuidle_enter+0x54/0x80 [ 337.427679] do_idle+0x2e0/0x380 [ 337.427685] cpu_startup_entry+0x2c/0x70 [ 337.427690] rest_init+0x114/0x130 [ 337.427695] arch_call_rest_init+0x18/0x24 [ 337.427702] start_kernel+0x380/0x3b4 [ 337.427706] __primary_switched+0xc0/0xc8 | 2026-01-25 | not yet calculated | CVE-2025-71162 | https://git.kernel.org/stable/c/cb2c9c4bb1322cc3c9984ad17db8cdd2663879ca https://git.kernel.org/stable/c/be655c3736b3546f39bc8116ffbf2a3b6cac96c4 https://git.kernel.org/stable/c/2efd07a7c36949e6fa36a69183df24d368bf9e96 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: fix device leaks on compat bind and unbind Make sure to drop the reference taken when looking up the idxd device as part of the compat bind and unbind sysfs interface. | 2026-01-25 | not yet calculated | CVE-2025-71163 | https://git.kernel.org/stable/c/0c97ff108f825a70c3bb29d65ddf0a013d231bb9 https://git.kernel.org/stable/c/a7226fd61def74b60dd8e47ec84cabafc39d575b https://git.kernel.org/stable/c/799900f01792cf8b525a44764f065f83fcafd468 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: Fix NULL deref when deactivating inactive aggregate in qfq_reset `qfq_class->leaf_qdisc->q.qlen > 0` does not imply that the class itself is active. Two qfq_class objects may point to the same leaf_qdisc. This happens when: 1. one QFQ qdisc is attached to the dev as the root qdisc, and 2. another QFQ qdisc is temporarily referenced (e.g., via qdisc_get() / qdisc_put()) and is pending to be destroyed, as in function tc_new_tfilter. When packets are enqueued through the root QFQ qdisc, the shared leaf_qdisc->q.qlen increases. At the same time, the second QFQ qdisc triggers qdisc_put and qdisc_destroy: the qdisc enters qfq_reset() with its own q->q.qlen == 0, but its class’s leaf qdisc->q.qlen > 0. Therefore, the qfq_reset would wrongly deactivate an inactive aggregate and trigger a null-deref in qfq_deactivate_agg: [ 0.903172] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 0.903571] #PF: supervisor write access in kernel mode [ 0.903860] #PF: error_code(0x0002) – not-present page [ 0.904177] PGD 10299b067 P4D 10299b067 PUD 10299c067 PMD 0 [ 0.904502] Oops: Oops: 0002 [#1] SMP NOPTI [ 0.904737] CPU: 0 UID: 0 PID: 135 Comm: exploit Not tainted 6.19.0-rc3+ #2 NONE [ 0.905157] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org 04/01/2014 [ 0.905754] RIP: 0010:qfq_deactivate_agg (include/linux/list.h:992 (discriminator 2) include/linux/list.h:1006 (discriminator 2) net/sched/sch_qfq.c:1367 (discriminator 2) net/sched/sch_qfq.c:1393 (discriminator 2)) [ 0.906046] Code: 0f 84 4d 01 00 00 48 89 70 18 8b 4b 10 48 c7 c2 ff ff ff ff 48 8b 78 08 48 d3 e2 48 21 f2 48 2b 13 48 8b 30 48 d3 ea 8b 4b 18 0 Code starting with the faulting instruction =========================================== 0: 0f 84 4d 01 00 00 je 0x153 6: 48 89 70 18 mov %rsi,0x18(%rax) a: 8b 4b 10 mov 0x10(%rbx),%ecx d: 48 c7 c2 ff ff ff ff mov $0xffffffffffffffff,%rdx 14: 48 8b 78 08 mov 0x8(%rax),%rdi 18: 48 d3 e2 shl %cl,%rdx 1b: 48 21 f2 and %rsi,%rdx 1e: 48 2b 13 sub (%rbx),%rdx 21: 48 8b 30 mov (%rax),%rsi 24: 48 d3 ea shr %cl,%rdx 27: 8b 4b 18 mov 0x18(%rbx),%ecx … [ 0.907095] RSP: 0018:ffffc900004a39a0 EFLAGS: 00010246 [ 0.907368] RAX: ffff8881043a0880 RBX: ffff888102953340 RCX: 0000000000000000 [ 0.907723] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 [ 0.908100] RBP: ffff888102952180 R08: 0000000000000000 R09: 0000000000000000 [ 0.908451] R10: ffff8881043a0000 R11: 0000000000000000 R12: ffff888102952000 [ 0.908804] R13: ffff888102952180 R14: ffff8881043a0ad8 R15: ffff8881043a0880 [ 0.909179] FS: 000000002a1a0380(0000) GS:ffff888196d8d000(0000) knlGS:0000000000000000 [ 0.909572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 0.909857] CR2: 0000000000000000 CR3: 0000000102993002 CR4: 0000000000772ef0 [ 0.910247] PKRU: 55555554 [ 0.910391] Call Trace: [ 0.910527] <TASK> [ 0.910638] qfq_reset_qdisc (net/sched/sch_qfq.c:357 net/sched/sch_qfq.c:1485) [ 0.910826] qdisc_reset (include/linux/skbuff.h:2195 include/linux/skbuff.h:2501 include/linux/skbuff.h:3424 include/linux/skbuff.h:3430 net/sched/sch_generic.c:1036) [ 0.911040] __qdisc_destroy (net/sched/sch_generic.c:1076) [ 0.911236] tc_new_tfilter (net/sched/cls_api.c:2447) [ 0.911447] rtnetlink_rcv_msg (net/core/rtnetlink.c:6958) [ 0.911663] ? __pfx_rtnetlink_rcv_msg (net/core/rtnetlink.c:6861) [ 0.911894] netlink_rcv_skb (net/netlink/af_netlink.c:2550) [ 0.912100] netlink_unicast (net/netlink/af_netlink.c:1319 net/netlink/af_netlink.c:1344) [ 0.912296] ? __alloc_skb (net/core/skbuff.c:706) [ 0.912484] netlink_sendmsg (net/netlink/af —truncated— | 2026-01-21 | not yet calculated | CVE-2026-22976 | https://git.kernel.org/stable/c/6116a83ec167d3ab1390cded854d237481f41b63 https://git.kernel.org/stable/c/0809c4bc06c9c961222df29f2eccfd449304056f https://git.kernel.org/stable/c/cdb24200b043438a144df501f1ebbd926bb1a2c7 https://git.kernel.org/stable/c/11bf9134613f6c71fc0ff36c5d8d33856f6ae3bb https://git.kernel.org/stable/c/43497313d0da3e12b5cfcd97aa17bf48ee663f95 https://git.kernel.org/stable/c/51ffd447bc37bf1a5776b85523f51d2bc69977f6 https://git.kernel.org/stable/c/c1d73b1480235731e35c81df70b08f4714a7d095 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: sock: fix hardened usercopy panic in sock_recv_errqueue skbuff_fclone_cache was created without defining a usercopy region, [1] unlike skbuff_head_cache which properly whitelists the cb[] field. [2] This causes a usercopy BUG() when CONFIG_HARDENED_USERCOPY is enabled and the kernel attempts to copy sk_buff.cb data to userspace via sock_recv_errqueue() -> put_cmsg(). The crash occurs when: 1. TCP allocates an skb using alloc_skb_fclone() (from skbuff_fclone_cache) [1] 2. The skb is cloned via skb_clone() using the pre-allocated fclone [3] 3. The cloned skb is queued to sk_error_queue for timestamp reporting 4. Userspace reads the error queue via recvmsg(MSG_ERRQUEUE) 5. sock_recv_errqueue() calls put_cmsg() to copy serr->ee from skb->cb [4] 6. __check_heap_object() fails because skbuff_fclone_cache has no usercopy whitelist [5] When cloned skbs allocated from skbuff_fclone_cache are used in the socket error queue, accessing the sock_exterr_skb structure in skb->cb via put_cmsg() triggers a usercopy hardening violation: [ 5.379589] usercopy: Kernel memory exposure attempt detected from SLUB object ‘skbuff_fclone_cache’ (offset 296, size 16)! [ 5.382796] kernel BUG at mm/usercopy.c:102! [ 5.383923] Oops: invalid opcode: 0000 [#1] SMP KASAN NOPTI [ 5.384903] CPU: 1 UID: 0 PID: 138 Comm: poc_put_cmsg Not tainted 6.12.57 #7 [ 5.384903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.3-0-ga6ed6b701f0a-prebuilt.qemu.org 04/01/2014 [ 5.384903] RIP: 0010:usercopy_abort+0x6c/0x80 [ 5.384903] Code: 1a 86 51 48 c7 c2 40 15 1a 86 41 52 48 c7 c7 c0 15 1a 86 48 0f 45 d6 48 c7 c6 80 15 1a 86 48 89 c1 49 0f 45 f3 e8 84 27 88 ff <0f> 0b 490 [ 5.384903] RSP: 0018:ffffc900006f77a8 EFLAGS: 00010246 [ 5.384903] RAX: 000000000000006f RBX: ffff88800f0ad2a8 RCX: 1ffffffff0f72e74 [ 5.384903] RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff87b973a0 [ 5.384903] RBP: 0000000000000010 R08: 0000000000000000 R09: fffffbfff0f72e74 [ 5.384903] R10: 0000000000000003 R11: 79706f6372657375 R12: 0000000000000001 [ 5.384903] R13: ffff88800f0ad2b8 R14: ffffea00003c2b40 R15: ffffea00003c2b00 [ 5.384903] FS: 0000000011bc4380(0000) GS:ffff8880bf100000(0000) knlGS:0000000000000000 [ 5.384903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5.384903] CR2: 000056aa3b8e5fe4 CR3: 000000000ea26004 CR4: 0000000000770ef0 [ 5.384903] PKRU: 55555554 [ 5.384903] Call Trace: [ 5.384903] <TASK> [ 5.384903] __check_heap_object+0x9a/0xd0 [ 5.384903] __check_object_size+0x46c/0x690 [ 5.384903] put_cmsg+0x129/0x5e0 [ 5.384903] sock_recv_errqueue+0x22f/0x380 [ 5.384903] tls_sw_recvmsg+0x7ed/0x1960 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? schedule+0x6d/0x270 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 [ 5.384903] ? mutex_unlock+0x81/0xd0 [ 5.384903] ? __pfx_mutex_unlock+0x10/0x10 [ 5.384903] ? __pfx_tls_sw_recvmsg+0x10/0x10 [ 5.384903] ? _raw_spin_lock_irqsave+0x8f/0xf0 [ 5.384903] ? _raw_read_unlock_irqrestore+0x20/0x40 [ 5.384903] ? srso_alias_return_thunk+0x5/0xfbef5 The crash offset 296 corresponds to skb2->cb within skbuff_fclones: – sizeof(struct sk_buff) = 232 – offsetof(struct sk_buff, cb) = 40 – offset of skb2.cb in fclones = 232 + 40 = 272 – crash offset 296 = 272 + 24 (inside sock_exterr_skb.ee) This patch uses a local stack variable as a bounce buffer to avoid the hardened usercopy check failure. [1] https://elixir.bootlin.com/linux/v6.12.62/source/net/ipv4/tcp.c#L885 [2] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5104 [3] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5566 [4] https://elixir.bootlin.com/linux/v6.12.62/source/net/core/skbuff.c#L5491 [5] https://elixir.bootlin.com/linux/v6.12.62/source/mm/slub.c#L5719 | 2026-01-21 | not yet calculated | CVE-2026-22977 | https://git.kernel.org/stable/c/88dd6be7ebb3153b662c2cebcb06e032a92857f5 https://git.kernel.org/stable/c/c655d2167bf014d4c61b4faeca59b60ff9b9f6b1 https://git.kernel.org/stable/c/8c6901aa29626e35045130bac09b75f791acca85 https://git.kernel.org/stable/c/582a5e922a9652fcbb7d0165c95d5b20aa37575d https://git.kernel.org/stable/c/005671c60fcf1dbdb8bddf12a62568fd5e4ec391 https://git.kernel.org/stable/c/e00b169eaac5f7cdbf710c354c8fa76d02009115 https://git.kernel.org/stable/c/2a71a1a8d0ed718b1c7a9ac61f07e5755c47ae20 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: avoid kernel-infoleak from struct iw_point struct iw_point has a 32bit hole on 64bit arches. struct iw_point { void __user *pointer; /* Pointer to the data (in user space) */ __u16 length; /* number of fields or size in bytes */ __u16 flags; /* Optional params */ }; Make sure to zero the structure to avoid disclosing 32bits of kernel data to user space. | 2026-01-23 | not yet calculated | CVE-2026-22978 | https://git.kernel.org/stable/c/d943b5f592767b107ba8c12a902f17431350378c https://git.kernel.org/stable/c/a3827e310b5a73535646ef4a552d53b3c8bf74f6 https://git.kernel.org/stable/c/442ceac0393185e9982323f6682a52a53e8462b1 https://git.kernel.org/stable/c/d21ec867d84c9f3a9845d7d8c90c9ce35dbe48f8 https://git.kernel.org/stable/c/024f71a57d563fbe162e528c8bf2d27e9cac7c7b https://git.kernel.org/stable/c/e3c35177103ead4658b8a62f41e3080d45885464 https://git.kernel.org/stable/c/21cbf883d073abbfe09e3924466aa5e0449e7261 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: fix memory leak in skb_segment_list for GRO packets When skb_segment_list() is called during packet forwarding, it handles packets that were aggregated by the GRO engine. Historically, the segmentation logic in skb_segment_list assumes that individual segments are split from a parent SKB and may need to carry their own socket memory accounting. Accordingly, the code transfers truesize from the parent to the newly created segments. Prior to commit ed4cccef64c1 (“gro: fix ownership transfer”), this truesize subtraction in skb_segment_list() was valid because fragments still carry a reference to the original socket. However, commit ed4cccef64c1 (“gro: fix ownership transfer”) changed this behavior by ensuring that fraglist entries are explicitly orphaned (skb->sk = NULL) to prevent illegal orphaning later in the stack. This change meant that the entire socket memory charge remained with the head SKB, but the corresponding accounting logic in skb_segment_list() was never updated. As a result, the current code unconditionally adds each fragment’s truesize to delta_truesize and subtracts it from the parent SKB. Since the fragments are no longer charged to the socket, this subtraction results in an effective under-count of memory when the head is freed. This causes sk_wmem_alloc to remain non-zero, preventing socket destruction and leading to a persistent memory leak. The leak can be observed via KMEMLEAK when tearing down the networking environment: unreferenced object 0xffff8881e6eb9100 (size 2048): comm “ping”, pid 6720, jiffies 4295492526 backtrace: kmem_cache_alloc_noprof+0x5c6/0x800 sk_prot_alloc+0x5b/0x220 sk_alloc+0x35/0xa00 inet6_create.part.0+0x303/0x10d0 __sock_create+0x248/0x640 __sys_socket+0x11b/0x1d0 Since skb_segment_list() is exclusively used for SKB_GSO_FRAGLIST packets constructed by GRO, the truesize adjustment is removed. The call to skb_release_head_state() must be preserved. As documented in commit cf673ed0e057 (“net: fix fraglist segmentation reference count leak”), it is still required to correctly drop references to SKB extensions that may be overwritten during __copy_skb_header(). | 2026-01-23 | not yet calculated | CVE-2026-22979 | https://git.kernel.org/stable/c/0b27828ebd1ed3107d7929c3737adbe862e99e74 https://git.kernel.org/stable/c/88bea149db2057112af3aaf63534b24fab5858ab https://git.kernel.org/stable/c/3264881431e308b9c72cb8a0159d57a56d67dd79 https://git.kernel.org/stable/c/c114a32a2e70b82d447f409f7ffcfa3058f9d5bd https://git.kernel.org/stable/c/238e03d0466239410b72294b79494e43d4fabe77 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: provide locking for v4_end_grace Writing to v4_end_grace can race with server shutdown and result in memory being accessed after it was freed – reclaim_str_hashtbl in particular. We cannot hold nfsd_mutex across the nfsd4_end_grace() call as that is held while client_tracking_op->init() is called and that can wait for an upcall to nfsdcltrack which can write to v4_end_grace, resulting in a deadlock. nfsd4_end_grace() is also called by the laundromat work queue and this doesn’t require locking as server shutdown will stop the work and wait for it before freeing anything that nfsd4_end_grace() might access. However, we must be sure that writing to v4_end_grace doesn’t restart the work item after shutdown has already waited for it. For this we add a new flag protected with nn->client_lock. It is set only while it is safe to make client tracking calls, and v4_end_grace only schedules work while the flag is set with the spinlock held. So this patch adds a nfsd_net field “client_tracking_active” which is set as described. Another field “grace_end_forced”, is set when v4_end_grace is written. After this is set, and providing client_tracking_active is set, the laundromat is scheduled. This “grace_end_forced” field bypasses other checks for whether the grace period has finished. This resolves a race which can result in use-after-free. | 2026-01-23 | not yet calculated | CVE-2026-22980 | https://git.kernel.org/stable/c/ca97360860eb02e3ae4ba42c19b439a0fcecbf06 https://git.kernel.org/stable/c/e8bfa2401d4c51eca6e48e9b33c798828ca9df61 https://git.kernel.org/stable/c/34eb22836e0cdba093baac66599d68c4cd245a9d https://git.kernel.org/stable/c/06600719d0f7a723811c45e4d51f5b742f345309 https://git.kernel.org/stable/c/ba4811c8b433bfa681729ca42cc62b6034f223b0 https://git.kernel.org/stable/c/53f07d095e7e680c5e4569a55a019f2c0348cdc6 https://git.kernel.org/stable/c/2857bd59feb63fcf40fe4baf55401baea6b4feb4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: detach and close netdevs while handling a reset Protect the reset path from callbacks by setting the netdevs to detached state and close any netdevs in UP state until the reset handling has completed. During a reset, the driver will de-allocate resources for the vport, and there is no guarantee that those will recover, which is why the existing vport_ctrl_lock does not provide sufficient protection. idpf_detach_and_close() is called right before reset handling. If the reset handling succeeds, the netdevs state is recovered via call to idpf_attach_and_open(). If the reset handling fails the netdevs remain down. The detach/down calls are protected with RTNL lock to avoid racing with callbacks. On the recovery side the attach can be done without holding the RTNL lock as there are no callbacks expected at that point, due to detach/close always being done first in that flow. The previous logic restoring the netdevs state based on the IDPF_VPORT_UP_REQUESTED flag in the init task is not needed anymore, hence the removal of idpf_set_vport_state(). The IDPF_VPORT_UP_REQUESTED is still being used to restore the state of the netdevs following the reset, but has no use outside of the reset handling flow. idpf_init_hard_reset() is converted to void, since it was used as such and there is no error handling being done based on its return value. Before this change, invoking hard and soft resets simultaneously will cause the driver to lose the vport state: ip -br a <inf> UP echo 1 > /sys/class/net/ens801f0/device/reset& ethtool -L ens801f0 combined 8 ip -br a <inf> DOWN ip link set <inf> up ip -br a <inf> DOWN Also in case of a failure in the reset path, the netdev is left exposed to external callbacks, while vport resources are not initialized, leading to a crash on subsequent ifup/down: [408471.398966] idpf 0000:83:00.0: HW reset detected [408471.411744] idpf 0000:83:00.0: Device HW Reset initiated [408472.277901] idpf 0000:83:00.0: The driver was unable to contact the device’s firmware. Check that the FW is running. Driver state= 0x2 [408508.125551] BUG: kernel NULL pointer dereference, address: 0000000000000078 [408508.126112] #PF: supervisor read access in kernel mode [408508.126687] #PF: error_code(0x0000) – not-present page [408508.127256] PGD 2aae2f067 P4D 0 [408508.127824] Oops: Oops: 0000 [#1] SMP NOPTI … [408508.130871] RIP: 0010:idpf_stop+0x39/0x70 [idpf] … [408508.139193] Call Trace: [408508.139637] <TASK> [408508.140077] __dev_close_many+0xbb/0x260 [408508.140533] __dev_change_flags+0x1cf/0x280 [408508.140987] netif_change_flags+0x26/0x70 [408508.141434] dev_change_flags+0x3d/0xb0 [408508.141878] devinet_ioctl+0x460/0x890 [408508.142321] inet_ioctl+0x18e/0x1d0 [408508.142762] ? _copy_to_user+0x22/0x70 [408508.143207] sock_do_ioctl+0x3d/0xe0 [408508.143652] sock_ioctl+0x10e/0x330 [408508.144091] ? find_held_lock+0x2b/0x80 [408508.144537] __x64_sys_ioctl+0x96/0xe0 [408508.144979] do_syscall_64+0x79/0x3d0 [408508.145415] entry_SYSCALL_64_after_hwframe+0x76/0x7e [408508.145860] RIP: 0033:0x7f3e0bb4caff | 2026-01-23 | not yet calculated | CVE-2026-22981 | https://git.kernel.org/stable/c/ac122f5fb050903b3d262001562c452be95eaf70 https://git.kernel.org/stable/c/2e281e1155fc476c571c0bd2ffbfe28ab829a5c3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: mscc: ocelot: Fix crash when adding interface under a lag Commit 15faa1f67ab4 (“lan966x: Fix crash when adding interface under a lag”) fixed a similar issue in the lan966x driver caused by a NULL pointer dereference. The ocelot_set_aggr_pgids() function in the ocelot driver has similar logic and is susceptible to the same crash. This issue specifically affects the ocelot_vsc7514.c frontend, which leaves unused ports as NULL pointers. The felix_vsc9959.c frontend is unaffected as it uses the DSA framework which registers all ports. Fix this by checking if the port pointer is valid before accessing it. | 2026-01-23 | not yet calculated | CVE-2026-22982 | https://git.kernel.org/stable/c/8767f238b0e6c3d0b295ac6dce9fbe6a99bd1b9d https://git.kernel.org/stable/c/b17818307446c5a8d925a39a792261dbfa930041 https://git.kernel.org/stable/c/2985712dc76dfa670eb7fd607c09d4d48e5f5c6e https://git.kernel.org/stable/c/03fb1708b7d1e76aecebf767ad059c319845039f https://git.kernel.org/stable/c/f490af47bbee02441e356a1e0b86e3b3dd5120ff https://git.kernel.org/stable/c/34f3ff52cb9fa7dbf04f5c734fcc4cb6ed5d1a95 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: do not write to msg_get_inq in callee NULL pointer dereference fix. msg_get_inq is an input field from caller to callee. Don’t set it in the callee, as the caller may not clear it on struct reuse. This is a kernel-internal variant of msghdr only, and the only user does reinitialize the field. So this is not critical for that reason. But it is more robust to avoid the write, and slightly simpler code. And it fixes a bug, see below. Callers set msg_get_inq to request the input queue length to be returned in msg_inq. This is equivalent to but independent from the SO_INQ request to return that same info as a cmsg (tp->recvmsg_inq). To reduce branching in the hot path the second also sets the msg_inq. That is WAI. This is a fix to commit 4d1442979e4a (“af_unix: don’t post cmsg for SO_INQ unless explicitly asked for”), which fixed the inverse. Also avoid NULL pointer dereference in unix_stream_read_generic if state->msg is NULL and msg->msg_get_inq is written. A NULL state->msg can happen when splicing as of commit 2b514574f7e8 (“net: af_unix: implement splice for stream af_unix sockets”). Also collapse two branches using a bitwise or. | 2026-01-23 | not yet calculated | CVE-2026-22983 | https://git.kernel.org/stable/c/ffa2be496ef65055b28b39c6bd9a7d66943ee89a https://git.kernel.org/stable/c/7d11e047eda5f98514ae62507065ac961981c025 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: prevent potential out-of-bounds reads in handle_auth_done() Perform an explicit bounds check on payload_len to avoid a possible out-of-bounds access in the callout. [ idryomov: changelog ] | 2026-01-23 | not yet calculated | CVE-2026-22984 | https://git.kernel.org/stable/c/194cfe2af4d2a1de599d39dad636b47c2f6c2c96 https://git.kernel.org/stable/c/79fe3511db416d2f2edcfd93569807cb02736e5e https://git.kernel.org/stable/c/ef208ea331ef688729f64089b895ed1b49e842e3 https://git.kernel.org/stable/c/2802ef3380fa8c4a08cda51ec1f085b1a712e9e2 https://git.kernel.org/stable/c/2d653bb63d598ae4b096dd678744bdcc34ee89e8 https://git.kernel.org/stable/c/818156caffbf55cb4d368f9c3cac64e458fb49c9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL pointer crash on early ethtool operations The RSS LUT is not initialized until the interface comes up, causing the following NULL pointer crash when ethtool operations like rxhash on/off are performed before the interface is brought up for the first time. Move RSS LUT initialization from ndo_open to vport creation to ensure LUT is always available. This enables RSS configuration via ethtool before bringing the interface up. Simplify LUT management by maintaining all changes in the driver’s soft copy and programming zeros to the indirection table when rxhash is disabled. Defer HW programming until the interface comes up if it is down during rxhash and LUT configuration changes. Steps to reproduce: ** Load idpf driver; interfaces will be created modprobe idpf ** Before bringing the interfaces up, turn rxhash off ethtool -K eth2 rxhash off [89408.371875] BUG: kernel NULL pointer dereference, address: 0000000000000000 [89408.371908] #PF: supervisor read access in kernel mode [89408.371924] #PF: error_code(0x0000) – not-present page [89408.371940] PGD 0 P4D 0 [89408.371953] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [89408.372052] RIP: 0010:memcpy_orig+0x16/0x130 [89408.372310] Call Trace: [89408.372317] <TASK> [89408.372326] ? idpf_set_features+0xfc/0x180 [idpf] [89408.372363] __netdev_update_features+0x295/0xde0 [89408.372384] ethnl_set_features+0x15e/0x460 [89408.372406] genl_family_rcv_msg_doit+0x11f/0x180 [89408.372429] genl_rcv_msg+0x1ad/0x2b0 [89408.372446] ? __pfx_ethnl_set_features+0x10/0x10 [89408.372465] ? __pfx_genl_rcv_msg+0x10/0x10 [89408.372482] netlink_rcv_skb+0x58/0x100 [89408.372502] genl_rcv+0x2c/0x50 [89408.372516] netlink_unicast+0x289/0x3e0 [89408.372533] netlink_sendmsg+0x215/0x440 [89408.372551] __sys_sendto+0x234/0x240 [89408.372571] __x64_sys_sendto+0x28/0x30 [89408.372585] x64_sys_call+0x1909/0x1da0 [89408.372604] do_syscall_64+0x7a/0xfa0 [89408.373140] ? clear_bhb_loop+0x60/0xb0 [89408.373647] entry_SYSCALL_64_after_hwframe+0x76/0x7e [89408.378887] </TASK> <snip> | 2026-01-23 | not yet calculated | CVE-2026-22985 | https://git.kernel.org/stable/c/b29a5a7dd1f4293ee49c469938c25bf85a5aa802 https://git.kernel.org/stable/c/83f38f210b85676f40ba8586b5a8edae19b56995 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpiolib: fix race condition for gdev->srcu If two drivers were calling gpiochip_add_data_with_key(), one may be traversing the srcu-protected list in gpio_name_to_desc(), meanwhile other has just added its gdev in gpiodev_add_to_list_unlocked(). This creates a non-mutexed and non-protected timeframe, when one instance is dereferencing and using &gdev->srcu, before the other has initialized it, resulting in crash: [ 4.935481] Unable to handle kernel paging request at virtual address ffff800272bcc000 [ 4.943396] Mem abort info: [ 4.943400] ESR = 0x0000000096000005 [ 4.943403] EC = 0x25: DABT (current EL), IL = 32 bits [ 4.943407] SET = 0, FnV = 0 [ 4.943410] EA = 0, S1PTW = 0 [ 4.943413] FSC = 0x05: level 1 translation fault [ 4.943416] Data abort info: [ 4.943418] ISV = 0, ISS = 0x00000005, ISS2 = 0x00000000 [ 4.946220] CM = 0, WnR = 0, TnD = 0, TagAccess = 0 [ 4.955261] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 [ 4.955268] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000038e6c000 [ 4.961449] [ffff800272bcc000] pgd=0000000000000000 [ 4.969203] , p4d=1000000039739003 [ 4.979730] , pud=0000000000000000 [ 4.980210] phandle (CPU): 0x0000005e, phandle (BE): 0x5e000000 for node “reset” [ 4.991736] Internal error: Oops: 0000000096000005 [#1] PREEMPT SMP … [ 5.121359] pc : __srcu_read_lock+0x44/0x98 [ 5.131091] lr : gpio_name_to_desc+0x60/0x1a0 [ 5.153671] sp : ffff8000833bb430 [ 5.298440] [ 5.298443] Call trace: [ 5.298445] __srcu_read_lock+0x44/0x98 [ 5.309484] gpio_name_to_desc+0x60/0x1a0 [ 5.320692] gpiochip_add_data_with_key+0x488/0xf00 [ 5.946419] ---[ end trace 0000000000000000 ]--- Move initialization code for gdev fields before it is added to gpio_devices, with adjacent initialization code. Adjust goto statements to reflect modified order of operations [Bartosz: fixed a build issue, removed stray newline] | 2026-01-23 | not yet calculated | CVE-2026-22986 | https://git.kernel.org/stable/c/fb674c8f1a5d8dd3113a7326030f963fa2d79c02 https://git.kernel.org/stable/c/a7ac22d53d0990152b108c3f4fe30df45fcb0181 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_api: avoid dereferencing ERR_PTR in tcf_idrinfo_destroy syzbot reported a crash in tc_act_in_hw() during netns teardown where tcf_idrinfo_destroy() passed an ERR_PTR(-EBUSY) value as a tc_action pointer, leading to an invalid dereference. Guard against ERR_PTR entries when iterating the action IDR so teardown does not call tc_act_in_hw() on an error pointer. | 2026-01-23 | not yet calculated | CVE-2026-22987 | https://git.kernel.org/stable/c/67550a1130b647bb0d093c9c0a810c69aa6a30a8 https://git.kernel.org/stable/c/adb25a46dc0a43173f5ea5f5f58fc8ba28970c7c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arp: do not assume dev_hard_header() does not change skb->head arp_create() is the only dev_hard_header() caller making assumption about skb->head being unchanged. A recent commit broke this assumption. Initialize @arp pointer after dev_hard_header() call. | 2026-01-23 | not yet calculated | CVE-2026-22988 | https://git.kernel.org/stable/c/e432dbff342b95fe44645f9a90fcf333c80f4b5e https://git.kernel.org/stable/c/393525dee5c39acff8d6705275d7fcaabcfb7f0a https://git.kernel.org/stable/c/70bddc16491ef4681f3569b3a2c80309a3edcdd1 https://git.kernel.org/stable/c/029935507d0af6553c45380fbf6feecf756fd226 https://git.kernel.org/stable/c/dd6ccec088adff4bdf33e2b2dd102df20a7128fa https://git.kernel.org/stable/c/949647e7771a4a01963fe953a96d81fba7acecf3 https://git.kernel.org/stable/c/c92510f5e3f82ba11c95991824a41e59a9c5ed81 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nfsd: check that server is running in unlock_filesystem If we are trying to unlock the filesystem via an administrative interface and nfsd isn’t running, it crashes the server. This happens currently because nfsd4_revoke_states() access state structures (eg., conf_id_hashtbl) that has been freed as a part of the server shutdown. [ 59.465072] Call trace: [ 59.465308] nfsd4_revoke_states+0x1b4/0x898 [nfsd] (P) [ 59.465830] write_unlock_fs+0x258/0x440 [nfsd] [ 59.466278] nfsctl_transaction_write+0xb0/0x120 [nfsd] [ 59.466780] vfs_write+0x1f0/0x938 [ 59.467088] ksys_write+0xfc/0x1f8 [ 59.467395] __arm64_sys_write+0x74/0xb8 [ 59.467746] invoke_syscall.constprop.0+0xdc/0x1e8 [ 59.468177] do_el0_svc+0x154/0x1d8 [ 59.468489] el0_svc+0x40/0xe0 [ 59.468767] el0t_64_sync_handler+0xa0/0xe8 [ 59.469138] el0t_64_sync+0x1ac/0x1b0 Ensure this can’t happen by taking the nfsd_mutex and checking that the server is still up, and then holding the mutex across the call to nfsd4_revoke_states(). | 2026-01-23 | not yet calculated | CVE-2026-22989 | https://git.kernel.org/stable/c/d95499900fe52f3d461ed26b7a30bebea8f12914 https://git.kernel.org/stable/c/e06c9f6c0f554148d4921c2a15bd054260a054ac https://git.kernel.org/stable/c/d0424066fcd294977f310964bed6f2a487fa4515 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: replace overzealous BUG_ON in osdmap_apply_incremental() If the osdmap is (maliciously) corrupted such that the incremental osdmap epoch is different from what is expected, there is no need to BUG. Instead, just declare the incremental osdmap to be invalid. | 2026-01-23 | not yet calculated | CVE-2026-22990 | https://git.kernel.org/stable/c/9aa0b0c14cefece078286d78b97d4c09685e372d https://git.kernel.org/stable/c/4b106fbb1c7b841cd402abd83eb2447164c799ea https://git.kernel.org/stable/c/6afd2a4213524bc742b709599a3663aeaf77193c https://git.kernel.org/stable/c/d3613770e2677683e65d062da5e31f48c409abe9 https://git.kernel.org/stable/c/6c6cec3db3b418c4fdf815731bc39e46dff75e1b https://git.kernel.org/stable/c/6348d70af847b79805374fe628d3809a63fd7df3 https://git.kernel.org/stable/c/e00c3f71b5cf75681dbd74ee3f982a99cb690c2b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make free_choose_arg_map() resilient to partial allocation free_choose_arg_map() may dereference a NULL pointer if its caller fails after a partial allocation. For example, in decode_choose_args(), if allocation of arg_map->args fails, execution jumps to the fail label and free_choose_arg_map() is called. Since arg_map->size is updated to a non-zero value before memory allocation, free_choose_arg_map() will iterate over arg_map->args and dereference a NULL pointer. To prevent this potential NULL pointer dereference and make free_choose_arg_map() more resilient, add checks for pointers before iterating. | 2026-01-23 | not yet calculated | CVE-2026-22991 | https://git.kernel.org/stable/c/9b3730dabcf3764bfe3ff07caf55e641a0b45234 https://git.kernel.org/stable/c/851241d3f78a5505224dc21c03d8692f530256b4 https://git.kernel.org/stable/c/ec1850f663da64842614c86b20fe734be070c2ba https://git.kernel.org/stable/c/8081faaf089db5280c3be820948469f7c58ef8dd https://git.kernel.org/stable/c/c4c2152a858c0ce4d2bff6ca8c1d5b0ef9f2cbdf https://git.kernel.org/stable/c/f21c3fdb96833aac2f533506899fe38c19cf49d5 https://git.kernel.org/stable/c/e3fe30e57649c551757a02e1cad073c47e1e075e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: return the handler error from mon_handle_auth_done() Currently any error from ceph_auth_handle_reply_done() is propagated via finish_auth() but isn’t returned from mon_handle_auth_done(). This results in higher layers learning that (despite the monitor considering us to be successfully authenticated) something went wrong in the authentication phase and reacting accordingly, but msgr2 still trying to proceed with establishing the session in the background. In the case of secure mode this can trigger a WARN in setup_crypto() and later lead to a NULL pointer dereference inside of prepare_auth_signature(). | 2026-01-23 | not yet calculated | CVE-2026-22992 | https://git.kernel.org/stable/c/77229551f2cf72f3e35636db68e6a825b912cf16 https://git.kernel.org/stable/c/33908769248b38a5e77cf9292817bb28e641992d https://git.kernel.org/stable/c/e097cd858196b1914309e7e3d79b4fa79383754d https://git.kernel.org/stable/c/d2c4a5f6996683f287f3851ef5412797042de7f1 https://git.kernel.org/stable/c/9e0101e57534ef0e7578dd09608a6106736b82e5 https://git.kernel.org/stable/c/e84b48d31b5008932c0a0902982809fbaa1d3b70 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: Fix RSS LUT NULL ptr issue after soft reset During soft reset, the RSS LUT is freed and not restored unless the interface is up. If an ethtool command that accesses the rss lut is attempted immediately after reset, it will result in NULL ptr dereference. Also, there is no need to reset the rss lut if the soft reset does not involve queue count change. After soft reset, set the RSS LUT to default values based on the updated queue count only if the reset was a result of a queue count change and the LUT was not configured by the user. In all other cases, don’t touch the LUT. Steps to reproduce: ** Bring the interface down (if up) ifconfig eth1 down ** update the queue count (eg., 27->20) ethtool -L eth1 combined 20 ** display the RSS LUT ethtool -x eth1 [82375.558338] BUG: kernel NULL pointer dereference, address: 0000000000000000 [82375.558373] #PF: supervisor read access in kernel mode [82375.558391] #PF: error_code(0x0000) - not-present page [82375.558408] PGD 0 P4D 0 [82375.558421] Oops: Oops: 0000 [#1] SMP NOPTI <snip> [82375.558516] RIP: 0010:idpf_get_rxfh+0x108/0x150 [idpf] [82375.558786] Call Trace: [82375.558793] <TASK> [82375.558804] rss_prepare.isra.0+0x187/0x2a0 [82375.558827] rss_prepare_data+0x3a/0x50 [82375.558845] ethnl_default_doit+0x13d/0x3e0 [82375.558863] genl_family_rcv_msg_doit+0x11f/0x180 [82375.558886] genl_rcv_msg+0x1ad/0x2b0 [82375.558902] ? __pfx_ethnl_default_doit+0x10/0x10 [82375.558920] ? __pfx_genl_rcv_msg+0x10/0x10 [82375.558937] netlink_rcv_skb+0x58/0x100 [82375.558957] genl_rcv+0x2c/0x50 [82375.558971] netlink_unicast+0x289/0x3e0 [82375.558988] netlink_sendmsg+0x215/0x440 [82375.559005] __sys_sendto+0x234/0x240 [82375.559555] __x64_sys_sendto+0x28/0x30 [82375.560068] x64_sys_call+0x1909/0x1da0 [82375.560576] do_syscall_64+0x7a/0xfa0 [82375.561076] ? clear_bhb_loop+0x60/0xb0 [82375.561567] entry_SYSCALL_64_after_hwframe+0x76/0x7e <snip> | 2026-01-23 | not yet calculated | CVE-2026-22993 | https://git.kernel.org/stable/c/ab92fa4dd81beaaed4e93a851f7a37c9b2d9776f https://git.kernel.org/stable/c/ebecca5b093895da801b3eba1a55b4ec4027d196 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bpf: Fix reference count leak in bpf_prog_test_run_xdp() syzbot is reporting unregister_netdevice: waiting for sit0 to become free. Usage count = 2 problem. A debug printk() patch found that a refcount is obtained at xdp_convert_md_to_buff() from bpf_prog_test_run_xdp(). According to commit ec94670fcb3b (“bpf: Support specifying ingress via xdp_md context in BPF_PROG_TEST_RUN”), the refcount obtained by xdp_convert_md_to_buff() will be released by xdp_convert_buff_to_md(). Therefore, we can consider that the error handling path introduced by commit 1c1949982524 (“bpf: introduce frags support to bpf_prog_test_run_xdp()”) forgot to call xdp_convert_buff_to_md(). | 2026-01-23 | not yet calculated | CVE-2026-22994 | https://git.kernel.org/stable/c/368569bc546d3368ee9980ba79fc42fdff9a3365 https://git.kernel.org/stable/c/98676ee71fd4eafeb8be63c7f3f1905d40e03101 https://git.kernel.org/stable/c/fb9ef40cccdbacce36029b305d0ef1e12e4fea38 https://git.kernel.org/stable/c/737be05a765761d7d7c9f7fe92274bd8e6f6951e https://git.kernel.org/stable/c/ec69daabe45256f98ac86c651b8ad1b2574489a7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ublk: fix use-after-free in ublk_partition_scan_work A race condition exists between the async partition scan work and device teardown that can lead to a use-after-free of ub->ub_disk: 1. ublk_ctrl_start_dev() schedules partition_scan_work after add_disk() 2. ublk_stop_dev() calls ublk_stop_dev_unlocked() which does: - del_gendisk(ub->ub_disk) - ublk_detach_disk() sets ub->ub_disk = NULL - put_disk() which may free the disk 3. The worker ublk_partition_scan_work() then dereferences ub->ub_disk leading to UAF Fix this by using ublk_get_disk()/ublk_put_disk() in the worker to hold a reference to the disk during the partition scan. The spinlock in ublk_get_disk() synchronizes with ublk_detach_disk() ensuring the worker either gets a valid reference or sees NULL and exits early. Also change flush_work() to cancel_work_sync() to avoid running the partition scan work unnecessarily when the disk is already detached. | 2026-01-23 | not yet calculated | CVE-2026-22995 | https://git.kernel.org/stable/c/72e28774e9644c2bdbb4920842fbf77103a15a85 https://git.kernel.org/stable/c/f0d385f6689f37a2828c686fb279121df006b4cb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Don’t store mlx5e_priv in mlx5e_dev devlink priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails, mlx5e_priv in mlx5e_dev devlink private is used to reference the netdev and mdev associated with that struct. Instead, store netdev directly into mlx5e_dev and get mdev from the containing mlx5_adev aux device structure. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops BUG: kernel NULL pointer dereference, address: 0000000000000520 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 3 UID: 0 PID: 521 Comm: devlink Not tainted 6.18.0-rc5+ #117 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_remove+0x68/0x130 RSP: 0018:ffffc900034838f0 EFLAGS: 00010246 RAX: ffff88810283c380 RBX: ffff888101874400 RCX: ffffffff826ffc45 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000 RBP: ffff888102d789c0 R08: ffff8881007137f0 R09: ffff888100264e10 R10: ffffc90003483898 R11: ffffc900034838a0 R12: ffff888100d261a0 R13: ffff888100d261a0 R14: ffff8881018749a0 R15: ffff888101874400 FS: 00007f8565fea740(0000) GS:ffff88856a759000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000520 CR3: 000000010b11a004 CR4: 0000000000370ef0 Call Trace: <TASK> device_release_driver_internal+0x19c/0x200 bus_remove_device+0xc6/0x130 device_del+0x160/0x3d0 ? devl_param_driverinit_value_get+0x2d/0x90 mlx5_detach_device+0x89/0xe0 mlx5_unload_one_devl_locked+0x3a/0x70 mlx5_devlink_reload_down+0xc8/0x220 devlink_reload+0x7d/0x260 devlink_nl_reload_doit+0x45b/0x5a0 genl_family_rcv_msg_doit+0xe8/0x140 | 2026-01-25 | not yet calculated | CVE-2026-22996 | https://git.kernel.org/stable/c/dcb2ad755a16cb0ecd2dc98234d71a6e216ae7fe https://git.kernel.org/stable/c/a3d4f87d41f5140f1cf5c02fce5cdad2637f6244 https://git.kernel.org/stable/c/123eda2e5b1638e298e3a66bb1e64a8da92de5e1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: can: j1939: j1939_xtp_rx_rts_session_active(): deactivate session upon receiving the second rts Since j1939_session_deactivate_activate_next() in j1939_tp_rxtimer() is called only when the timer is enabled, we need to call j1939_session_deactivate_activate_next() if we cancelled the timer. Otherwise, refcount for j1939_session leaks, which will later appear as \| unregister_netdevice: waiting for vcan0 to become free. Usage count = 2. problem. | 2026-01-25 | not yet calculated | CVE-2026-22997 | https://git.kernel.org/stable/c/cb2a610867bc379988bae0bb4b8bbc59c0decf1a https://git.kernel.org/stable/c/6121b7564c725b632ffe4764abe85aa239d37703 https://git.kernel.org/stable/c/1809c82aa073a11b7d335ae932d81ce51a588a4a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fix NULL pointer dereferences in nvmet_tcp_build_pdu_iovec Commit efa56305908b (“nvmet-tcp: Fix a kernel panic when host sends an invalid H2C PDU length”) added ttag bounds checking and data_offset validation in nvmet_tcp_handle_h2c_data_pdu(), but it did not validate whether the command’s data structures (cmd->req.sg and cmd->iov) have been properly initialized before processing H2C_DATA PDUs. The nvmet_tcp_build_pdu_iovec() function dereferences these pointers without NULL checks. This can be triggered by sending H2C_DATA PDU immediately after the ICREQ/ICRESP handshake, before sending a CONNECT command or NVMe write command. Attack vectors that trigger NULL pointer dereferences: 1. H2C_DATA PDU sent before CONNECT → both pointers NULL 2. H2C_DATA PDU for READ command → cmd->req.sg allocated, cmd->iov NULL 3. H2C_DATA PDU for uninitialized command slot → both pointers NULL The fix validates both cmd->req.sg and cmd->iov before calling nvmet_tcp_build_pdu_iovec(). Both checks are required because: - Uninitialized commands: both NULL - READ commands: cmd->req.sg allocated, cmd->iov NULL - WRITE commands: both allocated | 2026-01-25 | not yet calculated | CVE-2026-22998 | https://git.kernel.org/stable/c/3def5243150716be86599c2a1767c29c68838b6d https://git.kernel.org/stable/c/374b095e265fa27465f34780e0eb162ff1bef913 https://git.kernel.org/stable/c/32b63acd78f577b332d976aa06b56e70d054cbba |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: sch_qfq: do not free existing class in qfq_change_class() Fixes qfq_change_class() error case. cl->qdisc and cl should only be freed if a new class and qdisc were allocated, or we risk various UAF. | 2026-01-25 | not yet calculated | CVE-2026-22999 | https://git.kernel.org/stable/c/362e269bb03f7076ba9990e518aeddb898232e50 https://git.kernel.org/stable/c/e9d8f11652fa08c647bf7bba7dd8163241a332cd https://git.kernel.org/stable/c/3879cffd9d07aa0377c4b8835c4f64b4fb24ac78 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix crash on profile change rollback failure mlx5e_netdev_change_profile can fail to attach a new profile and can fail to rollback to old profile, in such case, we could end up with a dangling netdev with a fully reset netdev_priv. A retry to change profile, e.g. another attempt to call mlx5e_netdev_change_profile via switchdev mode change, will crash trying to access the now NULL priv->mdev. This fix allows mlx5e_netdev_change_profile() to handle previous failures and an empty priv, by not assuming priv is valid. Pass netdev and mdev to all flows requiring mlx5e_netdev_change_profile() and avoid passing priv. In mlx5e_netdev_change_profile() check if current priv is valid, and if not, just attach the new profile without trying to access the old one. This fixes the following oops, when enabling switchdev mode for the 2nd time after first time failure: ## Enabling switchdev mode first time: mlx5_core 0012:03:00.1: E-Switch: Supported tc chains and prios offload workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 ^^^^^^^^ mlx5_core 0000:00:03.0: E-Switch: Disable: mode(LEGACY), nvfs(0), necvfs(0), active vports(0) ## retry: Enabling switchdev mode 2nd time: mlx5_core 0000:00:03.0: E-Switch: Supported tc chains and prios offload BUG: kernel NULL pointer dereference, address: 0000000000000038 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP NOPTI CPU: 13 UID: 0 PID: 520 Comm: devlink Not tainted 6.18.0-rc4+ #91 PREEMPT(voluntary) Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-2.fc40 04/01/2014 RIP: 0010:mlx5e_detach_netdev+0x3c/0x90 Code: 50 00 00 f0 80 4f 78 02 48 8b bf e8 07 00 00 48 85 ff 74 16 48 8b 73 78 48 d1 ee 83 e6 01 83 f6 01 40 0f b6 f6 e8 c4 42 00 00 <48> 8b 45 38 48 85 c0 74 08 48 89 df e8 cc 47 40 1e 48 8b bb f0 07 RSP: 0018:ffffc90000673890 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff8881036a89c0 RCX: 0000000000000000 RDX: ffff888113f63800 RSI: ffffffff822fe720 RDI: 0000000000000000 RBP: 0000000000000000 R08: 0000000000002dcd R09: 0000000000000000 R10: ffffc900006738e8 R11: 00000000ffffffff R12: 0000000000000000 R13: 0000000000000000 R14: ffff8881036a89c0 R15: 0000000000000000 FS: 00007fdfb8384740(0000) GS:ffff88856a9d6000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000038 CR3: 0000000112ae0005 CR4: 0000000000370ef0 Call Trace: <TASK> mlx5e_netdev_change_profile+0x45/0xb0 mlx5e_vport_rep_load+0x27b/0x2d0 mlx5_esw_offloads_rep_load+0x72/0xf0 esw_offloads_enable+0x5d0/0x970 mlx5_eswitch_enable_locked+0x349/0x430 ? is_mp_supported+0x57/0xb0 mlx5_devlink_eswitch_mode_set+0x26b/0x430 devlink_nl_eswitch_set_doit+0x6f/0xf0 genl_family_rcv_msg_doit+0xe8/0x140 genl_rcv_msg+0x18b/0x290 ? __pfx_devlink_nl_pre_doit+0x10/0x10 ? __pfx_devlink_nl_eswitch_set_doit+0x10/0x10 ? __pfx_devlink_nl_post_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x52/0x100 genl_rcv+0x28/0x40 netlink_unicast+0x282/0x3e0 ? __alloc_skb+0xd6/0x190 netlink_sendmsg+0x1f7/0x430 __sys_sendto+0x213/0x220 ? __sys_recvmsg+0x6a/0xd0 __x64_sys_sendto+0x24/0x30 do_syscall_64+0x50/0x1f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdfb8495047 | 2026-01-25 | not yet calculated | CVE-2026-23000 | https://git.kernel.org/stable/c/dad52950b409d6923880d65a4cddb383286e17d2 https://git.kernel.org/stable/c/e05b8084a20f6bd5827d338c928e5e0fcbafa496 https://git.kernel.org/stable/c/4dadc4077e3f77d6d31e199a925fc7a705e7adeb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: macvlan: fix possible UAF in macvlan_forward_source() Add RCU protection on (struct macvlan_source_entry)->vlan. Whenever macvlan_hash_del_source() is called, we must clear entry->vlan pointer before RCU grace period starts. This allows macvlan_forward_source() to skip over entries queued for freeing. Note that macvlan_dev are already RCU protected, as they are embedded in a standard netdev (netdev_priv(ndev)). https://lore.kernel.org/netdev/695fb1e8.050a0220.1c677c.039f.GAE@google.com/T/#u | 2026-01-25 | not yet calculated | CVE-2026-23001 | https://git.kernel.org/stable/c/8518712a2ca952d6da2238c6f0a16b4ae5ea3f13 https://git.kernel.org/stable/c/6dbead9c7677186f22b7981dd085a0feec1f038e https://git.kernel.org/stable/c/7470a7a63dc162f07c26dbf960e41ee1e248d80e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: lib/buildid: use __kernel_read() for sleepable context Prevent a “BUG: unable to handle kernel NULL pointer dereference in filemap_read_folio”. For the sleepable context, convert freader to use __kernel_read() instead of direct page cache access via read_cache_folio(). This simplifies the faultable code path by using the standard kernel file reading interface which handles all the complexity of reading file data. At the moment we are not changing the code for non-sleepable context which uses filemap_get_folio() and only succeeds if the target folios are already in memory and up-to-date. The reason is to keep the patch simple and easier to backport to stable kernels. Syzbot repro does not crash the kernel anymore and the selftests run successfully. In the follow up we will make __kernel_read() with IOCB_NOWAIT work for non-sleepable contexts. In addition, I would like to replace the secretmem check with a more generic approach and will add fstest for the buildid code. | 2026-01-25 | not yet calculated | CVE-2026-23002 | https://git.kernel.org/stable/c/b11dfb7708f212b96c7973a474014c071aa02e05 https://git.kernel.org/stable/c/568aeb3476c770a3863c755dd2a199c212434286 https://git.kernel.org/stable/c/777a8560fd29738350c5094d4166fe5499452409 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ip6_tunnel: use skb_vlan_inet_prepare() in __ip6_tnl_rcv() Blamed commit did not take care of VLAN encapsulations as spotted by syzbot [1]. Use skb_vlan_inet_prepare() instead of pskb_inet_may_pull(). [1] BUG: KMSAN: uninit-value in __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] BUG: KMSAN: uninit-value in INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] BUG: KMSAN: uninit-value in IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 __INET_ECN_decapsulate include/net/inet_ecn.h:253 [inline] INET_ECN_decapsulate include/net/inet_ecn.h:275 [inline] IP6_ECN_decapsulate+0x7a8/0x1fa0 include/net/inet_ecn.h:321 ip6ip6_dscp_ecn_decapsulate+0x16f/0x1b0 net/ipv6/ip6_tunnel.c:729 __ip6_tnl_rcv+0xed9/0x1b50 net/ipv6/ip6_tunnel.c:860 ip6_tnl_rcv+0xc3/0x100 net/ipv6/ip6_tunnel.c:903 gre_rcv+0x1529/0x1b90 net/ipv6/ip6_gre.c:-1 ip6_protocol_deliver_rcu+0x1c89/0x2c60 net/ipv6/ip6_input.c:438 ip6_input_finish+0x1f4/0x4a0 net/ipv6/ip6_input.c:489 NF_HOOK include/linux/netfilter.h:318 [inline] ip6_input+0x9c/0x330 net/ipv6/ip6_input.c:500 ip6_mc_input+0x7ca/0xc10 net/ipv6/ip6_input.c:590 dst_input include/net/dst.h:474 [inline] ip6_rcv_finish+0x958/0x990 net/ipv6/ip6_input.c:79 NF_HOOK include/linux/netfilter.h:318 [inline] ipv6_rcv+0xf1/0x3c0 net/ipv6/ip6_input.c:311 __netif_receive_skb_one_core net/core/dev.c:6139 [inline] __netif_receive_skb+0x1df/0xac0 net/core/dev.c:6252 netif_receive_skb_internal net/core/dev.c:6338 [inline] netif_receive_skb+0x57/0x630 net/core/dev.c:6397 tun_rx_batched+0x1df/0x980 drivers/net/tun.c:1485 tun_get_user+0x5c0e/0x6c60 drivers/net/tun.c:1953 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Uninit was created at: slab_post_alloc_hook mm/slub.c:4960 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_node_noprof+0x9e7/0x17a0 mm/slub.c:5315 kmalloc_reserve+0x13c/0x4b0 net/core/skbuff.c:586 __alloc_skb+0x805/0x1040 net/core/skbuff.c:690 alloc_skb include/linux/skbuff.h:1383 [inline] alloc_skb_with_frags+0xc5/0xa60 net/core/skbuff.c:6712 sock_alloc_send_pskb+0xacc/0xc60 net/core/sock.c:2995 tun_alloc_skb drivers/net/tun.c:1461 [inline] tun_get_user+0x1142/0x6c60 drivers/net/tun.c:1794 tun_chr_write_iter+0x3e9/0x5c0 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0xbe2/0x15d0 fs/read_write.c:686 ksys_write fs/read_write.c:738 [inline] __do_sys_write fs/read_write.c:749 [inline] __se_sys_write fs/read_write.c:746 [inline] __x64_sys_write+0x1fb/0x4d0 fs/read_write.c:746 x64_sys_call+0x30ab/0x3e70 arch/x86/include/generated/asm/syscalls_64.h:2 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xd3/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f CPU: 0 UID: 0 PID: 6465 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(none) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 | 2026-01-25 | not yet calculated | CVE-2026-23003 | https://git.kernel.org/stable/c/df5ffde9669314500809bc498ae73d6d3d9519ac https://git.kernel.org/stable/c/b9f915340f25cae1562f18e1eb52deafca328414 https://git.kernel.org/stable/c/81c734dae203757fb3c9eee6f9896386940776bd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dst: fix races in rt6_uncached_list_del() and rt_del_uncached_list() syzbot was able to crash the kernel in rt6_uncached_list_flush_dev() in an interesting way [1] Crash happens in list_del_init()/INIT_LIST_HEAD() while writing list->prev, while the prior write on list->next went well. static inline void INIT_LIST_HEAD(struct list_head *list) { WRITE_ONCE(list->next, list); // This went well WRITE_ONCE(list->prev, list); // Crash, @list has been freed. } Issue here is that rt6_uncached_list_del() did not attempt to lock ul->lock, as list_empty(&rt->dst.rt_uncached) returned true because the WRITE_ONCE(list->next, list) happened on the other CPU. We might use list_del_init_careful() and list_empty_careful(), or make sure rt6_uncached_list_del() always grabs the spinlock whenever rt->dst.rt_uncached_list has been set. A similar fix is needed for IPv4. [1] BUG: KASAN: slab-use-after-free in INIT_LIST_HEAD include/linux/list.h:46 [inline] BUG: KASAN: slab-use-after-free in list_del_init include/linux/list.h:296 [inline] BUG: KASAN: slab-use-after-free in rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] BUG: KASAN: slab-use-after-free in rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 Write of size 8 at addr ffff8880294cfa78 by task kworker/u8:14/3450 CPU: 0 UID: 0 PID: 3450 Comm: kworker/u8:14 Tainted: G L syzkaller #0 PREEMPT_{RT,(full)} Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: netns cleanup_net Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 INIT_LIST_HEAD include/linux/list.h:46 [inline] list_del_init include/linux/list.h:296 [inline] rt6_uncached_list_flush_dev net/ipv6/route.c:191 [inline] rt6_disable_ip+0x633/0x730 net/ipv6/route.c:5020 addrconf_ifdown+0x143/0x18a0 net/ipv6/addrconf.c:3853 addrconf_notify+0x1bc/0x1050 net/ipv6/addrconf.c:-1 notifier_call_chain+0x19d/0x3a0 kernel/notifier.c:85 call_netdevice_notifiers_extack net/core/dev.c:2268 [inline] call_netdevice_notifiers net/core/dev.c:2282 [inline] netif_close_many+0x29c/0x410 net/core/dev.c:1785 unregister_netdevice_many_notify+0xb50/0x2330 net/core/dev.c:12353 ops_exit_rtnl_list net/core/net_namespace.c:187 [inline] ops_undo_list+0x3dc/0x990 net/core/net_namespace.c:248 cleanup_net+0x4de/0x7b0 net/core/net_namespace.c:696 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 </TASK> Allocated by task 803: kasan_save_stack mm/kasan/common.c:57 [inline] kasan_save_track+0x3e/0x80 mm/kasan/common.c:78 unpoison_slab_object mm/kasan/common.c:340 [inline] __kasan_slab_alloc+0x6c/0x80 mm/kasan/common.c:366 kasan_slab_alloc include/linux/kasan.h:253 [inline] slab_post_alloc_hook mm/slub.c:4953 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x18d/0x6c0 mm/slub.c:5270 dst_alloc+0x105/0x170 net/core/dst.c:89 ip6_dst_alloc net/ipv6/route.c:342 [inline] icmp6_dst_alloc+0x75/0x460 net/ipv6/route.c:3333 mld_sendpack+0x683/0xe60 net/ipv6/mcast.c:1844 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entr ---truncated--- | 2026-01-25 | not yet calculated | CVE-2026-23004 | https://git.kernel.org/stable/c/722de945216144af7cd4d39bdeb936108d2595a7 https://git.kernel.org/stable/c/9a6f0c4d5796ab89b5a28a890ce542344d58bd69 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Clear XSTATE_BV[i] in guest XSAVE state whenever XFD[i]=1 When loading guest XSAVE state via KVM_SET_XSAVE, and when updating XFD in response to a guest WRMSR, clear XFD-disabled features in the saved (or to be restored) XSTATE_BV to ensure KVM doesn’t attempt to load state for features that are disabled via the guest’s XFD. Because the kernel executes XRSTOR with the guest’s XFD, saving XSTATE_BV[i]=1 with XFD[i]=1 will cause XRSTOR to #NM and panic the kernel. E.g. if fpu_update_guest_xfd() sets XFD without clearing XSTATE_BV: ————[ cut here ]———— WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#29: amx_test/848 Modules linked in: kvm_intel kvm irqbypass CPU: 29 UID: 1000 PID: 848 Comm: amx_test Not tainted 6.19.0-rc2-ffa07f7fd437-x86_amx_nm_xfd_non_init-vm #171 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 switch_fpu_return+0x4a/0xb0 kvm_arch_vcpu_ioctl_run+0x1245/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> —[ end trace 0000000000000000 ]— This can happen if the guest executes WRMSR(MSR_IA32_XFD) to set XFD[18] = 1, and a host IRQ triggers kernel_fpu_begin() prior to the vmexit handler’s call to fpu_update_guest_xfd(). And if userspace stuffs XSTATE_BV[i]=1 via KVM_SET_XSAVE: ————[ cut here ]———— WARNING: arch/x86/kernel/traps.c:1524 at exc_device_not_available+0x101/0x110, CPU#14: amx_test/867 Modules linked in: kvm_intel kvm irqbypass CPU: 14 UID: 1000 PID: 867 Comm: amx_test Not tainted 6.19.0-rc2-2dace9faccd6-x86_amx_nm_xfd_non_init-vm #168 NONE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 RIP: 0010:exc_device_not_available+0x101/0x110 Call Trace: <TASK> asm_exc_device_not_available+0x1a/0x20 RIP: 0010:restore_fpregs_from_fpstate+0x36/0x90 fpu_swap_kvm_fpstate+0x6b/0x120 kvm_load_guest_fpu+0x30/0x80 [kvm] kvm_arch_vcpu_ioctl_run+0x85/0x1e40 [kvm] kvm_vcpu_ioctl+0x2c3/0x8f0 [kvm] __x64_sys_ioctl+0x8f/0xd0 do_syscall_64+0x62/0x940 entry_SYSCALL_64_after_hwframe+0x4b/0x53 </TASK> —[ end trace 0000000000000000 ]— The new behavior is consistent with the AMX architecture. Per Intel’s SDM, XSAVE saves XSTATE_BV as ‘0’ for components that are disabled via XFD (and non-compacted XSAVE saves the initial configuration of the state component): If XSAVE, XSAVEC, XSAVEOPT, or XSAVES is saving the state component i, the instruction does not generate #NM when XCR0[i] = IA32_XFD[i] = 1; instead, it operates as if XINUSE[i] = 0 (and the state component was in its initial state): it saves bit i of XSTATE_BV field of the XSAVE header as 0; in addition, XSAVE saves the initial configuration of the state component (the other instructions do not save state component i). Alternatively, KVM could always do XRSTOR with XFD=0, e.g. by using a constant XFD based on the set of enabled features when XSAVEing for a struct fpu_guest. However, having XSTATE_BV[i]=1 for XFD-disabled features can only happen in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, because fpu_swap_kvm_fpstate()’s call to save_fpregs_to_fpstate() saves the outgoing FPU state with the current XFD; and that is (on all but the first WRMSR to XFD) the guest XFD. Therefore, XFD can only go out of sync with XSTATE_BV in the above interrupt case, or in similar scenarios involving preemption on preemptible kernels, and we can consider it (de facto) part of KVM ABI that KVM_GET_XSAVE returns XSTATE_BV[i]=0 for XFD-disabled features. [Move clea —truncated— | 2026-01-25 | not yet calculated | CVE-2026-23005 | https://git.kernel.org/stable/c/f577508cc8a0adb8b4ebe9480bba7683b6149930 https://git.kernel.org/stable/c/eea6f395ca502c4528314c8112da9b5d65f685eb https://git.kernel.org/stable/c/b45f721775947a84996deb5c661602254ce25ce6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ASoC: tlv320adcx140: fix null pointer The “snd_soc_component” in “adcx140_priv” was only used once but never set. It was only used for reaching “dev” which is already present in “adcx140_priv”. | 2026-01-25 | not yet calculated | CVE-2026-23006 | https://git.kernel.org/stable/c/61757f5191daab863d25f03680e912b5449a1eed https://git.kernel.org/stable/c/53bd838ed5950cb18927e4b2e8ee841b7cb10929 https://git.kernel.org/stable/c/be7664c81d3129fc313ef62ff275fd3d33cfecd4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: block: zero non-PI portion of auto integrity buffer The auto-generated integrity buffer for writes needs to be fully initialized before being passed to the underlying block device, otherwise the uninitialized memory can be read back by userspace or anyone with physical access to the storage device. If protection information is generated, that portion of the integrity buffer is already initialized. The integrity data is also zeroed if PI generation is disabled via sysfs or the PI tuple size is 0. However, this misses the case where PI is generated and the PI tuple size is nonzero, but the metadata size is larger than the PI tuple. In this case, the remainder (“opaque”) of the metadata is left uninitialized. Generalize the BLK_INTEGRITY_CSUM_NONE check to cover any case when the metadata is larger than just the PI tuple. | 2026-01-25 | not yet calculated | CVE-2026-23007 | https://git.kernel.org/stable/c/d6072557b90e0c557df319a56f4a9dc482706d2c https://git.kernel.org/stable/c/ca22c566b89164f6e670af56ecc45f47ef3df819 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/vmwgfx: Fix KMS with 3D on HW version 10 HW version 10 does not have GB Surfaces so there is no backing buffer for surface backed FBs. This would result in a nullptr dereference and crash the driver causing a black screen. | 2026-01-25 | not yet calculated | CVE-2026-23008 | https://git.kernel.org/stable/c/a91bdd21d5efb3072beefbec13762b7722200c49 https://git.kernel.org/stable/c/d9186faeae6efb7d0841a5e8eb213ff4c7966614 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: xhci: sideband: don’t dereference freed ring when removing sideband endpoint xhci_sideband_remove_endpoint() incorrectly assumes that the endpoint is running and has a valid transfer ring. Lianqin reported a crash during suspend/wake-up stress testing, and found the cause to be dereferencing a non-existing transfer ring ‘ep->ring’ during xhci_sideband_remove_endpoint(). The endpoint and its ring may be in an unknown state if this function is called after xHCI was reinitialized in resume (lost power), or if the device is being re-enumerated, disconnected or the endpoint already dropped. Fix this by both removing unnecessary ring access, and by checking that ep->ring exists before dereferencing it. Also make sure the endpoint is running before attempting to stop it. Remove the xhci_initialize_ring_info() call during sideband endpoint removal, as it only initializes the ring structure enqueue, dequeue and cycle state values to their starting values without changing the actual hardware enqueue, dequeue and cycle state. Leaving them out of sync is worse than leaving it as it is. The endpoint will get freed after this in most use cases. If the (audio) class driver wants to reuse the endpoint after offload then it is up to the class driver to ensure the endpoint is properly set up. | 2026-01-25 | not yet calculated | CVE-2026-23009 | https://git.kernel.org/stable/c/34f6634dba87ef72b3c3a3a524be663adef7ab42 https://git.kernel.org/stable/c/dd83dc1249737b837ac5d57c81f2b0977c613d9f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv6: Fix use-after-free in inet6_addr_del(). syzbot reported use-after-free of inet6_ifaddr in inet6_addr_del(). [0] The cited commit accidentally moved ipv6_del_addr() for mngtmpaddr before reading its ifp->flags for temporary addresses in inet6_addr_del(). Let’s move ipv6_del_addr() down to fix the UAF. [0]: BUG: KASAN: slab-use-after-free in inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 Read of size 4 at addr ffff88807b89c86c by task syz.3.1618/9593 CPU: 0 UID: 0 PID: 9593 Comm: syz.3.1618 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xcd/0x630 mm/kasan/report.c:482 kasan_report+0xe0/0x110 mm/kasan/report.c:595 inet6_addr_del.constprop.0+0x67a/0x6b0 net/ipv6/addrconf.c:3117 addrconf_del_ifaddr+0x11e/0x190 net/ipv6/addrconf.c:3181 inet6_ioctl+0x1e5/0x2b0 net/ipv6/af_inet6.c:582 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f164cf8f749 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f164de64038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 00007f164d1e5fa0 RCX: 00007f164cf8f749 RDX: 0000200000000000 RSI: 0000000000008936 RDI: 0000000000000003 RBP: 00007f164d013f91 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007f164d1e6038 R14: 00007f164d1e5fa0 R15: 00007ffde15c8288 </TASK> Allocated by task 9593: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 poison_kmalloc_redzone mm/kasan/common.c:397 [inline] __kasan_kmalloc+0xaa/0xb0 mm/kasan/common.c:414 kmalloc_noprof include/linux/slab.h:957 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] ipv6_add_addr+0x4e3/0x2010 net/ipv6/addrconf.c:1120 inet6_addr_add+0x256/0x9b0 net/ipv6/addrconf.c:3050 addrconf_add_ifaddr+0x1fc/0x450 net/ipv6/addrconf.c:3160 inet6_ioctl+0x103/0x2b0 net/ipv6/af_inet6.c:580 sock_do_ioctl+0x118/0x280 net/socket.c:1254 sock_ioctl+0x227/0x6b0 net/socket.c:1375 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:597 [inline] __se_sys_ioctl fs/ioctl.c:583 [inline] __x64_sys_ioctl+0x18e/0x210 fs/ioctl.c:583 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xcd/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f Freed by task 6099: kasan_save_stack+0x33/0x60 mm/kasan/common.c:56 kasan_save_track+0x14/0x30 mm/kasan/common.c:77 kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:584 poison_slab_object mm/kasan/common.c:252 [inline] __kasan_slab_free+0x5f/0x80 mm/kasan/common.c:284 kasan_slab_free include/linux/kasan.h:234 [inline] slab_free_hook mm/slub.c:2540 [inline] slab_free_freelist_hook mm/slub.c:2569 [inline] slab_free_bulk mm/slub.c:6696 [inline] kmem_cache_free_bulk mm/slub.c:7383 [inline] kmem_cache_free_bulk+0x2bf/0x680 mm/slub.c:7362 kfree_bulk include/linux/slab.h:830 [inline] kvfree_rcu_bulk+0x1b7/0x1e0 mm/slab_common.c:1523 kvfree_rcu_drain_ready mm/slab_common.c:1728 [inline] kfree_rcu_monitor+0x1d0/0x2f0 mm/slab_common.c:1801 process_one_work+0x9ba/0x1b20 kernel/workqueue.c:3257 process_scheduled_works kernel/workqu —truncated— | 2026-01-25 | not yet calculated | CVE-2026-23010 | https://git.kernel.org/stable/c/2684610a9c9c53f262fd864fa5c407e79f304804 https://git.kernel.org/stable/c/8b6dcb565e419846bd521e31d5e1f98e4d0e1179 https://git.kernel.org/stable/c/ddf96c393a33aef4887e2e406c76c2f8cda1419c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipv4: ip_gre: make ipgre_header() robust Analog to commit db5b4e39c4e6 (“ip6_gre: make ip6gre_header() robust”) Over the years, syzbot found many ways to crash the kernel in ipgre_header() [1]. This involves team or bonding drivers ability to dynamically change their dev->needed_headroom and/or dev->hard_header_len In this particular crash mld_newpack() allocated an skb with a too small reserve/headroom, and by the time mld_sendpack() was called, syzbot managed to attach an ipgre device. [1] skbuff: skb_under_panic: text:ffffffff89ea3cb7 len:2030915468 put:2030915372 head:ffff888058b43000 data:ffff887fdfa6e194 tail:0x120 end:0x6c0 dev:team0 kernel BUG at net/core/skbuff.c:213 ! Oops: invalid opcode: 0000 [#1] SMP KASAN PTI CPU: 1 UID: 0 PID: 1322 Comm: kworker/1:9 Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Workqueue: mld mld_ifc_work RIP: 0010:skb_panic+0x157/0x160 net/core/skbuff.c:213 Call Trace: <TASK> skb_under_panic net/core/skbuff.c:223 [inline] skb_push+0xc3/0xe0 net/core/skbuff.c:2641 ipgre_header+0x67/0x290 net/ipv4/ip_gre.c:897 dev_hard_header include/linux/netdevice.h:3436 [inline] neigh_connected_output+0x286/0x460 net/core/neighbour.c:1618 NF_HOOK_COND include/linux/netfilter.h:307 [inline] ip6_output+0x340/0x550 net/ipv6/ip6_output.c:247 NF_HOOK+0x9e/0x380 include/linux/netfilter.h:318 mld_sendpack+0x8d4/0xe60 net/ipv6/mcast.c:1855 mld_send_cr net/ipv6/mcast.c:2154 [inline] mld_ifc_work+0x83e/0xd60 net/ipv6/mcast.c:2693 process_one_work kernel/workqueue.c:3257 [inline] process_scheduled_works+0xad1/0x1770 kernel/workqueue.c:3340 worker_thread+0x8a0/0xda0 kernel/workqueue.c:3421 kthread+0x711/0x8a0 kernel/kthread.c:463 ret_from_fork+0x510/0xa50 arch/x86/kernel/process.c:158 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246 | 2026-01-25 | not yet calculated | CVE-2026-23011 | https://git.kernel.org/stable/c/aa57bfea4674e6da8104fa3a37760a6f5f255dad https://git.kernel.org/stable/c/554201ed0a8f4d32e719f42caeaeb2735a9ed6ca https://git.kernel.org/stable/c/e67c577d89894811ce4dcd1a9ed29d8b63476667 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/damon/core: remove call_control in inactive contexts If damon_call() is executed against a DAMON context that is not running, the function returns an error while keeping the damon_call_control object linked to the context’s call_controls list. Let’s suppose the object is deallocated after the damon_call(), and yet another damon_call() is executed against the same context. The function tries to add the new damon_call_control object to the call_controls list, which still has the pointer to the previous damon_call_control object, which is deallocated. As a result, a use-after-free happens. This can actually be triggered using the DAMON sysfs interface. It is not easily exploitable since it requires the sysfs write permission and making definitely weird file writes, though. Please refer to the report for more details about the issue reproduction steps. Fix the issue by making two changes. Firstly, move the final kdamond_call() for cancelling all existing damon_call() requests from the terminating DAMON context to be done before the ctx->kdamond reset. This makes any code that sees NULL ctx->kdamond able to safely assume the context may not access damon_call() requests anymore. Secondly, let damon_call() clean up the damon_call_control objects that were added to the already-terminated DAMON context, before returning the error. | 2026-01-25 | not yet calculated | CVE-2026-23012 | https://git.kernel.org/stable/c/23b061f421eef03647b512f3df48861706c87db3 https://git.kernel.org/stable/c/f9132fbc2e83baf2c45a77043672a63a675c9394 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: octeon_ep_vf: fix free_irq dev_id mismatch in IRQ rollback octep_vf_request_irqs() requests MSI-X queue IRQs with dev_id set to ioq_vector. If request_irq() fails part-way, the rollback loop calls free_irq() with dev_id set to ‘oct’, which does not match the original dev_id and may leave the irqaction registered. This can keep IRQ handlers alive while ioq_vector is later freed during unwind/teardown, leading to a use-after-free or crash when an interrupt fires. Fix the error path to free IRQs with the same ioq_vector dev_id used during request_irq(). | 2026-01-25 | not yet calculated | CVE-2026-23013 | https://git.kernel.org/stable/c/aa05a8371ae4a452df623f7202c72409d3c50e40 https://git.kernel.org/stable/c/aa4c066229b05fc3d3c5f42693d25b1828533b6e https://git.kernel.org/stable/c/f93fc5d12d69012788f82151bee55fce937e1432 |
| linux4me2–Menu In Post | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in linux4me2 Menu In Post menu-in-post allows DOM-Based XSS. This issue affects Menu In Post: from n/a through <= 1.4.1. | 2026-01-22 | not yet calculated | CVE-2026-22349 | https://patchstack.com/database/Wordpress/Plugin/menu-in-post/vulnerability/wordpress-menu-in-post-plugin-1-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| livemesh–Livemesh Addons for WPBakery Page Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in livemesh Livemesh Addons for WPBakery Page Builder addons-for-visual-composer allows Stored XSS. This issue affects Livemesh Addons for WPBakery Page Builder: from n/a through <= 3.9.4. | 2026-01-23 | not yet calculated | CVE-2026-24594 | https://patchstack.com/database/Wordpress/Plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Lodash–Lodash | Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23. | 2026-01-21 | not yet calculated | CVE-2025-13465 | https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg |
| LogicHunt–Logo Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in LogicHunt Logo Slider logo-slider-wp allows Stored XSS. This issue affects Logo Slider: from n/a through <= 4.9.0. | 2026-01-23 | not yet calculated | CVE-2026-24626 | https://patchstack.com/database/Wordpress/Plugin/logo-slider-wp/vulnerability/wordpress-logo-slider-plugin-4-9-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Ludwig You–WPMasterToolKit | Missing Authorization vulnerability in Ludwig You WPMasterToolKit wpmastertoolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPMasterToolKit: from n/a through <= 2.14.0. | 2026-01-22 | not yet calculated | CVE-2026-24388 | https://patchstack.com/database/Wordpress/Plugin/wpmastertoolkit/vulnerability/wordpress-wpmastertoolkit-plugin-2-14-0-broken-access-control-vulnerability?_s_id=cve |
| M-Files Corporation–M-Files Server | Denial-of-service vulnerability in M-Files Server versions before 26.1.15632.3 allows an authenticated attacker with vault administrator privileges to crash the M-Files Server process by calling a vulnerable API endpoint. | 2026-01-21 | not yet calculated | CVE-2026-0663 | https://product.m-files.com/security-advisories/cve-2026-0663/ |
| mackron–dr_flac | dr_flac, an audio decoder within the dr_libs toolset, contains an integer overflow vulnerability due to trusting the totalPCMFrameCount field from FLAC metadata before calculating the buffer size, allowing an attacker with a specially crafted file to perform DoS against programs using the tool. | 2026-01-20 | not yet calculated | CVE-2025-14369 | https://github.com/mackron/dr_libs/commit/b2197b2eb7bb609df76315bebf44db4ec2a1aed0 |
| magentech–MaxShop | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in magentech MaxShop sw_maxshop allows PHP Local File Inclusion. This issue affects MaxShop: from n/a through <= 3.6.20. | 2026-01-22 | not yet calculated | CVE-2025-69047 | https://patchstack.com/database/Wordpress/Theme/sw_maxshop/vulnerability/wordpress-maxshop-theme-3-6-20-local-file-inclusion-vulnerability?_s_id=cve |
| Mahmudul Hasan Arif–FluentBoards | Missing Authorization vulnerability in Mahmudul Hasan Arif FluentBoards fluent-boards allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects FluentBoards: from n/a through <= 1.91.1. | 2026-01-23 | not yet calculated | CVE-2026-24561 | https://patchstack.com/database/Wordpress/Plugin/fluent-boards/vulnerability/wordpress-fluentboards-plugin-1-91-1-broken-access-control-vulnerability?_s_id=cve |
| MailerLite–MailerLite WooCommerce integration | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in MailerLite MailerLite – WooCommerce integration woo-mailerlite allows SQL Injection. This issue affects MailerLite – WooCommerce integration: from n/a through <= 3.1.2. | 2026-01-22 | not yet calculated | CVE-2025-67945 | https://patchstack.com/database/Wordpress/Plugin/woo-mailerlite/vulnerability/wordpress-mailerlite-woocommerce-integration-plugin-3-1-2-sql-injection-vulnerability?_s_id=cve |
| ManageIQ–manageiq | ManageIQ is an open-source management platform. A flaw was found in the ManageIQ API prior to version radjabov-2 where a malformed TimeProfile could be created causing later UI and API requests to timeout leading to a Denial of Service. Version radjabov-2 contains a patch. One may also apply the patch manually. | 2026-01-21 | not yet calculated | CVE-2026-22598 | https://github.com/ManageIQ/manageiq/security/advisories/GHSA-m832-x3g8-63j3 https://github.com/ManageIQ/manageiq/commit/79cef10c7d0278d8a37c3f547c426948180df4df.patch https://github.com/ManageIQ/manageiq/commit/86132851257d73ed9e31a88315e47a8a2b838113 |
| Marco Milesi–ANAC XML Viewer | Server-Side Request Forgery (SSRF) vulnerability in Marco Milesi ANAC XML Viewer anac-xml-viewer allows Server Side Request Forgery. This issue affects ANAC XML Viewer: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-64252 | https://patchstack.com/database/Wordpress/Plugin/anac-xml-viewer/vulnerability/wordpress-anac-xml-viewer-plugin-1-8-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marco van Wieren–WPO365 | Server-Side Request Forgery (SSRF) vulnerability in Marco van Wieren WPO365 wpo365-login allows Server Side Request Forgery. This issue affects WPO365: from n/a through <= 40.0. | 2026-01-22 | not yet calculated | CVE-2025-67961 | https://patchstack.com/database/Wordpress/Plugin/wpo365-login/vulnerability/wordpress-wpo365-plugin-40-0-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Marcus (aka @msykes)–WP FullCalendar | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Retrieve Embedded Sensitive Data. This issue affects WP FullCalendar: from n/a through <= 1.6. | 2026-01-23 | not yet calculated | CVE-2026-24523 | https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-sensitive-data-exposure-vulnerability?_s_id=cve |
| Mario Peshev–WP-CRM System | Missing Authorization vulnerability in Mario Peshev WP-CRM System wp-crm-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP-CRM System: from n/a through <= 3.4.5. | 2026-01-22 | not yet calculated | CVE-2025-62106 | https://patchstack.com/database/Wordpress/Plugin/wp-crm-system/vulnerability/wordpress-wp-crm-system-plugin-3-4-5-broken-access-control-vulnerability-2?_s_id=cve |
| marynixie–Related Posts Thumbnails Plugin for WordPress | Cross-Site Request Forgery (CSRF) vulnerability in marynixie Related Posts Thumbnails Plugin for WordPress related-posts-thumbnails allows Cross Site Request Forgery. This issue affects Related Posts Thumbnails Plugin for WordPress: from n/a through <= 4.3.1. | 2026-01-23 | not yet calculated | CVE-2026-24596 | https://patchstack.com/database/Wordpress/Plugin/related-posts-thumbnails/vulnerability/wordpress-related-posts-thumbnails-plugin-for-wordpress-plugin-4-3-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| matiskiba–Ravpage | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in matiskiba Ravpage ravpage allows Reflected XSS. This issue affects Ravpage: from n/a through <= 2.33. | 2026-01-22 | not yet calculated | CVE-2025-68835 | https://patchstack.com/database/Wordpress/Plugin/ravpage/vulnerability/wordpress-ravpage-plugin-2-33-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| MCP Manager for Claude Desktop–MCP Manager for Claude Desktop | MCP Manager for Claude Desktop execute-command Command Injection Sandbox Escape Vulnerability. This vulnerability allows remote attackers to bypass the sandbox on affected installations of MCP Manager for Claude Desktop. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the processing of MCP config objects. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escape the sandbox and execute arbitrary code in the context of the current process at medium integrity. Was ZDI-CAN-27810. | 2026-01-23 | not yet calculated | CVE-2026-0757 | ZDI-26-023 |
| mcp-server-siri-shortcuts–mcp-server-siri-shortcuts | mcp-server-siri-shortcuts shortcutName Command Injection Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of mcp-server-siri-shortcuts. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the shortcutName parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the service account. Was ZDI-CAN-27910. | 2026-01-23 | not yet calculated | CVE-2026-0758 | ZDI-26-024 |
| merkulove–Audier For Elementor | Missing Authorization vulnerability in merkulove Audier For Elementor audier-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Audier For Elementor: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-66139 | https://patchstack.com/database/Wordpress/Plugin/audier-elementor/vulnerability/wordpress-audier-for-elementor-plugin-1-0-9-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Carter for Elementor | Missing Authorization vulnerability in merkulove Carter for Elementor carter-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Carter for Elementor: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66136 | https://patchstack.com/database/Wordpress/Plugin/carter-elementor/vulnerability/wordpress-carter-for-elementor-plugin-1-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Comparimager for Elementor | Missing Authorization vulnerability in merkulove Comparimager for Elementor comparimager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Comparimager for Elementor: from n/a through <= 1.0.1. | 2026-01-22 | not yet calculated | CVE-2025-66142 | https://patchstack.com/database/Wordpress/Plugin/comparimager-elementor/vulnerability/wordpress-comparimager-for-elementor-plugin-1-0-1-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Crumber | Missing Authorization vulnerability in merkulove Crumber crumber-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Crumber: from n/a through <= 1.0.10. | 2026-01-22 | not yet calculated | CVE-2025-66143 | https://patchstack.com/database/Wordpress/Plugin/crumber-elementor/vulnerability/wordpress-crumber-plugin-1-0-10-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Imager for Elementor | Missing Authorization vulnerability in merkulove Imager for Elementor imager-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Imager for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66135 | https://patchstack.com/database/Wordpress/Plugin/imager-elementor/vulnerability/wordpress-imager-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Motionger for Elementor | Missing Authorization vulnerability in merkulove Motionger for Elementor motionger-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Motionger for Elementor: from n/a through <= 2.0.4. | 2026-01-22 | not yet calculated | CVE-2025-66138 | https://patchstack.com/database/Wordpress/Plugin/motionger-elementor/vulnerability/wordpress-motionger-for-elementor-plugin-2-0-4-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Scroller | Missing Authorization vulnerability in merkulove Scroller scroller allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scroller: from n/a through <= 2.0.2. | 2026-01-22 | not yet calculated | CVE-2025-66141 | https://patchstack.com/database/Wordpress/Plugin/scroller/vulnerability/wordpress-scroller-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Searcher for Elementor | Missing Authorization vulnerability in merkulove Searcher for Elementor searcher-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Searcher for Elementor: from n/a through <= 1.0.3. | 2026-01-22 | not yet calculated | CVE-2025-66137 | https://patchstack.com/database/Wordpress/Plugin/searcher-elementor/vulnerability/wordpress-searcher-for-elementor-plugin-1-0-3-broken-access-control-vulnerability?_s_id=cve |
| merkulove–Uper for Elementor | Missing Authorization vulnerability in merkulove Uper for Elementor uper-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Uper for Elementor: from n/a through <= 1.0.5. | 2026-01-22 | not yet calculated | CVE-2025-66140 | https://patchstack.com/database/Wordpress/Plugin/uper-elementor/vulnerability/wordpress-uper-for-elementor-plugin-1-0-5-broken-access-control-vulnerability?_s_id=cve |
| Merv Barrett–Easy Property Listings | Missing Authorization vulnerability in Merv Barrett Easy Property Listings easy-property-listings allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Easy Property Listings: from n/a through <= 3.5.17. | 2026-01-22 | not yet calculated | CVE-2025-68072 | https://patchstack.com/database/Wordpress/Plugin/easy-property-listings/vulnerability/wordpress-easy-property-listings-plugin-3-5-16-broken-access-control-vulnerability?_s_id=cve |
| Metagauss–EventPrime | Missing Authorization vulnerability in Metagauss EventPrime eventprime-event-calendar-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EventPrime: from n/a through <= 4.2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24380 | https://patchstack.com/database/Wordpress/Plugin/eventprime-event-calendar-management/vulnerability/wordpress-eventprime-plugin-4-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| Metagauss–RegistrationMagic | Cross-Site Request Forgery (CSRF) vulnerability in Metagauss RegistrationMagic custom-registration-form-builder-with-submission-manager allows Cross Site Request Forgery. This issue affects RegistrationMagic: from n/a through <= 6.0.6.9. | 2026-01-22 | not yet calculated | CVE-2026-24374 | https://patchstack.com/database/Wordpress/Plugin/custom-registration-form-builder-with-submission-manager/vulnerability/wordpress-registrationmagic-plugin-6-0-6-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Micro.company–Form to Chat App | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Micro.company Form to Chat App form-to-chat allows Stored XSS. This issue affects Form to Chat App: from n/a through <= 1.2.5. | 2026-01-22 | not yet calculated | CVE-2026-22463 | https://patchstack.com/database/Wordpress/Plugin/form-to-chat/vulnerability/wordpress-form-to-chat-app-plugin-1-2-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Mikado-Themes–Biagiotti | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Mikado-Themes Biagiotti biagiotti allows PHP Local File Inclusion. This issue affects Biagiotti: from n/a through < 3.5.2. | 2026-01-22 | not yet calculated | CVE-2025-67938 | https://patchstack.com/database/Wordpress/Theme/biagiotti/vulnerability/wordpress-biagiotti-theme-3-5-2-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes–Cocco | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Cocco cocco allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cocco: from n/a through <= 1.5.1. | 2026-01-22 | not yet calculated | CVE-2026-22391 | https://patchstack.com/database/Wordpress/Theme/cocco/vulnerability/wordpress-cocco-theme-1-5-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Curly | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Curly curly allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Curly: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2026-22393 | https://patchstack.com/database/Wordpress/Theme/curly/vulnerability/wordpress-curly-theme-3-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Depot | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Mikado-Themes Depot depot allows PHP Local File Inclusion. This issue affects Depot: from n/a through <= 1.16. | 2026-01-22 | not yet calculated | CVE-2025-54003 | https://patchstack.com/database/Wordpress/Theme/depot/vulnerability/wordpress-depot-theme-1-16-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes–Dolcino | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Dolcino dolcino allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Dolcino: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22411 | https://patchstack.com/database/Wordpress/Theme/dolcino/vulnerability/wordpress-dolcino-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Fiorello | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fiorello fiorello allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fiorello: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2026-22396 | https://patchstack.com/database/Wordpress/Theme/fiorello/vulnerability/wordpress-fiorello-theme-1-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Fleur | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Fleur fleur allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Fleur: from n/a through <= 2.0. | 2026-01-22 | not yet calculated | CVE-2026-22398 | https://patchstack.com/database/Wordpress/Theme/fleur/vulnerability/wordpress-fleur-theme-2-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Holmes | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Holmes holmes allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Holmes: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22400 | https://patchstack.com/database/Wordpress/Theme/holmes/vulnerability/wordpress-holmes-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Innovio | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Innovio innovio allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Innovio: from n/a through <= 1.7. | 2026-01-22 | not yet calculated | CVE-2026-22404 | https://patchstack.com/database/Wordpress/Theme/innovio/vulnerability/wordpress-innovio-theme-1-7-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Justicia | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Justicia justicia allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Justicia: from n/a through <= 1.2. | 2026-01-22 | not yet calculated | CVE-2026-22409 | https://patchstack.com/database/Wordpress/Theme/justicia/vulnerability/wordpress-justicia-theme-1-2-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Overton | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Overton overton allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Overton: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22406 | https://patchstack.com/database/Wordpress/Theme/overton/vulnerability/wordpress-overton-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–PawFriends – Pet Shop and Veterinary WordPress Theme | Cross-Site Request Forgery (CSRF) vulnerability in Mikado-Themes PawFriends – Pet Shop and Veterinary WordPress Theme pawfriends allows Cross Site Request Forgery. This issue affects PawFriends – Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22382 | https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Mikado-Themes–Powerlift | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Mikado-Themes Powerlift powerlift allows PHP Local File Inclusion. This issue affects Powerlift: from n/a through < 3.2.1. | 2026-01-22 | not yet calculated | CVE-2025-67940 | https://patchstack.com/database/Wordpress/Theme/powerlift/vulnerability/wordpress-powerlift-theme-3-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| Mikado-Themes–Roam | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Roam roam allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Roam: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2026-22407 | https://patchstack.com/database/Wordpress/Theme/roam/vulnerability/wordpress-roam-theme-2-1-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Rosebud | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Rosebud rosebud allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Rosebud: from n/a through <= 1.4. | 2026-01-23 | not yet calculated | CVE-2026-24631 | https://patchstack.com/database/Wordpress/Theme/rosebud/vulnerability/wordpress-rosebud-theme-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Verdure | Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes Verdure verdure allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Verdure: from n/a through <= 1.6. | 2026-01-22 | not yet calculated | CVE-2026-22430 | https://patchstack.com/database/Wordpress/Theme/verdure/vulnerability/wordpress-verdure-theme-1-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Mikado-Themes–Wanderland | Missing Authorization vulnerability in Mikado-Themes Wanderland wanderland allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wanderland: from n/a through <= 1.5. | 2026-01-22 | not yet calculated | CVE-2026-22458 | https://patchstack.com/database/Wordpress/Theme/wanderland/vulnerability/wordpress-wanderland-theme-1-5-broken-access-control-vulnerability?_s_id=cve |
| Milner–ImageDirector Capture | The use of a hard-coded encryption key in calls to the Password function in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows a local attacker to decrypt database credentials by reading the cryptographic key from the executable. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58740 | https://sra.io/advisories |
| Milner–ImageDirector Capture | Insufficiently Protected Credentials vulnerability in the Credential Field of Milner ImageDirector Capture allows retrieval of credential material and enables database access. This issue affects ImageDirector Capture: from 7.0.9 through 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58741 | https://sra.io/advisories |
| Milner–ImageDirector Capture | Insufficiently Protected Credentials, Improper Restriction of Communication Channel to Intended Endpoints vulnerability in the Connection Settings dialog in Milner ImageDirector Capture on Windows allows Adversary in the Middle (AiTM) by modifying the ‘Server’ field to redirect client authentication. This issue affects ImageDirector Capture: from 7.0.9 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58742 | https://sra.io/advisories |
| Milner–ImageDirector Capture | Use of a Broken or Risky Cryptographic Algorithm (DES) vulnerability in the Password class in C2SConnections.dll in Milner ImageDirector Capture on Windows allows Encryption Brute Forcing to obtain database credentials. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58743 | https://sra.io/advisories |
| Milner–ImageDirector Capture | Use of Default Credentials, Hard-coded Credentials vulnerability in C2SGlobalSettings.dll in Milner ImageDirector Capture on Windows allows decryption of document archive files using credentials decrypted with hard-coded application encryption key. This issue affects ImageDirector Capture: from 7.0.9.0 before 7.6.3.25808. | 2026-01-20 | not yet calculated | CVE-2025-58744 | https://sra.io/advisories |
| miniserve–miniserve | A TOCTOU and symlink race in svenstaro/miniserve 0.32.0 upload finalization (when uploads are enabled) can allow an attacker to overwrite arbitrary files outside the intended upload/document root in deployments where the attacker can create/replace filesystem entries in the upload destination directory (e.g., shared writable directory/volume). | 2026-01-23 | not yet calculated | CVE-2025-67124 | https://github.com/svenstaro/miniserve https://gist.github.com/thesmartshadow/55688f87f8b985eb530e07d00ef8c63f |
| mkscripts–Download After Email | Missing Authorization vulnerability in mkscripts Download After Email download-after-email allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Download After Email: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24541 | https://patchstack.com/database/Wordpress/Plugin/download-after-email/vulnerability/wordpress-download-after-email-plugin-2-1-9-broken-access-control-vulnerability?_s_id=cve |
| mndpsingh287–WP Mail | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in mndpsingh287 WP Mail wp-mail allows Reflected XSS. This issue affects WP Mail: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2025-68008 | https://patchstack.com/database/Wordpress/Plugin/wp-mail/vulnerability/wordpress-wp-mail-plugin-1-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| monetagwp–Monetag Official Plugin | Missing Authorization vulnerability in monetagwp Monetag Official Plugin monetag-official allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Monetag Official Plugin: from n/a through <= 1.1.3. | 2026-01-23 | not yet calculated | CVE-2026-24551 | https://patchstack.com/database/Wordpress/Plugin/monetag-official/vulnerability/wordpress-monetag-official-plugin-plugin-1-1-3-broken-access-control-vulnerability-2?_s_id=cve |
| mwtemplates–DeepDigital | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in mwtemplates DeepDigital deepdigital allows Code Injection. This issue affects DeepDigital: from n/a through <= 1.0.2. | 2026-01-22 | not yet calculated | CVE-2026-22469 | https://patchstack.com/database/Wordpress/Theme/deepdigital/vulnerability/wordpress-deepdigital-theme-1-0-2-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| MyThemeShop–WP Subscribe | Missing Authorization vulnerability in MyThemeShop WP Subscribe wp-subscribe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Subscribe: from n/a through <= 1.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24522 | https://patchstack.com/database/Wordpress/Plugin/wp-subscribe/vulnerability/wordpress-wp-subscribe-plugin-1-2-16-broken-access-control-vulnerability?_s_id=cve |
| Nelio Software–Nelio AB Testing | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Nelio Software Nelio AB Testing nelio-ab-testing allows Code Injection. This issue affects Nelio AB Testing: from n/a through <= 8.1.8. | 2026-01-22 | not yet calculated | CVE-2025-67944 | https://patchstack.com/database/Wordpress/Plugin/nelio-ab-testing/vulnerability/wordpress-nelio-ab-testing-plugin-8-1-8-arbitrary-code-execution-vulnerability?_s_id=cve |
| Nelio Software–Nelio Content | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Nelio Software Nelio Content nelio-content allows Blind SQL Injection. This issue affects Nelio Content: from n/a through <= 4.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24572 | https://patchstack.com/database/Wordpress/Plugin/nelio-content/vulnerability/wordpress-nelio-content-plugin-4-1-0-sql-injection-vulnerability?_s_id=cve |
| neo4j–Enterprise Edition | Neo4j Enterprise edition versions prior to 2025.11.2 and 5.26.17 are vulnerable to a potential information disclosure by an attacker who has some legitimate access to the database. The vulnerability allows an attacker without read access to a property to infer information about its value by trying to enumerate all possible values through observing error messages of SET property. We recommend upgrading to 2025.11.2 or 5.26.17 and above, where the issue is fixed. | 2026-01-22 | not yet calculated | CVE-2025-12738 | https://neo4j.com/security/CVE-2025-12738 |
| nerves-hub–nerves_hub_web | NervesHub is a web service that allows users to manage over-the-air (OTA) firmware updates of devices in the field. A vulnerability present starting in version 1.0.0 and prior to version 2.3.0 allowed attackers to brute-force user API tokens due to the predictable format of previously issued tokens. Tokens included user-identifiable components and were not cryptographically secure, making them susceptible to guessing or enumeration. The vulnerability could have allowed unauthorized access to user accounts or API actions protected by these tokens. A fix is available in version 2.3.0 of NervesHub. This version introduces strong, cryptographically-random tokens using `:crypto.strong_rand_bytes/1`, hashing of tokens before database storage to prevent misuse even if the database is compromised, and context-aware token storage to distinguish between session and API tokens. There are no practical workarounds for this issue other than upgrading. In sensitive environments, as a temporary mitigation, firewalling access to the NervesHub server can help limit exposure until an upgrade is possible. | 2026-01-22 | not yet calculated | CVE-2025-64097 | https://github.com/nerves-hub/nerves_hub_web/security/advisories/GHSA-m9vj-776q-vc8m https://github.com/nerves-hub/nerves_hub_web/pull/2024 https://github.com/nerves-hub/nerves_hub_web/releases/tag/v2.3.0 |
| netgsm–Netgsm | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in netgsm Netgsm netgsm allows Reflected XSS. This issue affects Netgsm: from n/a through <= 2.9.63. | 2026-01-22 | not yet calculated | CVE-2025-68010 | https://patchstack.com/database/Wordpress/Plugin/netgsm/vulnerability/wordpress-netgsm-plugin-2-9-62-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| NewPlane–open5GS | Open 5GS WebUI uses a hard-coded JWT signing key (change-me) whenever the environment variable JWT_SECRET_KEY is unset. | 2026-01-20 | not yet calculated | CVE-2026-0622 | https://github.com/open5gs/open5gs/issues/2264 https://github.com/open5gs/open5gs/issues/856 https://github.com/open5gs/open5gs/pull/857 |
| Ninetheme–Anarkali | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Ninetheme Anarkali anarkali allows PHP Local File Inclusion. This issue affects Anarkali: from n/a through <= 1.0.9. | 2026-01-22 | not yet calculated | CVE-2025-47474 | https://patchstack.com/database/Wordpress/Theme/anarkali/vulnerability/wordpress-anarkali-theme-1-0-9-local-file-inclusion-vulnerability?_s_id=cve |
| Ninetheme–Electron | Missing Authorization vulnerability in Ninetheme Electron electron allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Electron: from n/a through <= 1.8.2. | 2026-01-22 | not yet calculated | CVE-2025-5805 | https://patchstack.com/database/Wordpress/Theme/electron/vulnerability/wordpress-electron-theme-1-8-2-broken-access-control-vulnerability?_s_id=cve |
| Ninja Team–GDPR CCPA Compliance Support | Missing Authorization vulnerability in Ninja Team GDPR CCPA Compliance Support ninja-gdpr-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GDPR CCPA Compliance Support: from n/a through <= 2.7.4. | 2026-01-22 | not yet calculated | CVE-2025-68073 | https://patchstack.com/database/Wordpress/Plugin/ninja-gdpr-compliance/vulnerability/wordpress-gdpr-ccpa-compliance-support-plugin-2-7-4-broken-access-control-vulnerability?_s_id=cve |
| NixOS–nixpkgs | Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn’t fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`. | 2026-01-19 | not yet calculated | CVE-2026-23838 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-g8w3-p77x-mmxh https://github.com/NixOS/nixpkgs/issues/338339 https://github.com/NixOS/nixpkgs/pull/427845 https://github.com/NixOS/nixpkgs/pull/481140 |
| noCreativity–Dooodl | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in noCreativity Dooodl dooodl allows Reflected XSS. This issue affects Dooodl: from n/a through <= 2.3.0. | 2026-01-22 | not yet calculated | CVE-2025-68871 | https://patchstack.com/database/Wordpress/Plugin/dooodl/vulnerability/wordpress-dooodl-plugin-2-3-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| nodejs–node | A flaw in Node.js’s Permissions model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files. This breaks the expected isolation guarantees and enables arbitrary file read/write, leading to potential system compromise. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55130 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A flaw in Node.js’s buffer allocation logic can expose uninitialized memory when allocations are interrupted, when using the `vm` module with the timeout option. Under specific timing conditions, buffers allocated with `Buffer.alloc` and other `TypedArray` instances like `Uint8Array` may contain leftover data from previous operations, allowing in-process secrets like tokens or passwords to leak or causing data corruption. While exploitation typically requires precise timing or in-process code execution, it can become remotely exploitable when untrusted input influences workload and timeouts, leading to potential confidentiality and integrity impact. | 2026-01-20 | not yet calculated | CVE-2025-55131 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A flaw in Node.js’s permission model allows a file’s access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` does not apply the expected write-permission checks, which means file metadata can be modified in read-only directories. This behavior could be used to alter timestamps in ways that obscure activity, reducing the reliability of logs. This vulnerability affects users of the permission model on Node.js v20, v22, v24, and v25. | 2026-01-20 | not yet calculated | CVE-2025-55132 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A memory leak in Node.js’s OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`, each certificate field leaks memory, allowing remote clients to trigger steady memory growth through repeated TLS connections. Over time this can lead to resource exhaustion and denial of service. | 2026-01-20 | not yet calculated | CVE-2025-59464 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example: `server.on('secureConnection', socket => { socket.on('error', err => { console.log(err) }) })` | 2026-01-20 | not yet calculated | CVE-2025-59465 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | We have identified a bug in Node.js error handling where “Maximum call stack size exceeded” errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. Applications that rely on `AsyncLocalStorage` (v22, v20) or `async_hooks.createHook()` (v24, v22, v20) become vulnerable to denial-of-service crashes triggered by deep recursion under specific conditions. | 2026-01-20 | not yet calculated | CVE-2025-59466 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A flaw in Node.js’s permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (such as URLs or socketPath options) can connect to arbitrary local sockets via net, tls, or undici/fetch. This breaks the intended security boundary of the permission model and enables access to privileged local services, potentially leading to privilege escalation, data exposure, or local code execution. The issue affects users of the Node.js permission model on version v25. At the time of this vulnerability, network permissions (`--allow-net`) are still in the experimental phase. | 2026-01-20 | not yet calculated | CVE-2026-21636 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| nodejs–node | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service. Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. This vulnerability affects TLS servers using PSK or ALPN callbacks across Node.js versions where these callbacks throw without being safely wrapped. | 2026-01-20 | not yet calculated | CVE-2026-21637 | https://nodejs.org/en/blog/vulnerability/december-2025-security-releases |
| npm–cli | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430. | 2026-01-23 | not yet calculated | CVE-2026-0775 | ZDI-26-043 |
| NSquared–Simply Schedule Appointments | Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simply Schedule Appointments: from n/a through <= 1.6.9.15. | 2026-01-22 | not yet calculated | CVE-2025-69315 | https://patchstack.com/database/Wordpress/Plugin/simply-schedule-appointments/vulnerability/wordpress-simply-schedule-appointments-plugin-1-6-9-15-broken-access-control-vulnerability?_s_id=cve |
| Ollama MCP Server–Ollama MCP Server | Ollama MCP Server execAsync Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Ollama MCP Server. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the execAsync method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-27683. | 2026-01-23 | not yet calculated | CVE-2025-15063 | ZDI-26-020 |
| ollama–ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via the GGUF decoder. | 2026-01-21 | not yet calculated | CVE-2025-66959 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66959panic-dos-via-unchecked-length-in-gguf-decoder-copy/ |
| ollama–ollama | An issue in ollama v.0.12.10 allows a remote attacker to cause a denial of service via fs/ggml/gguf.go, where the function readGGUFV1String reads a string length from untrusted GGUF metadata. | 2026-01-21 | not yet calculated | CVE-2025-66960 | https://github.com/ollama/ollama/issues/9820 https://zero.shotlearni.ng/blog/cve-2025-66960guf-v1-string-length-cause-panic-in-readggufv1string/ |
| OmniApp–OmniApp | An unauthenticated information disclosure vulnerability in Newgen OmniApp allows attackers to enumerate valid privileged usernames via a publicly accessible client-side JavaScript resource. | 2026-01-23 | not yet calculated | CVE-2025-69908 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69908.md |
| OmniDocs–OmniDocs | An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. A remote attacker can access this endpoint without valid credentials to retrieve sensitive internal configuration information, including cabinet names and database-related metadata. This allows unauthorized enumeration of backend deployment details and may facilitate further targeted attacks. | 2026-01-23 | not yet calculated | CVE-2025-69907 | https://newgensoft.com/ https://github.com/CBx216/CVE-Newgen-Software-Advisories/blob/main/CVE-2025-69907.md |
| omnipressteam–Omnipress | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in omnipressteam Omnipress omnipress allows PHP Local File Inclusion. This issue affects Omnipress: from n/a through <= 1.6.6. | 2026-01-23 | not yet calculated | CVE-2026-24538 | https://patchstack.com/database/Wordpress/Plugin/omnipress/vulnerability/wordpress-omnipress-plugin-1-6-6-local-file-inclusion-vulnerability?_s_id=cve |
| Onepay Sri Lanka–onepay Payment Gateway For WooCommerce | Missing Authorization vulnerability in Onepay Sri Lanka onepay Payment Gateway For WooCommerce onepay-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects onepay Payment Gateway For WooCommerce: from n/a through <= 1.1.2. | 2026-01-22 | not yet calculated | CVE-2025-68016 | https://patchstack.com/database/Wordpress/Plugin/onepay-payment-gateway-for-woocommerce/vulnerability/wordpress-onepay-payment-gateway-for-woocommerce-plugin-1-1-2-other-vulnerability-type-vulnerability?_s_id=cve |
| Open WebUI–Open WebUI | Open WebUI PIP install_frontmatter_requirements Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the install_frontmatter_requirements function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28258. | 2026-01-23 | not yet calculated | CVE-2026-0765 | ZDI-26-031 |
| Open WebUI–Open WebUI | Open WebUI load_tool_module_by_id Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Open WebUI. Authentication is required to exploit this vulnerability. The specific flaw exists within the load_tool_module_by_id function. The issue results from the lack of proper validation of a user-supplied string before using it to execute Python code. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28257. | 2026-01-23 | not yet calculated | CVE-2026-0766 | ZDI-26-032 |
| Open WebUI–Open WebUI | Open WebUI Cleartext Transmission of Credentials Information Disclosure Vulnerability. This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Open WebUI. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of credentials provided to the endpoint. The issue results from transmitting sensitive information in plaintext. An attacker can leverage this vulnerability to disclose transmitted credentials, leading to further compromise. Was ZDI-CAN-28259. | 2026-01-23 | not yet calculated | CVE-2026-0767 | ZDI-26-033 |
| OpenSolution–Quick.Cart | Quick.Cart is vulnerable to reflected XSS via the sSort parameter. An attacker can craft a malicious URL which, when opened, results in arbitrary JavaScript execution in the victim’s browser. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67683 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| OpenSolution–Quick.Cart | Quick.Cart is vulnerable to Local File Inclusion and Path Traversal issues in the theme selection mechanism. Quick.Cart allows a privileged user to upload arbitrary file contents while only validating the filename extension. This allows an attacker to include and execute uploaded PHP code, resulting in Remote Code Execution on the server. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-01-22 | not yet calculated | CVE-2025-67684 | https://cert.pl/posts/2026/01/CVE-2025-67683 https://opensolution.org/sklep-internetowy-quick-cart.html |
| orjson–orjson | The orjson.dumps function in orjson through 3.11.4 does not limit recursion for deeply nested JSON documents. | 2026-01-22 | not yet calculated | CVE-2025-67221 | https://github.com/kpatsakis/orjson_vulnerability https://github.com/ijl/orjson |
| orval-labs–orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0, and 8.x versions prior to 8.0.2, are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785’s fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the generated schema files. Orval 7.19.0 and 8.0.2 contain a fix for the issue. | 2026-01-20 | not yet calculated | CVE-2026-23947 | https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/releases/tag/v8.0.2 |
| orval-labs–orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affects a different code path in the faker-based mock generator rather than @orval/core. The issue has been fixed in versions 7.20.0 and 8.0.3. | 2026-01-22 | not yet calculated | CVE-2026-24132 | https://github.com/orval-labs/orval/security/advisories/GHSA-f456-rf33-4626 https://github.com/orval-labs/orval/pull/2828 https://github.com/orval-labs/orval/pull/2829 https://github.com/orval-labs/orval/pull/2830 https://github.com/orval-labs/orval/commit/44ca8c1f5f930a3e4cefb6b79b38bcde7f8532a5 https://github.com/orval-labs/orval/commit/6d8ece07ccb80693ad43edabccb3957aceadcd06 https://github.com/orval-labs/orval/commit/9b211cddc9f009f8a671e4ac5c6cb72cd8646b62 https://github.com/orval-labs/orval/releases/tag/v7.20.0 https://github.com/orval-labs/orval/releases/tag/v8.0.3 |
| ovatheme–Athens | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ovatheme Athens athens allows PHP Local File Inclusion. This issue affects Athens: from n/a through <= 1.1.6. | 2026-01-22 | not yet calculated | CVE-2025-49994 | https://patchstack.com/database/Wordpress/Theme/athens/vulnerability/wordpress-athens-theme-1-1-6-local-file-inclusion-vulnerability?_s_id=cve |
| ovatheme–Movie Booking | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in ovatheme Movie Booking movie-booking allows Path Traversal. This issue affects Movie Booking: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-67963 | https://patchstack.com/database/Wordpress/Plugin/movie-booking/vulnerability/wordpress-movie-booking-plugin-1-1-5-arbitrary-file-deletion-vulnerability?_s_id=cve |
| owntone–owntone | A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server. | 2026-01-20 | not yet calculated | CVE-2025-63647 | https://github.com/archersec/poc/tree/master/owntone-server https://github.com/owntone/owntone-server/commit/53ee9a3c3921e5448f502800c4dfa787865f6cb7 https://github.com/archersec/security-advisories/blob/master/owntone-server/owntone-server-advisory-2025.md |
| Paolo–GeoDirectory | Cross-Site Request Forgery (CSRF) vulnerability in Paolo GeoDirectory geodirectory allows Cross Site Request Forgery. This issue affects GeoDirectory: from n/a through <= 2.8.147. | 2026-01-23 | not yet calculated | CVE-2026-24549 | https://patchstack.com/database/Wordpress/Plugin/geodirectory/vulnerability/wordpress-geodirectory-plugin-2-8-147-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Passionate Brains–Add Expires Headers & Optimized Minify | Missing Authorization vulnerability in Passionate Brains Add Expires Headers & Optimized Minify add-expires-headers allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Add Expires Headers & Optimized Minify: from n/a through <= 3.1.0. | 2026-01-23 | not yet calculated | CVE-2026-24633 | https://patchstack.com/database/Wordpress/Plugin/add-expires-headers/vulnerability/wordpress-add-expires-headers-optimized-minify-plugin-3-1-0-broken-access-control-vulnerability?_s_id=cve |
| pavothemes–Freshio | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in pavothemes Freshio freshio allows PHP Local File Inclusion. This issue affects Freshio: from n/a through <= 2.4.2. | 2026-01-22 | not yet calculated | CVE-2026-22401 | https://patchstack.com/database/Wordpress/Theme/freshio/vulnerability/wordpress-freshio-theme-2-4-2-local-file-inclusion-vulnerability?_s_id=cve |
| pavothemes–Triply | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in pavothemes Triply triply allows PHP Local File Inclusion. This issue affects Triply: from n/a through <= 2.4.7. | 2026-01-22 | not yet calculated | CVE-2026-22402 | https://patchstack.com/database/Wordpress/Theme/triply/vulnerability/wordpress-triply-theme-2-4-7-local-file-inclusion-vulnerability?_s_id=cve |
| peachpayments–Peach Payments Gateway | Missing Authorization vulnerability in peachpayments Peach Payments Gateway wc-peach-payments-gateway allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Peach Payments Gateway: from n/a through <= 3.3.6. | 2026-01-22 | not yet calculated | CVE-2025-67942 | https://patchstack.com/database/Wordpress/Plugin/wc-peach-payments-gateway/vulnerability/wordpress-peach-payments-gateway-plugin-3-3-6-broken-access-control-vulnerability?_s_id=cve |
| PenciDesign–Penci Pay Writer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PenciDesign Penci Pay Writer penci-pay-writer allows Stored XSS. This issue affects Penci Pay Writer: from n/a through <= 1.5. | 2026-01-23 | not yet calculated | CVE-2026-24601 | https://patchstack.com/database/Wordpress/Plugin/penci-pay-writer/vulnerability/wordpress-penci-pay-writer-plugin-1-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign–Penci Review | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PenciDesign Penci Review penci-review allows Stored XSS. This issue affects Penci Review: from n/a through <= 3.5. | 2026-01-23 | not yet calculated | CVE-2026-24600 | https://patchstack.com/database/Wordpress/Plugin/penci-review/vulnerability/wordpress-penci-review-plugin-3-5-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PenciDesign–Penci Shortcodes & Performance | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PenciDesign Penci Shortcodes & Performance penci-shortcodes allows DOM-Based XSS. This issue affects Penci Shortcodes & Performance: from n/a through <= 6.1. | 2026-01-22 | not yet calculated | CVE-2026-24354 | https://patchstack.com/database/Wordpress/Plugin/penci-shortcodes/vulnerability/wordpress-penci-shortcodes-performance-plugin-6-1-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| pencilwp–X Addons for Elementor | Missing Authorization vulnerability in pencilwp X Addons for Elementor x-addons-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects X Addons for Elementor: from n/a through <= 1.0.23. | 2026-01-23 | not yet calculated | CVE-2026-24605 | https://patchstack.com/database/Wordpress/Plugin/x-addons-elementor/vulnerability/wordpress-x-addons-for-elementor-plugin-1-0-23-broken-access-control-vulnerability?_s_id=cve |
| PHPgurukul–PHPgurukul | PHPgurukul Online Course Registration v3.1 lacks Cross-Site Request Forgery (CSRF) protection on all administrative forms. An attacker can perform unauthorized actions on behalf of authenticated administrators by tricking them into visiting a malicious webpage. | 2026-01-22 | not yet calculated | CVE-2025-70899 | https://phpgurukul.com/online-course-registration-free-download/ https://github.com/mathavamoorthi/CVE-2025-70899/blob/main/Missing_CSRF_protection_poc.md |
| Pithikos–Pithikos | An input validation issue in Pithikos websocket-server v0.6.4 allows a remote attacker to obtain sensitive information or cause unexpected server behavior via the WebSocketServer._message_received method in websocket_server/websocket_server.py. | 2026-01-20 | not yet calculated | CVE-2025-66902 | https://github.com/cyberinvest211/websocket-server-vuln-poc/tree/main |
| pixelgrade–Nova Blocks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in pixelgrade Nova Blocks nova-blocks allows DOM-Based XSS. This issue affects Nova Blocks: from n/a through <= 2.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24528 | https://patchstack.com/database/Wordpress/Plugin/nova-blocks/vulnerability/wordpress-nova-blocks-plugin-2-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PluginOps–Landing Page Builder | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in PluginOps Landing Page Builder page-builder-add allows Stored XSS. This issue affects Landing Page Builder: from n/a through <= 1.5.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24620 | https://patchstack.com/database/Wordpress/Plugin/page-builder-add/vulnerability/wordpress-landing-page-builder-plugin-1-5-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| pondol–Pondol BBS | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in pondol Pondol BBS pondol-bbs allows Stored XSS. This issue affects Pondol BBS: from n/a through <= 1.1.8.4. | 2026-01-22 | not yet calculated | CVE-2025-49336 | https://patchstack.com/database/Wordpress/Plugin/pondol-bbs/vulnerability/wordpress-pondol-bbs-plugin-1-1-8-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| PopCash–PopCash.Net Code Integration Tool | Missing Authorization vulnerability in PopCash PopCash.Net Code Integration Tool popcashnet-code-integration-tool allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PopCash.Net Code Integration Tool: from n/a through <= 1.8. | 2026-01-23 | not yet calculated | CVE-2026-24619 | https://patchstack.com/database/Wordpress/Plugin/popcashnet-code-integration-tool/vulnerability/wordpress-popcash-net-code-integration-tool-plugin-1-8-broken-access-control-vulnerability?_s_id=cve |
| POSIMYTH–Nexter Blocks | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Retrieve Embedded Sensitive Data. This issue affects Nexter Blocks: from n/a through <= 4.6.3. | 2026-01-22 | not yet calculated | CVE-2026-24377 | https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-4-6-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| Poultry Farm Management System–Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: ‘companyaddress’, ‘companyemail’, ‘companyname’, ‘country’, ‘mobilenumber’ and ‘regno’ parameters in ‘/farm/farmprofile.php’. | 2026-01-20 | not yet calculated | CVE-2025-41024 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Poultry Farm Management System–Poultry Farm Management System | Stored Cross-Site Scripting (XSS) in Poultry Farm Management System v1.0 due to the lack of proper validation of user input by sending a POST request. The relationship between parameters and assigned identifiers is as follows: ‘category’ and ‘product’ parameters in ‘/farm/sell_product.php’. | 2026-01-20 | not yet calculated | CVE-2025-41025 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-poultry-farm-management-system |
| Prince–Integrate Google Drive | Missing Authorization vulnerability in Prince Integrate Google Drive integrate-google-drive allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integrate Google Drive: from n/a through <= 1.5.5. | 2026-01-23 | not yet calculated | CVE-2026-24540 | https://patchstack.com/database/Wordpress/Plugin/integrate-google-drive/vulnerability/wordpress-integrate-google-drive-plugin-1-5-5-broken-access-control-vulnerability?_s_id=cve |
| Prince–Radio Player | Server-Side Request Forgery (SSRF) vulnerability in Prince Radio Player radio-player allows Server Side Request Forgery. This issue affects Radio Player: from n/a through <= 2.0.91. | 2026-01-23 | not yet calculated | CVE-2026-24548 | https://patchstack.com/database/Wordpress/Plugin/radio-player/vulnerability/wordpress-radio-player-plugin-2-0-91-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Proptech Plugin–Apimo Connector | Missing Authorization vulnerability in Proptech Plugin Apimo Connector apimo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Apimo Connector: from n/a through <= 2.6.4. | 2026-01-22 | not yet calculated | CVE-2026-22445 | https://patchstack.com/database/Wordpress/Plugin/apimo/vulnerability/wordpress-apimo-connector-plugin-2-6-4-broken-access-control-vulnerability?_s_id=cve |
| pterodactyl–panel | Pterodactyl is a free, open-source game server management panel. Pterodactyl implements rate limits that are applied to the total number of resources (e.g. databases, port allocations, or backups) that can exist for an individual server. These resource limits are applied on a per-server basis, and validated during the request cycle. However, in versions prior to 1.12.0, it is possible for a malicious user to send a massive volume of requests at the same time that would create more resources than the server is allotted. This is because the validation occurs early in the request cycle and does not lock the target resource while it is processing. As a result sending a large volume of requests at the same time would lead all of those requests to validate as not using any of the target resources, and then all creating the resources at the same time. As a result a server would be able to create more databases, allocations, or backups than configured. A malicious user is able to deny resources to other users on the system, and may be able to excessively consume the limited allocations for a node, or fill up backup space faster than is allowed by the system. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2025-69198 | https://github.com/pterodactyl/panel/security/advisories/GHSA-jw2v-cq5x-q68g https://github.com/pterodactyl/panel/commit/09caa0d4995bd924b53b9a9e9b4883ac27bd5607 |
| pterodactyl–panel | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Prior to version 1.12.0, websockets within Wings lack proper rate limiting and throttling. As a result, a malicious user can open a large number of connections and then request data through these sockets, causing an excessive volume of data over the network and overloading the host system memory and CPU. Additionally, there is no limit applied to the total size of messages being sent or received, allowing a malicious user to open thousands of websocket connections and then send massive volumes of information over the socket, overloading the host network and causing increased CPU and memory load within Wings. Version 1.12.0 patches the issue. | 2026-01-19 | not yet calculated | CVE-2025-69199 | https://github.com/pterodactyl/panel/security/advisories/GHSA-8w7m-w749-rx98 |
| pterodactyl–wings | Wings is the server control plane for Pterodactyl, a free, open-source game server management panel. Starting in version 1.7.0 and prior to version 1.12.0, Wings does not consider the SQLite maximum parameter limit when processing activity log entries, allowing a low-privileged user to trigger a condition that floods the panel with activity records. After Wings sends activity logs to the panel, it deletes the processed activity entries from the Wings SQLite database. However, it does not consider the maximum parameter limit of SQLite, 32766 as of SQLite 3.32.0. If Wings attempts to delete more than 32766 entries from the SQLite database in one query, it triggers an error (SQL logic error: too many SQL variables (1)) and does not remove any entries from the database. These entries are then indefinitely re-processed and resent to the panel each time the cron runs. By successfully exploiting this vulnerability, an attacker can trigger a situation where Wings keeps uploading the same activity data to the panel repeatedly (growing each time to include new activity) until the panel’s database server runs out of disk space. Version 1.12.0 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-21696 | https://github.com/pterodactyl/wings/security/advisories/GHSA-2497-gp99-2m74 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/activity_cron.go#L81 https://github.com/pterodactyl/wings/blob/9ffbcdcdb1163da823cf9959b9602df9f7dcb54a/internal/cron/sftp_cron.go#L86 |
| purethemes–WorkScout | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in purethemes WorkScout workscout allows Reflected XSS. This issue affects WorkScout: from n/a through <= 4.1.07. | 2026-01-22 | not yet calculated | CVE-2025-67959 | https://patchstack.com/database/Wordpress/Theme/workscout/vulnerability/wordpress-workscout-theme-4-1-07-cross-site-scripting-xss-vulnerability?_s_id=cve |
| purethemes–WorkScout-Core | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in purethemes WorkScout-Core workscout-core allows Reflected XSS. This issue affects WorkScout-Core: from n/a through <= 1.7.06. | 2026-01-22 | not yet calculated | CVE-2025-67960 | https://patchstack.com/database/Wordpress/Plugin/workscout-core/vulnerability/wordpress-workscout-core-plugin-1-7-06-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| PyPI–PiPI | An undocumented and unsafe feature in the PLY (Python Lex-Yacc) library 3.11 allows Remote Code Execution (RCE) via the `picklefile` parameter in the `yacc()` function. This parameter accepts a `.pkl` file that is deserialized with `pickle.load()` without validation. Because `pickle` allows execution of embedded code via `__reduce__()`, an attacker can achieve code execution by passing a malicious pickle file. The parameter is not mentioned in official documentation or the GitHub repository, yet it is active in the PyPI version. This introduces a stealthy backdoor and persistence risk. | 2026-01-20 | not yet calculated | CVE-2025-56005 | https://github.com/bohmiiidd/Undocumented-RCE-in-PLY |
| Python Software Foundation–CPython | When folding a long comment in an email header containing exclusively unfoldable characters, the parenthesis would not be preserved. This could be used for injecting headers into email messages where addresses are user-controlled and not sanitized. | 2026-01-20 | not yet calculated | CVE-2025-11468 | https://github.com/python/cpython/pull/143936 https://github.com/python/cpython/issues/143935 https://mail.python.org/archives/list/security-announce@python.org/thread/FELSEOLBI2QR6YLG6Q7VYF7FWSGQTKLI/ https://github.com/python/cpython/commit/17d1490aa97bd6b98a42b1a9b324ead84e7fd8a2 |
| Python Software Foundation–CPython | When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the “base64” module, the characters “+/” will always be accepted, regardless of the value of the “altchars” parameter, typically used to establish an “alternative base64 alphabet” such as the URL-safe alphabet. This behavior matches what is recommended in earlier base64 RFCs, but newer RFCs now recommend either dropping characters outside the specified base64 alphabet or raising an error. The old behavior has the possibility of causing data integrity issues. This behavior can only be insecure if your application uses an alternate base64 alphabet (without “+/”). If your application does not use the “altchars” parameter or the urlsafe_b64decode() function, then your application does not use an alternative base64 alphabet. The attached patches DO NOT make the base64-decode behavior raise an error, as this would be a change in behavior and break existing programs. Instead, the patch deprecates the behavior, which will be replaced with the newly recommended behavior in a future version of Python. Users are recommended to mitigate by verifying that user-controlled inputs match the base64 alphabet they are expecting, or by verifying that their application would not be affected if the b64decode() functions accepted “+” or “/” outside of altchars. | 2026-01-21 | not yet calculated | CVE-2025-12781 | https://github.com/python/cpython/pull/141128 https://github.com/python/cpython/issues/125346 https://mail.python.org/archives/list/security-announce@python.org/thread/KRI7GC6S27YV5NJ4FPDALS2WI5ENAFJ6/ https://github.com/python/cpython/commit/13360efd385d1a7d0659beba03787ea3d063ef9b https://github.com/python/cpython/commit/1be80bec7960f5ccd059e75f3dfbd45fca302947 https://github.com/python/cpython/commit/9060b4abbe475591b6230b23c2afefeff26fcca5 https://github.com/python/cpython/commit/e95e783dff443b68e8179fdb57737025bf02ba76 https://github.com/python/cpython/commit/fd17ee026fa9b67f6288cbafe374a3e479fe03a5 |
| Python Software Foundation–CPython | User-controlled data URLs parsed by urllib.request.DataHandler allow injecting headers through newlines in the data URL mediatype. | 2026-01-20 | not yet calculated | CVE-2025-15282 | https://github.com/python/cpython/pull/143926 https://github.com/python/cpython/issues/143925 https://mail.python.org/archives/list/security-announce@python.org/thread/X66HL7SISGJT33J53OHXMZT4DFLMHVKF/ https://github.com/python/cpython/commit/f25509e78e8be6ea73c811ac2b8c928c28841b9f https://github.com/python/cpython/commit/05356b1cc153108aaf27f3b72ce438af4aa218c0 |
| Python Software Foundation–CPython | The imaplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15366 | https://github.com/python/cpython/issues/143921 https://github.com/python/cpython/pull/143922 https://mail.python.org/archives/list/security-announce@python.org/thread/DD7C7JZJYTBXMDOWKCEIEBJLBRU64OMR/ https://github.com/python/cpython/commit/6262704b134db2a4ba12e85ecfbd968534f28b45 |
| Python Software Foundation–CPython | The poplib module, when passed a user-controlled command, can have additional commands injected using newlines. Mitigation rejects commands containing control characters. | 2026-01-20 | not yet calculated | CVE-2025-15367 | https://github.com/python/cpython/pull/143924 https://github.com/python/cpython/issues/143923 https://mail.python.org/archives/list/security-announce@python.org/thread/CBFBOWVGGUJFSGITQCCBZS4GEYYZ7ZNE/ https://github.com/python/cpython/commit/b234a2b67539f787e191d2ef19a7cbdce32874e7 |
| Python Software Foundation–CPython | When using http.cookies.Morsel, user-controlled cookie values and parameters can allow injecting HTTP headers into messages. Patch rejects all control characters within cookie names, values, and parameters. | 2026-01-20 | not yet calculated | CVE-2026-0672 | https://github.com/python/cpython/pull/143920 https://github.com/python/cpython/issues/143919 https://mail.python.org/archives/list/security-announce@python.org/thread/6VFLQQEIX673KXKFUZXCUNE5AZOGZ45M/ https://github.com/python/cpython/commit/95746b3a13a985787ef53b977129041971ed7f70 https://github.com/python/cpython/commit/712452e6f1d4b9f7f8c4c92ebfcaac1705faa440 |
| Python Software Foundation–CPython | User-controlled header names and values containing newlines can allow injecting HTTP headers. | 2026-01-20 | not yet calculated | CVE-2026-0865 | https://github.com/python/cpython/pull/143917 https://github.com/python/cpython/issues/143916 https://mail.python.org/archives/list/security-announce@python.org/thread/BJ6QPHNSHJTS3A7CFV6IBMCAP2DWRVNT/ https://github.com/python/cpython/commit/22e4d55285cee52bc4dbe061324e5f30bd4dee58 https://github.com/python/cpython/commit/23e3c0ae867cca0130e441e776c9955b9027c510 https://github.com/python/cpython/commit/4802b96a2cde58570c24c13ef3289490980961c5 https://github.com/python/cpython/commit/f7fceed79ca1bceae8dbe5ba5bc8928564da7211 https://github.com/python/cpython/commit/2f840249550e082dc351743f474ba56da10478d2 https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995 |
| Python Software Foundation–CPython | The email module, specifically the “BytesGenerator” class, didn’t properly quote newlines in email headers when serializing an email message, allowing header injection when an email is serialized. This only applies when headers are written with “LiteralHeader” and do not respect email folding rules; the new behavior rejects such incorrectly folded headers in “BytesGenerator”. | 2026-01-23 | not yet calculated | CVE-2026-1299 | https://github.com/python/cpython/pull/144126 https://github.com/python/cpython/issues/144125 https://cve.org/CVERecord?id=CVE-2024-6923 https://mail.python.org/archives/list/security-announce@python.org/thread/6ZZULGALJTITEAGEXLDJE2C6FORDXPBT/ https://github.com/python/cpython/commit/052e55e7d44718fe46cbba0ca995cb8fcc359413 |
| Python–Protobuf | A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError. | 2026-01-23 | not yet calculated | CVE-2026-0994 | https://github.com/protocolbuffers/protobuf/pull/25239 |
| QantumThemes–Kentha Elementor Widgets | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in QantumThemes Kentha Elementor Widgets kentha-elementor allows PHP Local File Inclusion. This issue affects Kentha Elementor Widgets: from n/a through < 3.1. | 2026-01-22 | not yet calculated | CVE-2026-24390 | https://patchstack.com/database/Wordpress/Plugin/kentha-elementor/vulnerability/wordpress-kentha-elementor-widgets-plugin-3-1-local-file-inclusion-vulnerability?_s_id=cve |
| QantumThemes–KenthaRadio | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in QantumThemes KenthaRadio qt-kentharadio allows Reflected XSS. This issue affects KenthaRadio: from n/a through <= 2.2.0. | 2026-01-22 | not yet calculated | CVE-2025-69003 | https://patchstack.com/database/Wordpress/Theme/qt-kentharadio/vulnerability/wordpress-kentharadio-theme-2-2-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| QOS.CH Sarl–Logback-core | Arbitrary code execution (ACE) vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instantiation of a potentially malicious Java class requires that said class is present on the user’s class path. In addition, the attacker must have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado. | 2026-01-22 | not yet calculated | CVE-2026-1225 | https://logback.qos.ch/news.html#1.5.25 |
| Raptive–Raptive Ads | Missing Authorization vulnerability in Raptive Raptive Ads adthrive-ads allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Raptive Ads: from n/a through <= 3.10.0. | 2026-01-23 | not yet calculated | CVE-2026-24602 | https://patchstack.com/database/Wordpress/Plugin/adthrive-ads/vulnerability/wordpress-raptive-ads-plugin-3-10-0-broken-access-control-vulnerability?_s_id=cve |
| Rasedul Haque Rumi–BD Courier Order Ratio Checker | Missing Authorization vulnerability in Rasedul Haque Rumi BD Courier Order Ratio Checker bd-courier-order-ratio-checker allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BD Courier Order Ratio Checker: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2026-22481 | https://patchstack.com/database/Wordpress/Plugin/bd-courier-order-ratio-checker/vulnerability/wordpress-bd-courier-order-ratio-checker-plugin-2-0-1-broken-access-control-vulnerability?_s_id=cve |
| RealMag777–TableOn | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in RealMag777 TableOn posts-table-filterable allows Reflected XSS. This issue affects TableOn: from n/a through <= 1.0.4.2. | 2026-01-22 | not yet calculated | CVE-2025-69316 | https://patchstack.com/database/Wordpress/Plugin/posts-table-filterable/vulnerability/wordpress-tableon-plugin-1-0-4-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Remi Corson–Easy Theme Options | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Remi Corson Easy Theme Options easy-theme-options allows Reflected XSS. This issue affects Easy Theme Options: from n/a through <= 1.0. | 2026-01-22 | not yet calculated | CVE-2025-68839 | https://patchstack.com/database/Wordpress/Plugin/easy-theme-options/vulnerability/wordpress-easy-theme-options-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| renatoatshown–Shown Connector | Missing Authorization vulnerability in renatoatshown Shown Connector shown-connector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shown Connector: from n/a through <= 1.2.10. | 2026-01-22 | not yet calculated | CVE-2025-68003 | https://patchstack.com/database/Wordpress/Plugin/shown-connector/vulnerability/wordpress-shown-connector-plugin-1-2-10-settings-change-vulnerability?_s_id=cve |
| Revive–Revive Adserver | HackerOne community member Faraz Ahmed (PakCyberbot) has reported a format string injection in the Revive Adserver settings. When specific character combinations are used in a setting, the admin user console could be disabled due to a fatal PHP error. | 2026-01-20 | not yet calculated | CVE-2026-21640 | https://hackerone.com/reports/3445332 |
| Revive–Revive Adserver | HackerOne community member Jad Ghamloush (0xjad) has reported an authorization bypass vulnerability in the `tracker-delete.php` script of Revive Adserver. Users with permissions to delete trackers are mistakenly allowed to delete trackers owned by other accounts. | 2026-01-20 | not yet calculated | CVE-2026-21641 | https://hackerone.com/reports/3445710 |
| Revive–Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` and `channel-acl.php` scripts of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21642 | https://hackerone.com/reports/3470970 |
| Revive–Revive Adserver | HackerOne community member Patrick Lang (7yr) has reported a reflected XSS vulnerability in the `banner-acl.php` script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21663 | https://hackerone.com/reports/3473696 |
| Revive–Revive Adserver | HackerOne community member Huynh Pham Thanh Luc (nigh7c0r3) has reported a reflected XSS vulnerability in the `afr.php` delivery script of Revive Adserver. An attacker can craft a specific URL that includes an HTML payload in a parameter. If a logged-in administrator visits the URL, the HTML is sent to the browser and malicious scripts would be executed. | 2026-01-20 | not yet calculated | CVE-2026-21664 | https://hackerone.com/reports/3468169 |
| richardevcom–Add Polylang support for Customizer | Cross-Site Request Forgery (CSRF) vulnerability in richardevcom Add Polylang support for Customizer add-polylang-support-for-customizer allows Cross Site Request Forgery. This issue affects Add Polylang support for Customizer: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2026-22462 | https://patchstack.com/database/Wordpress/Plugin/add-polylang-support-for-customizer/vulnerability/wordpress-add-polylang-support-for-customizer-plugin-1-4-5-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Riftzilla–QRGen | Reflected Cross-Site Scripting (XSS) vulnerability in Riftzilla’s QRGen. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL using the ‘id’ parameter in ‘/article.php’. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-40644 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-qrgens-riftzilla |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. After running a Burp Suite active scan, the device loses ICMP connectivity, causing the web application to become inaccessible. | 2026-01-20 | not yet calculated | CVE-2025-9278 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limit Storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9279 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. Fuzzing performed using Defensics causes the device to become unresponsive, requiring a reboot. | 2026-01-20 | not yet calculated | CVE-2025-9280 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive step limit storm tests, the device reboots. | 2026-01-20 | not yet calculated | CVE-2025-9281 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive limited storm tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9282 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP Step Limits Storms tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9283 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. This vulnerability is triggered during fuzzing of multiple CIP classes, which causes the CIP port to become unresponsive. | 2026-01-20 | not yet calculated | CVE-2025-9464 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles Comprehensive grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9465 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–ArmorStart LT | A security issue exists within ArmorStart® LT that can result in a denial-of-service condition. During execution of the Achilles EtherNet/IP and CIP grammar tests, the device reboots unexpectedly, causing the Link State Monitor to go down for several seconds. | 2026-01-20 | not yet calculated | CVE-2025-9466 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1768.html |
| Rockwell Automation–CompactLogix 5370 | A denial-of-service security issue exists in the affected product. The security issue occurs when a malformed CIP forward open message is sent. This could result in a major nonrecoverable fault; a restart is required to recover. | 2026-01-20 | not yet calculated | CVE-2025-11743 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1770.html |
| Rockwell Automation–ControlLogix Redundancy Enhanced Module | Multiple denial-of-service vulnerabilities exist in the affected product. These issues can be triggered through various crafted inputs, including malformed Class 3 messages, memory leak conditions, and other resource exhaustion scenarios. Exploitation may cause the device to become unresponsive and, in some cases, result in a major nonrecoverable fault. Recovery may require a restart. | 2026-01-20 | not yet calculated | CVE-2025-14027 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1769.html |
| Rockwell Automation–Verve Asset Manager | A security issue was discovered within the legacy ADI server component of Verve Asset Manager, caused by plaintext secrets stored in environment variables on the ADI server. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14376 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Rockwell Automation–Verve Asset Manager | A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been retired and has been optional since the 1.36 release in 2024. | 2026-01-20 | not yet calculated | CVE-2025-14377 | https://www.rockwellautomation.com/en-us/trust-center/security-advisories/advisory.SD1767.html |
| Roxnor–GetGenie | Missing Authorization vulnerability in Roxnor GetGenie getgenie allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects GetGenie: from n/a through <= 4.3.0. | 2026-01-22 | not yet calculated | CVE-2026-24356 | https://patchstack.com/database/Wordpress/Plugin/getgenie/vulnerability/wordpress-getgenie-plugin-4-3-0-broken-access-control-vulnerability?_s_id=cve |
| Ruijie Networks Co., Ltd.–AP180(JA) V1.xx | AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices. | 2026-01-22 | not yet calculated | CVE-2026-23699 | https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument https://jvn.jp/en/jp/JVN86850670/ |
| RuoYi–RuoYi | Incorrect access control in the update function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily modify data outside of their scope. | 2026-01-23 | not yet calculated | CVE-2025-70985 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDK2 https://gist.github.com/old6ma/1a2dada02656ba9a4730c85f6c765f4f |
| RuoYi–RuoYi | Incorrect access control in the selectDept function of RuoYi v4.8.2 allows unauthorized attackers to arbitrarily access sensitive department data. | 2026-01-23 | not yet calculated | CVE-2025-70986 | https://github.com/yangzongzhuan/RuoYi https://gitee.com/y_project/RuoYi https://gitee.com/y_project/RuoYi/issues/IDIDME https://gist.github.com/old6ma/779320a98f361c299ca024521cb72db6 |
| Rustaurius–Ultimate Reviews | Authorization Bypass Through User-Controlled Key vulnerability in Rustaurius Ultimate Reviews ultimate-reviews allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Reviews: from n/a through <= 3.2.16. | 2026-01-23 | not yet calculated | CVE-2026-24634 | https://patchstack.com/database/Wordpress/Plugin/ultimate-reviews/vulnerability/wordpress-ultimate-reviews-plugin-3-2-16-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Ryviu–Ryviu – Product Reviews for WooCommerce | Missing Authorization vulnerability in Ryviu Ryviu – Product Reviews for WooCommerce ryviu allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ryviu – Product Reviews for WooCommerce: from n/a through <= 3.1.26. | 2026-01-23 | not yet calculated | CVE-2026-24562 | https://patchstack.com/database/Wordpress/Plugin/ryviu/vulnerability/wordpress-ryviu-product-reviews-for-woocommerce-plugin-3-1-26-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal–AppExperts | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Saad Iqbal AppExperts appexperts allows SQL Injection. This issue affects AppExperts: from n/a through <= 1.4.5. | 2026-01-22 | not yet calculated | CVE-2025-68881 | https://patchstack.com/database/Wordpress/Plugin/appexperts/vulnerability/wordpress-appexperts-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve |
| saeros1984–Neoforum | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in saeros1984 Neoforum neoforum allows Reflected XSS. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24623 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| saeros1984–Neoforum | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in saeros1984 Neoforum neoforum allows Blind SQL Injection. This issue affects Neoforum: from n/a through <= 1.0. | 2026-01-23 | not yet calculated | CVE-2026-24624 | https://patchstack.com/database/Wordpress/Plugin/neoforum/vulnerability/wordpress-neoforum-plugin-1-0-sql-injection-vulnerability?_s_id=cve |
| saleor–saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed users to modify rich text fields with HTML without running any backend HTML cleaners, thus allowing malicious actors to perform stored XSS attacks on dashboards and storefronts. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. For those unable to upgrade straight away, a possible workaround is to use a client-side cleaner. | 2026-01-21 | not yet calculated | CVE-2026-22849 | https://github.com/saleor/saleor/security/advisories/GHSA-8jcj-r5g2-qrpv https://github.com/saleor/saleor/commit/1085c7813224a0a65f1dac7275cbc3244e23c386 https://github.com/saleor/saleor/commit/676d95dbc7d811610e68f2ea8f9b6652cbd58e9b https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/b67a0b9d9f243e5d6c2f9c7643d42a54c24c90ee https://github.com/saleor/saleor/commit/bb5f883aeb0f085899a9d4f35d429cf7eb07a11d https://docs.saleor.io/security/#editorjs–html-cleaning |
| saleor–saleor | Saleor is an e-commerce platform. Starting in version 3.0.0 and prior to versions 3.20.108, 3.21.43, and 3.22.27, Saleor allowed authenticated staff users or Apps to upload arbitrary files, including malicious HTML and SVG files containing JavaScript. Depending on the deployment strategy, these files may be served from the same domain as the dashboard without any restrictions, leading to the execution of malicious scripts in the context of the user’s browser. Malicious staff members could craft script injections to target other staff members, possibly stealing their access and/or refresh tokens. Users are vulnerable if they host the media files inside the same domain as the dashboard, e.g., the dashboard is at `example.com/dashboard/` and media are under `example.com/media/`. They are not impacted if media files are hosted on a different domain, e.g., `media.example.com`. Users are impacted if they do not return a `Content-Disposition: attachment` header for the media files. Saleor Cloud users are not impacted. This issue has been patched in versions 3.22.27, 3.21.43, and 3.20.108. Some workarounds are available for those unable to upgrade. Configure the servers hosting the media files (e.g., CDN or reverse proxy) to return the `Content-Disposition: attachment` header; this instructs browsers to download the file instead of rendering it. Prevent the servers from returning HTML and SVG files. Set up a `Content-Security-Policy` for media files, such as `Content-Security-Policy: default-src ‘none’; base-uri ‘none’; frame-ancestors ‘none’; form-action ‘none’;`. | 2026-01-21 | not yet calculated | CVE-2026-23499 | https://github.com/saleor/saleor/security/advisories/GHSA-666h-2p49-pg95 https://github.com/saleor/saleor/commit/77f7927a0db9a216440df92c51012136f13e1d99 https://github.com/saleor/saleor/commit/7d33efc7a06252320cd51cbb20c2e308aed2fd10 https://github.com/saleor/saleor/commit/9110eba68c3f73afa1f72b45bd9b1394c752d335 https://github.com/saleor/saleor/commit/ac6936a336289c77398ef600cad3498ad4ba261c https://github.com/saleor/saleor/commit/b3cb27b3fe96dae3c879063e56d32a9398eabd24 https://docs.saleor.io/security/#restricted-file-uploads |
| saleor–saleor | Saleor is an e-commerce platform. Versions 3.2.0 through 3.20.109, 3.21.0-a.0 through 3.21.44 and 3.22.0-a.0 through 3.22.28 have an Insecure Direct Object Reference (IDOR) vulnerability that allows unauthenticated actors to extract sensitive information in plain text. Orders created before Saleor 3.2.0 could have PII exfiltrated. The issue has been patched in Saleor versions 3.22.29, 3.21.45, and 3.20.110. As a workaround, temporarily block non-staff users from fetching order information (the order() GraphQL query) using a WAF. | 2026-01-23 | not yet calculated | CVE-2026-24136 | https://github.com/saleor/saleor/security/advisories/GHSA-r6fj-f4r9-36gr https://github.com/saleor/saleor/commit/5dab1857fbb2801f74e2bfe86f307e4590d9d2fa https://github.com/saleor/saleor/commit/718ce1b4fc3aef68eeac1aea0cf1d70a614ba6af https://github.com/saleor/saleor/commit/9bcd4f9000b189297eeb3ac88cc28c6c30229153 https://github.com/saleor/saleor/commit/aeaced8acb5e01055eddec584263f77e517d5944 |
| Salesforce–Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) vulnerability in Salesforce Marketing Cloud Engagement (MicrositeUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22582 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce–Marketing Cloud Engagement | Improper Neutralization of Argument Delimiters in a Command (‘Argument Injection’) vulnerability in Salesforce Marketing Cloud Engagement (CloudPagesUrl module) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22583 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce–Marketing Cloud Engagement | Use of a Broken or Risky Cryptographic Algorithm vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22585 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Salesforce–Marketing Cloud Engagement | Hard-coded Cryptographic Key vulnerability in Salesforce Marketing Cloud Engagement (CloudPages, Forward to a Friend, Profile Center, Subscription Center, Unsub Center, View As Webpage modules) allows Web Services Protocol Manipulation. This issue affects Marketing Cloud Engagement: before January 21st, 2026. | 2026-01-24 | not yet calculated | CVE-2026-22586 | https://help.salesforce.com/s/articleView?id=005299346&type=1 |
| Scalenut–Scalenut | Missing Authorization vulnerability in Scalenut Scalenut scalenut allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Scalenut: from n/a through <= 1.1.3. | 2026-01-22 | not yet calculated | CVE-2025-68882 | https://patchstack.com/database/Wordpress/Plugin/scalenut/vulnerability/wordpress-scalenut-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve |
| scriptsbundle–AdForest | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in scriptsbundle AdForest adforest allows PHP Local File Inclusion. This issue affects AdForest: from n/a through <= 6.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67946 | https://patchstack.com/database/Wordpress/Theme/adforest/vulnerability/wordpress-adforest-theme-6-0-11-local-file-inclusion-vulnerability?_s_id=cve |
| scriptsbundle–AdForest Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in scriptsbundle AdForest Elementor adforest-elementor allows Reflected XSS. This issue affects AdForest Elementor: from n/a through <= 3.0.11. | 2026-01-22 | not yet calculated | CVE-2025-67947 | https://patchstack.com/database/Wordpress/Plugin/adforest-elementor/vulnerability/wordpress-adforest-elementor-plugin-3-0-11-cross-site-scripting-xss-vulnerability?_s_id=cve |
| scriptsbundle–CarSpot | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in scriptsbundle CarSpot carspot allows Reflected XSS. This issue affects CarSpot: from n/a through < 2.4.6. | 2026-01-22 | not yet calculated | CVE-2025-69317 | https://patchstack.com/database/Wordpress/Theme/carspot/vulnerability/wordpress-carspot-theme-2-4-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SeaTheme–BM Content Builder | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in SeaTheme BM Content Builder bm-builder allows Path Traversal. This issue affects BM Content Builder: from n/a through <= 3.16.3. | 2026-01-22 | not yet calculated | CVE-2025-69055 | https://patchstack.com/database/Wordpress/Plugin/bm-builder/vulnerability/wordpress-bm-content-builder-plugin-3-16-3-arbitrary-file-download-vulnerability?_s_id=cve |
| Select-Themes–Don Peppe | Missing Authorization vulnerability in Select-Themes Don Peppe donpeppe allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Don Peppe: from n/a through <= 1.3. | 2026-01-22 | not yet calculated | CVE-2026-22450 | https://patchstack.com/database/Wordpress/Theme/donpeppe/vulnerability/wordpress-don-peppe-theme-1-3-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes–Prowess | Missing Authorization vulnerability in Select-Themes Prowess prowess allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Prowess: from n/a through <= 1.8.1. | 2026-01-22 | not yet calculated | CVE-2026-22447 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-1-8-1-broken-access-control-vulnerability?_s_id=cve |
| Select-Themes–Prowess | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Select-Themes Prowess prowess allows PHP Local File Inclusion. This issue affects Prowess: from n/a through <= 2.3. | 2026-01-23 | not yet calculated | CVE-2026-24531 | https://patchstack.com/database/Wordpress/Theme/prowess/vulnerability/wordpress-prowess-theme-2-3-local-file-inclusion-vulnerability?_s_id=cve |
| SEOSEON EUROPE S.L–Affiliate Link Tracker | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in SEOSEON EUROPE S.L Affiliate Link Tracker affiliate-link-tracker allows Stored XSS. This issue affects Affiliate Link Tracker: from n/a through <= 0.2. | 2026-01-22 | not yet calculated | CVE-2025-62077 | https://patchstack.com/database/Wordpress/Plugin/affiliate-link-tracker/vulnerability/wordpress-affiliate-link-tracker-plugin-0-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sergiy Dzysyak–Suggestion Toolkit | Missing Authorization vulnerability in Sergiy Dzysyak Suggestion Toolkit suggestion-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Suggestion Toolkit: from n/a through <= 5.0. | 2026-01-23 | not yet calculated | CVE-2026-24622 | https://patchstack.com/database/Wordpress/Plugin/suggestion-toolkit/vulnerability/wordpress-suggestion-toolkit-plugin-5-0-broken-access-control-vulnerability?_s_id=cve |
| SESAME LABS, S.L–Sesame | Stored Cross-Site Scripting (XSS) vulnerability in Sesame web application, due to the fact that uploaded SVG images are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request using the ‘logo’ parameter in ‘/api/v3/companies/<ID>/logo’, which are then stored on the server and executed in the context of any user who accesses the compromised resource. | 2026-01-20 | not yet calculated | CVE-2025-41084 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-sesame-web-application |
| Shahjahan Jewel–FluentForm | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Shahjahan Jewel FluentForm fluentform allows Code Injection. This issue affects FluentForm: from n/a through <= 6.1.11. | 2026-01-22 | not yet calculated | CVE-2025-69001 | https://patchstack.com/database/Wordpress/Plugin/fluentform/vulnerability/wordpress-fluentform-plugin-6-1-11-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| sheepfish–WebP Conversion | Missing Authorization vulnerability in sheepfish WebP Conversion webp-conversion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WebP Conversion: from n/a through <= 2.1. | 2026-01-23 | not yet calculated | CVE-2026-24530 | https://patchstack.com/database/Wordpress/Plugin/webp-conversion/vulnerability/wordpress-webp-conversion-plugin-2-1-broken-access-control-vulnerability?_s_id=cve |
| shinetheme–Traveler | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in shinetheme Traveler traveler allows Blind SQL Injection. This issue affects Traveler: from n/a through < 3.2.8. | 2026-01-22 | not yet calculated | CVE-2026-24367 | https://patchstack.com/database/Wordpress/Theme/traveler/vulnerability/wordpress-traveler-theme-3-2-8-sql-injection-vulnerability?_s_id=cve |
| shoutoutglobal–ShoutOut | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in shoutoutglobal ShoutOut shoutout allows Reflected XSS. This issue affects ShoutOut: from n/a through <= 4.0.2. | 2026-01-22 | not yet calculated | CVE-2025-68894 | https://patchstack.com/database/Wordpress/Plugin/shoutout/vulnerability/wordpress-shoutout-plugin-4-0-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| SiteLock–SiteLock Security | Missing Authorization vulnerability in SiteLock SiteLock Security sitelock allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SiteLock Security: from n/a through <= 5.0.2. | 2026-01-23 | not yet calculated | CVE-2026-24532 | https://patchstack.com/database/Wordpress/Plugin/sitelock/vulnerability/wordpress-sitelock-security-plugin-5-0-2-broken-access-control-vulnerability?_s_id=cve |
| siyuan-note–siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 are vulnerable to reflected cross-site scripting in /api/icon/getDynamicIcon due to unsanitized SVG input. The endpoint generates SVG images for text icons (type=8). The content query parameter is inserted directly into the SVG <text> tag without XML escaping. Since the response Content-Type is image/svg+xml, injecting unescaped tags allows breaking the XML structure and executing JavaScript. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23847 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-w836-5gpm-7r93 https://github.com/siyuan-note/siyuan/issues/16844 https://github.com/siyuan-note/siyuan/commit/5c0cc375b47567e15edd2119066b09bb0aa18777 |
| siyuan-note–siyuan | SiYuan is a personal knowledge management system. In versions prior to 3.5.4, the markdown feature allows unrestricted server-side HTML rendering, which allows arbitrary file read (local file disclosure, LFD). Version 3.5.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23850 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-cv54-7wv7-qxcw https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad https://github.com/siyuan-note/siyuan/blob/master/kernel/model/file.go#L1035 https://github.com/siyuan-note/siyuan/blob/v3.4.2/kernel/api/filetree.go#L799-L886 |
| siyuan-note–siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 contain a logic vulnerability in the /api/file/globalCopyFiles endpoint. The function allows authenticated users to copy files from any location on the server’s filesystem into the application’s workspace without proper path validation. The vulnerability exists in the api/file.go source code. The function globalCopyFiles accepts a list of source paths (srcs) from the JSON request body. While the code checks if the source file exists using filelock.IsExist(src), it fails to validate whether the source path resides within the authorized workspace directory. Version 3.5.4 patches the issue. | 2026-01-19 | not yet calculated | CVE-2026-23851 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-94c7-g2fj-7682 https://github.com/siyuan-note/siyuan/issues/16860 https://github.com/siyuan-note/siyuan/commit/b2274baba2e11c8cf8901b0c5c871e5b27f1f6dd https://github.com/siyuan-note/siyuan/commit/f8f4b517077b92c90c0d7b51ac11be1b34b273ad |
| siyuan-note–siyuan | SiYuan is a personal knowledge management system. Versions prior to 3.5.4 have a stored Cross-Site Scripting (XSS) vulnerability that allows an attacker to inject arbitrary HTML attributes into the `icon` attribute of a block via the `/api/attr/setBlockAttrs` API. The payload is later rendered in the dynamic icon feature in an unsanitized context, leading to stored XSS and, in the desktop environment, potential remote code execution (RCE). This issue bypasses the previous fix for issue `#15970` (XSS → RCE via dynamic icons). Version 3.5.4 contains an updated fix. | 2026-01-19 | not yet calculated | CVE-2026-23852 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-7c6g-g2hx-23vv https://github.com/siyuan-note/siyuan/commit/0be7e1d4e0da9aac0da850b7aeb9b50ede7e5bdb |
| sizam–REHub Framework | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in sizam REHub Framework rehub-framework allows Retrieve Embedded Sensitive Data. This issue affects REHub Framework: from n/a through < 19.9.9.4. | 2026-01-22 | not yet calculated | CVE-2025-63051 | https://patchstack.com/database/Wordpress/Plugin/rehub-framework/vulnerability/wordpress-rehub-framework-plugin-19-9-9-sensitive-data-exposure-vulnerability?_s_id=cve |
| SmartDataSoft–Electrician – Electrical Service WordPress | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Electrician – Electrical Service WordPress electrician allows Server Side Request Forgery. This issue affects Electrician – Electrical Service WordPress: from n/a through <= 5.6. | 2026-01-22 | not yet calculated | CVE-2026-22358 | https://patchstack.com/database/Wordpress/Theme/electrician/vulnerability/wordpress-electrician-electrical-service-wordpress-theme-5-6-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmartDataSoft–Pool Services | Server-Side Request Forgery (SSRF) vulnerability in SmartDataSoft Pool Services pool-services allows Server Side Request Forgery. This issue affects Pool Services: from n/a through <= 3.3. | 2026-01-22 | not yet calculated | CVE-2025-62741 | https://patchstack.com/database/Wordpress/Theme/pool-services/vulnerability/wordpress-pool-services-theme-3-3-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| SmarterTools–SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an authentication bypass vulnerability in the password reset API. The force-reset-password endpoint permits anonymous requests and fails to verify the existing password or a reset token when resetting system administrator accounts. An unauthenticated attacker can supply a target administrator username and a new password to reset the account, resulting in full administrative compromise of the SmarterMail instance. NOTE: SmarterMail system administrator privileges grant the ability to execute operating system commands via built-in management functionality, effectively providing administrative (SYSTEM or root) access on the underlying host. | 2026-01-22 | not yet calculated | CVE-2026-23760 | https://www.smartertools.com/smartermail/release-notes/current https://labs.watchtowr.com/attackers-with-decompilers-strike-again-smartertools-smartermail-wt-2026-0001-auth-bypass/ https://code-white.com/public-vulnerability-list/#authenticationserviceforceresetpassword-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-authentication-bypass-via-password-reset-api |
| SmarterTools–SmarterMail | SmarterTools SmarterMail versions prior to build 9511 contain an unauthenticated remote code execution vulnerability in the ConnectToHub API method. An attacker could point SmarterMail at a malicious HTTP server that serves a malicious OS command, which the vulnerable application then executes. | 2026-01-23 | not yet calculated | CVE-2026-24423 | https://www.smartertools.com/smartermail/release-notes/current https://code-white.com/public-vulnerability-list/#systemadminsettingscontrollerconnecttohub-missing-authentication-in-smartermail https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-rce-via-connecttohub-api |
| Softwebmedia–Gyan Elements | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Softwebmedia Gyan Elements gyan-elements allows PHP Local File Inclusion. This issue affects Gyan Elements: from n/a through <= 2.2.1. | 2026-01-22 | not yet calculated | CVE-2026-23978 | https://patchstack.com/database/Wordpress/Plugin/gyan-elements/vulnerability/wordpress-gyan-elements-plugin-2-2-1-local-file-inclusion-vulnerability?_s_id=cve |
| solacewp–Solace | Missing Authorization vulnerability in solacewp Solace solace allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Solace: from n/a through <= 2.1.16. | 2026-01-22 | not yet calculated | CVE-2025-68911 | https://patchstack.com/database/Wordpress/Theme/solace/vulnerability/wordpress-solace-theme-2-1-16-broken-access-control-vulnerability?_s_id=cve |
| Sourcecodester–Sourcecodester | A Remote Code Execution (RCE) vulnerability exists in Sourcecodester Modern Image Gallery App v1.0 within the gallery/upload.php component. The application fails to properly validate uploaded file contents. Additionally, the application preserves the user-supplied file extension during the save process. This allows an unauthenticated attacker to upload arbitrary PHP code by spoofing the MIME type as an image, leading to full system compromise. | 2026-01-23 | not yet calculated | CVE-2025-70457 | https://www.sourcecodester.com/php/18572/modern-image-gallery-app-using-php-and-mysql-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-8xq6-hjhw-4983 |
| Sourcecodester–Sourcecodester | A DOM-based Cross-Site Scripting (XSS) vulnerability exists in the DomainCheckerApp class within domain/script.js of Sourcecodester Domain Availability Checker v1.0. The vulnerability occurs because the application improperly handles user-supplied data in the createResultElement method by using the unsafe innerHTML property to render domain search results. | 2026-01-23 | not yet calculated | CVE-2025-70458 | https://www.sourcecodester.com/php/18500/domain-availability-checker-using-php-and-javascript-source-code.html https://github.com/ismaildawoodjee/vulnerability-research/security/advisories/GHSA-chm7-vgf7-6f9p |
| SpringBlade–SpringBlade | Incorrect access control in the authRoutes function of SpringBlade v4.5.0 allows attackers with low-level privileges to escalate privileges. | 2026-01-23 | not yet calculated | CVE-2025-70983 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/35 https://gist.github.com/old6ma/9c4d2ba32cd8f562cb80796538157912 |
| Steve Truman–Email Inquiry & Cart Options for WooCommerce | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Steve Truman Email Inquiry & Cart Options for WooCommerce woocommerce-email-inquiry-cart-options allows DOM-Based XSS. This issue affects Email Inquiry & Cart Options for WooCommerce: from n/a through <= 3.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24526 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-email-inquiry-cart-options/vulnerability/wordpress-email-inquiry-cart-options-for-woocommerce-plugin-3-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve |
| storeapps–Stock Manager for WooCommerce | Cross-Site Request Forgery (CSRF) vulnerability in storeapps Stock Manager for WooCommerce woocommerce-stock-manager allows Cross Site Request Forgery. This issue affects Stock Manager for WooCommerce: from n/a through < 3.6.0. | 2026-01-22 | not yet calculated | CVE-2026-24365 | https://patchstack.com/database/Wordpress/Plugin/woocommerce-stock-manager/vulnerability/wordpress-stock-manager-for-woocommerce-plugin-3-6-0-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Strategy11 Team–AWP Classifieds | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Strategy11 Team AWP Classifieds another-wordpress-classifieds-plugin allows Retrieve Embedded Sensitive Data. This issue affects AWP Classifieds: from n/a through <= 4.4.3. | 2026-01-23 | not yet calculated | CVE-2026-24593 | https://patchstack.com/database/Wordpress/Plugin/another-wordpress-classifieds-plugin/vulnerability/wordpress-awp-classifieds-plugin-4-4-3-sensitive-data-exposure-vulnerability?_s_id=cve |
| strongholdthemes–Dental Care CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Dental Care CPT dentalcare-cpt allows Object Injection. This issue affects Dental Care CPT: from n/a through <= 20.2. | 2026-01-22 | not yet calculated | CVE-2025-69035 | https://patchstack.com/database/Wordpress/Plugin/dentalcare-cpt/vulnerability/wordpress-dental-care-cpt-plugin-20-2-php-object-injection-vulnerability?_s_id=cve |
| strongholdthemes–Tech Life CPT | Deserialization of Untrusted Data vulnerability in strongholdthemes Tech Life CPT techlife-cpt allows Object Injection. This issue affects Tech Life CPT: from n/a through <= 16.4. | 2026-01-22 | not yet calculated | CVE-2025-69036 | https://patchstack.com/database/Wordpress/Plugin/techlife-cpt/vulnerability/wordpress-tech-life-cpt-plugin-16-4-php-object-injection-vulnerability?_s_id=cve |
| subhansanjaya–Carousel Horizontal Posts Content Slider | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in subhansanjaya Carousel Horizontal Posts Content Slider carousel-horizontal-posts-content-slider allows DOM-Based XSS. This issue affects Carousel Horizontal Posts Content Slider: from n/a through <= 3.3.2. | 2026-01-22 | not yet calculated | CVE-2026-22347 | https://patchstack.com/database/Wordpress/Plugin/carousel-horizontal-posts-content-slider/vulnerability/wordpress-carousel-horizontal-posts-content-slider-plugin-3-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Sully–Media Library File Size | Missing Authorization vulnerability in Sully Media Library File Size media-library-file-size allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Media Library File Size: from n/a through <= 1.6.7. | 2026-01-23 | not yet calculated | CVE-2026-24569 | https://patchstack.com/database/Wordpress/Plugin/media-library-file-size/vulnerability/wordpress-media-library-file-size-plugin-1-6-7-broken-access-control-vulnerability?_s_id=cve |
| sumup–SumUp Payment Gateway For WooCommerce | Missing Authorization vulnerability in sumup SumUp Payment Gateway For WooCommerce sumup-payment-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects SumUp Payment Gateway For WooCommerce: from n/a through <= 2.7.9. | 2026-01-23 | not yet calculated | CVE-2026-24583 | https://patchstack.com/database/Wordpress/Plugin/sumup-payment-gateway-for-woocommerce/vulnerability/wordpress-sumup-payment-gateway-for-woocommerce-plugin-2-7-9-broken-access-control-vulnerability?_s_id=cve |
| swingmx–swingmusic | Swing Music is a self-hosted music player for local audio files. Prior to version 2.1.4, Swing Music’s `list_folders()` function in the `/folder/dir-browser` endpoint is vulnerable to directory traversal attacks. Any authenticated user (including non-admin) can browse arbitrary directories on the server filesystem. Version 2.1.4 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23877 | https://github.com/swingmx/swingmusic/security/advisories/GHSA-pj88-9xww-gxmh https://github.com/swingmx/swingmusic/commit/9a915ca62af1502b9550722df82f5d432cb73de3 |
| Syed Balkhi–Sugar Calendar (Lite) | Missing Authorization vulnerability in Syed Balkhi Sugar Calendar (Lite) sugar-calendar-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sugar Calendar (Lite): from n/a through <= 3.10.1. | 2026-01-23 | not yet calculated | CVE-2026-24636 | https://patchstack.com/database/Wordpress/Plugin/sugar-calendar-lite/vulnerability/wordpress-sugar-calendar-lite-plugin-3-10-1-broken-access-control-vulnerability?_s_id=cve |
| tabbyai–Tabby Checkout | Insertion of Sensitive Information Into Sent Data vulnerability in tabbyai Tabby Checkout tabby-checkout allows Retrieve Embedded Sensitive Data. This issue affects Tabby Checkout: from n/a through <= 5.8.4. | 2026-01-22 | not yet calculated | CVE-2025-68035 | https://patchstack.com/database/Wordpress/Plugin/tabby-checkout/vulnerability/wordpress-tabby-checkout-plugin-5-8-4-sensitive-data-exposure-vulnerability?_s_id=cve |
| tagDiv–tagDiv Composer | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in tagDiv tagDiv Composer td-composer allows DOM-Based XSS. This issue affects tagDiv Composer: from n/a through <= 5.4.2. | 2026-01-22 | not yet calculated | CVE-2025-50005 | https://patchstack.com/database/Wordpress/Plugin/td-composer/vulnerability/wordpress-tagdiv-composer-plugin-5-4-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| TangibleWP–Listivo Core | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in TangibleWP Listivo Core listivo-core allows PHP Local File Inclusion. This issue affects Listivo Core: from n/a through <= 2.3.77. | 2026-01-22 | not yet calculated | CVE-2025-67957 | https://patchstack.com/database/Wordpress/Plugin/listivo-core/vulnerability/wordpress-listivo-core-plugin-2-3-77-local-file-inclusion-vulnerability?_s_id=cve |
| TangibleWP–MyHome Core | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in TangibleWP MyHome Core myhome-core allows PHP Local File Inclusion. This issue affects MyHome Core: from n/a through <= 4.1.0. | 2026-01-22 | not yet calculated | CVE-2025-67955 | https://patchstack.com/database/Wordpress/Plugin/myhome-core/vulnerability/wordpress-myhome-core-plugin-4-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Tasos Fel–Civic Cookie Control | Missing Authorization vulnerability in Tasos Fel Civic Cookie Control civic-cookie-control-8 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Civic Cookie Control: from n/a through <= 1.53. | 2026-01-22 | not yet calculated | CVE-2026-22348 | https://patchstack.com/database/Wordpress/Plugin/civic-cookie-control-8/vulnerability/wordpress-civic-cookie-control-plugin-1-53-broken-access-control-vulnerability?_s_id=cve |
| Taxcloud–TaxCloud for WooCommerce | Missing Authorization vulnerability in Taxcloud TaxCloud for WooCommerce simple-sales-tax allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects TaxCloud for WooCommerce: from n/a through <= 8.3.8. | 2026-01-22 | not yet calculated | CVE-2025-67958 | https://patchstack.com/database/Wordpress/Plugin/simple-sales-tax/vulnerability/wordpress-taxcloud-for-woocommerce-plugin-8-3-8-broken-access-control-vulnerability?_s_id=cve |
| temash–Barberry | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in temash Barberry barberry allows PHP Local File Inclusion. This issue affects Barberry: from n/a through <= 2.9.9.87. | 2026-01-22 | not yet calculated | CVE-2025-68908 | https://patchstack.com/database/Wordpress/Theme/barberry/vulnerability/wordpress-barberry-theme-2-9-9-87-local-file-inclusion-vulnerability?_s_id=cve |
| Tenda–Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the list parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69762 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d?pvs=74 https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef80718ff2c3869d32392d |
| Tenda–Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack overflow in formSetIptv via the vlanId parameter, which can cause memory corruption and enable remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69763 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formSetIptv-2c9a595a7aef8025a3c6c4b102d95dd4 |
| Tenda–Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the stbpvid stack buffer, which may result in memory corruption and remote code execution. | 2026-01-22 | not yet calculated | CVE-2025-69764 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef80e9b90fdaa56f51374b |
| Tenda–Tenda | Tenda AX3 firmware v16.03.12.11 contains a stack-based buffer overflow in the formGetIptv function due to improper handling of the citytag stack buffer, which may result in memory corruption and remote code execution. | 2026-01-21 | not yet calculated | CVE-2025-69766 | https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a?source=copy_link https://river-brow-763.notion.site/Tenda-AX3-Buffer-Overflow-in-formGetIptv-2c9a595a7aef8043a091e6722b8e255a |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the time parameter of the sub_60CFC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70644 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/3/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetWifiMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70645 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/2/1.md |
| Tenda–Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security parameter of the sub_72290 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70646 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/5/1.md |
| Tenda–Tenda | Tenda AX1803 v1.0.0.1 was discovered to contain a stack overflow in the security_5g parameter of the sub_727F4 function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70648 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/6/1.md |
| Tenda–Tenda | Tenda AX-1806 v1.0.0.1 was discovered to contain a stack overflow in the deviceList parameter of the formSetMacFilterCfg function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70650 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1806/1/1.md |
| Tenda–Tenda | Tenda AX-1803 v1.0.0.1 was discovered to contain a stack overflow in the ssid parameter of the form_fast_setting_wifi_set function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. | 2026-01-21 | not yet calculated | CVE-2025-70651 | https://github.com/0-fool/VulnbyCola/blob/main/Tenda/AX-1803/4/1.md |
| The GNU C Library–glibc | Calling wordexp with WRDE_REUSE in conjunction with WRDE_APPEND in the GNU C Library version 2.0 to version 2.42 may cause the interface to return uninitialized memory in the we_wordv member, which on subsequent calls to wordfree may abort the process. | 2026-01-20 | not yet calculated | CVE-2025-15281 | https://sourceware.org/bugzilla/show_bug.cgi?id=33814 |
| Theme-one–The Grid | Missing Authorization vulnerability in Theme-one The Grid the-grid allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects The Grid: from n/a through < 2.8.0. | 2026-01-22 | not yet calculated | CVE-2026-24368 | https://patchstack.com/database/Wordpress/Plugin/the-grid/vulnerability/wordpress-the-grid-plugin-2-8-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez–Cream Magazine | Missing Authorization vulnerability in themebeez Cream Magazine cream-magazine allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Cream Magazine: from n/a through <= 2.1.10. | 2026-01-23 | not yet calculated | CVE-2026-24615 | https://patchstack.com/database/Wordpress/Theme/cream-magazine/vulnerability/wordpress-cream-magazine-theme-2-1-10-broken-access-control-vulnerability?_s_id=cve |
| themebeez–Orchid Store | Missing Authorization vulnerability in themebeez Orchid Store orchid-store allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Orchid Store: from n/a through <= 1.5.15. | 2026-01-23 | not yet calculated | CVE-2026-24612 | https://patchstack.com/database/Wordpress/Theme/orchid-store/vulnerability/wordpress-orchid-store-theme-1-5-15-broken-access-control-vulnerability?_s_id=cve |
| themebeez–Simple GDPR Cookie Compliance | Missing Authorization vulnerability in themebeez Simple GDPR Cookie Compliance simple-gdpr-cookie-compliance allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Simple GDPR Cookie Compliance: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24604 | https://patchstack.com/database/Wordpress/Plugin/simple-gdpr-cookie-compliance/vulnerability/wordpress-simple-gdpr-cookie-compliance-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| themebeez–Universal Google Adsense and Ads manager | Missing Authorization vulnerability in themebeez Universal Google Adsense and Ads manager universal-google-adsense-and-ads-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Universal Google Adsense and Ads manager: from n/a through <= 1.1.8. | 2026-01-23 | not yet calculated | CVE-2026-24603 | https://patchstack.com/database/Wordpress/Plugin/universal-google-adsense-and-ads-manager/vulnerability/wordpress-universal-google-adsense-and-ads-manager-plugin-1-1-8-broken-access-control-vulnerability?_s_id=cve |
| Themefic–Hydra Booking | Incorrect Privilege Assignment vulnerability in Themefic Hydra Booking hydra-booking allows Privilege Escalation. This issue affects Hydra Booking: from n/a through <= 1.1.32. | 2026-01-22 | not yet calculated | CVE-2025-68027 | https://patchstack.com/database/Wordpress/Plugin/hydra-booking/vulnerability/wordpress-hydra-booking-plugin-1-1-32-privilege-escalation-vulnerability?_s_id=cve |
| ThemeGoods–Craft | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Craft craftcoffee allows DOM-Based XSS. This issue affects Craft: from n/a through <= 2.3.6. | 2026-01-22 | not yet calculated | CVE-2025-68538 | https://patchstack.com/database/Wordpress/Theme/craftcoffee/vulnerability/wordpress-craft-coffee-shop-cafe-restaurant-wordpress-theme-2-3-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–DotLife | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods DotLife dotlife allows Reflected XSS. This issue affects DotLife: from n/a through < 4.9.5. | 2026-01-22 | not yet calculated | CVE-2025-68520 | https://patchstack.com/database/Wordpress/Theme/dotlife/vulnerability/wordpress-dotlife-theme-4-9-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Grand Magazine | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Grand Magazine grandmagazine allows Reflected XSS. This issue affects Grand Magazine: from n/a through <= 3.5.7. | 2026-01-22 | not yet calculated | CVE-2025-69320 | https://patchstack.com/database/Wordpress/Theme/grandmagazine/vulnerability/wordpress-grand-magazine-theme-3-5-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Grand Restaurant Theme Elements for Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Grand Restaurant Theme Elements for Elementor grandrestaurant-elementor allows Stored XSS. This issue affects Grand Restaurant Theme Elements for Elementor: from n/a through <= 2.1.1. | 2026-01-22 | not yet calculated | CVE-2025-63026 | https://patchstack.com/database/Wordpress/Plugin/grandrestaurant-elementor/vulnerability/wordpress-grand-restaurant-theme-elements-for-elementor-plugin-2-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Grand Spa | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Grand Spa grandspa allows Reflected XSS. This issue affects Grand Spa: from n/a through <= 3.5.5. | 2026-01-22 | not yet calculated | CVE-2025-69321 | https://patchstack.com/database/Wordpress/Theme/grandspa/vulnerability/wordpress-grand-spa-theme-3-5-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Grand Tour | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Grand Tour grandtour allows Reflected XSS. This issue affects Grand Tour: from n/a through < 5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67952 | https://patchstack.com/database/Wordpress/Theme/grandtour/vulnerability/wordpress-grand-tour-theme-5-6-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Hoteller | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThemeGoods Hoteller hoteller allows Reflected XSS. This issue affects Hoteller: from n/a through < 6.8.9. | 2026-01-22 | not yet calculated | CVE-2025-68518 | https://patchstack.com/database/Wordpress/Theme/hoteller/vulnerability/wordpress-hoteller-theme-6-8-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Photography | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ThemeGoods Photography photography allows PHP Local File Inclusion. This issue affects Photography: from n/a through < 7.7.5. | 2026-01-22 | not yet calculated | CVE-2025-68510 | https://patchstack.com/database/Wordpress/Theme/photography/vulnerability/wordpress-photography-theme-7-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| ThemeGoods–PhotoMe | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods PhotoMe photome allows Server Side Request Forgery. This issue affects PhotoMe: from n/a through < 5.7.2. | 2026-01-22 | not yet calculated | CVE-2026-24381 | https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-2-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| ThemeHunk–Contact Form & Lead Form Elementor Builder | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in ThemeHunk Contact Form & Lead Form Elementor Builder lead-form-builder allows Retrieve Embedded Sensitive Data. This issue affects Contact Form & Lead Form Elementor Builder: from n/a through <= 2.0.1. | 2026-01-22 | not yet calculated | CVE-2025-68046 | https://patchstack.com/database/Wordpress/Plugin/lead-form-builder/vulnerability/wordpress-contact-form-lead-form-elementor-builder-plugin-2-0-1-sensitive-data-exposure-vulnerability?_s_id=cve |
| themepassion–Ultra Portfolio | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in themepassion Ultra Portfolio ultra-portfolio allows Blind SQL Injection. This issue affects Ultra Portfolio: from n/a through <= 6.7. | 2026-01-22 | not yet calculated | CVE-2025-69180 | https://patchstack.com/database/Wordpress/Plugin/ultra-portfolio/vulnerability/wordpress-ultra-portfolio-plugin-6-7-sql-injection-vulnerability?_s_id=cve |
| ThemeREX–Sound | Musical Instruments Online Store | Deserialization of Untrusted Data vulnerability in ThemeREX Sound | Musical Instruments Online Store musicplace allows Object Injection. This issue affects Sound | Musical Instruments Online Store: from n/a through <= 1.6.9. | 2026-01-22 | not yet calculated | CVE-2025-69079 | https://patchstack.com/database/Wordpress/Theme/musicplace/vulnerability/wordpress-sound-musical-instruments-online-store-theme-1-6-9-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| themeton–Consult Aid | Deserialization of Untrusted Data vulnerability in themeton Consult Aid consultaid allows Object Injection. This issue affects Consult Aid: from n/a through <= 1.4.3. | 2026-01-22 | not yet calculated | CVE-2025-67617 | https://patchstack.com/database/Wordpress/Theme/consultaid/vulnerability/wordpress-consult-aid-theme-1-4-3-php-object-injection-vulnerability?_s_id=cve |
| Themeum–Tutor LMS | Authorization Bypass Through User-Controlled Key vulnerability in Themeum Tutor LMS tutor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tutor LMS: from n/a through <= 3.9.4. | 2026-01-22 | not yet calculated | CVE-2025-47555 | https://patchstack.com/database/Wordpress/Plugin/tutor/vulnerability/wordpress-tutor-lms-plugin-3-9-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| Themeum–Tutor LMS BunnyNet Integration | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Themeum Tutor LMS BunnyNet Integration tutor-lms-bunnynet-integration allows DOM-Based XSS. This issue affects Tutor LMS BunnyNet Integration: from n/a through <= 1.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24584 | https://patchstack.com/database/Wordpress/Plugin/tutor-lms-bunnynet-integration/vulnerability/wordpress-tutor-lms-bunnynet-integration-plugin-1-0-0-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThimPress–LearnPress – Course Review | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in ThimPress LearnPress – Course Review learnpress-course-review allows Stored XSS. This issue affects LearnPress – Course Review: from n/a through <= 4.1.9. | 2026-01-22 | not yet calculated | CVE-2026-24361 | https://patchstack.com/database/Wordpress/Plugin/learnpress-course-review/vulnerability/wordpress-learnpress-course-review-plugin-4-1-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Tickera–Tickera | Missing Authorization vulnerability in Tickera Tickera tickera-event-ticketing-system allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Tickera: from n/a through <= 3.5.6.2. | 2026-01-22 | not yet calculated | CVE-2025-67939 | https://patchstack.com/database/Wordpress/Plugin/tickera-event-ticketing-system/vulnerability/wordpress-tickera-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve |
| Timur Kamaev–Kama Thumbnail | Cross-Site Request Forgery (CSRF) vulnerability in Timur Kamaev Kama Thumbnail kama-thumbnail allows Cross Site Request Forgery. This issue affects Kama Thumbnail: from n/a through <= 3.5.1. | 2026-01-23 | not yet calculated | CVE-2026-24521 | https://patchstack.com/database/Wordpress/Plugin/kama-thumbnail/vulnerability/wordpress-kama-thumbnail-plugin-3-5-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| tinyMQTT–tinyMQTT | In tinyMQTT commit 6226ade15bd4f97be2d196352e64dd10937c1962 (2024-02-18), a memory leak occurs due to the broker’s failure to validate or reject malformed UTF-8 strings in topic filters. An attacker can exploit this by sending repeated subscription requests with arbitrarily large or invalid filter payloads. Each request causes memory to be allocated for the malformed topic filter, but the broker does not free the associated memory, leading to unbounded heap growth and potential denial of service under sustained attack. | 2026-01-20 | not yet calculated | CVE-2025-56353 | https://github.com/JustDoIt0910/tinyMQTT/issues/19 |
| TMS Global–TMS Global | A path traversal vulnerability exists in TMS Management Console (version 6.3.7.27386.20250818) from TMS Global Software. The “Download Template” function in the profile dashboard does not neutralize directory traversal sequences (../) in the filePath parameter, allowing authenticated users to read arbitrary files, such as the server’s Web.config. | 2026-01-22 | not yet calculated | CVE-2025-69612 | http://tms.com https://tmsglobalsoft.com/ https://github.com/Cr0wld3r/CVE-2025-69612/blob/main/PoC.md |
| TMS Global–TMS Global | File Upload vulnerability in TMS Global Software TMS Management Console v.6.3.7.27386.20250818 allows a remote attacker to execute arbitrary code via the Logo upload in /Customer/AddEdit. | 2026-01-22 | not yet calculated | CVE-2025-69828 | https://tmsglobalsoft.com https://github.com/ZuoqTr/CVE/blob/main/CVE-2025-69828.md |
| ToDesktop–ToDesktop Builder | An improper certificate validation vulnerability exists in ToDesktop Builder v0.32.1. This vulnerability allows an unauthenticated, on-path attacker to spoof backend responses by exploiting insufficient certificate validation. | 2026-01-23 | not yet calculated | CVE-2025-67229 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-001 |
| ToDesktop–ToDesktop Builder | Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allow attackers with renderer-context access to invoke external protocol handlers without sufficient validation. | 2026-01-23 | not yet calculated | CVE-2025-67230 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-002 |
| ToDesktop–ToDesktop Builder | A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary script in the context of a user’s browser via a crafted payload. | 2026-01-23 | not yet calculated | CVE-2025-67231 | https://www.todesktop.com/changelog https://www.todesktop.com/security/advisories/TDSA-2025-003 |
| topdevs–Smart Product Viewer | Missing Authorization vulnerability in topdevs Smart Product Viewer smart-product-viewer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Smart Product Viewer: from n/a through <= 1.5.4. | 2026-01-23 | not yet calculated | CVE-2026-24588 | https://patchstack.com/database/Wordpress/Plugin/smart-product-viewer/vulnerability/wordpress-smart-product-viewer-plugin-1-5-4-broken-access-control-vulnerability?_s_id=cve |
| TP-Link Systems Inc.–Archer C20 v6.0, Archer AX53 v1.0 | Logic vulnerability in TP-Link Archer C20 v6.0 and Archer AX53 v1.0 (TDDP module) allows unauthenticated attackers on the adjacent network to execute administrative commands, including factory reset and device reboot, without credentials, causing configuration loss and interruption of device availability. This issue affects Archer C20 v6.0 before firmware V6_251031 and Archer AX53 v1.0 before firmware V1_251215. | 2026-01-21 | not yet calculated | CVE-2026-0834 | https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://mattg.systems/posts/cve-2026-0834/ |
| TP-Link Systems Inc.–Omada Software Controller | A Cross-Site Scripting (XSS) vulnerability was identified in a parameter in Omada Controllers due to improper input sanitization. Exploitation requires advanced conditions, such as network positioning or emulating a trusted entity, and user interaction by an authenticated administrator. If successful, an attacker could execute arbitrary JavaScript in the administrator’s browser, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9289 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/us/document/114950/ |
| TP-Link Systems Inc.–Omada Software Controller | An authentication weakness was identified in Omada Controllers, Gateways and Access Points, controller-device adoption due to improper handling of random values. Exploitation requires advanced network positioning and allows an attacker to intercept adoption traffic and forge valid authentication through offline precomputation, potentially exposing sensitive information and compromising confidentiality. | 2026-01-22 | not yet calculated | CVE-2025-9290 | https://support.omadanetworks.com/us/download/ https://support.omadanetworks.com/en/download/ https://support.omadanetworks.com/us/document/114950/ |
| Trimble–SketchUp | Trimble SketchUp SKP File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trimble SketchUp. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SKP files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-27769. | 2026-01-23 | not yet calculated | CVE-2025-15062 | ZDI-25-1198 |
| Trusona–Trusona for WordPress | Missing Authorization vulnerability in Trusona Trusona for WordPress trusona allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Trusona for WordPress: from n/a through <= 2.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24627 | https://patchstack.com/database/Wordpress/Plugin/trusona/vulnerability/wordpress-trusona-for-wordpress-plugin-2-0-0-broken-access-control-vulnerability?_s_id=cve |
| TYPO3–Extension “Mailqueue” | The extension extends TYPO3’s FileSpool component, which was vulnerable to insecure deserialization prior to TYPO3-CORE-SA-2026-004 (https://typo3.org/security/advisory/typo3-core-sa-2026-004). Because the extension carries its own copy of the affected code, extracted from TYPO3 core, and that copy overrides the patched core component, using the extension with a patched TYPO3 core version still allows insecure deserialization. More information about this vulnerability can be found in the related TYPO3 core security advisory TYPO3-CORE-SA-2026-004. | 2026-01-20 | not yet calculated | CVE-2026-0895 | https://typo3.org/security/advisory/typo3-ext-sa-2026-001 https://github.com/CPS-IT/mailqueue/commit/fd09aa4e1a751551bae4b228bee814e22f2048db https://github.com/CPS-IT/mailqueue/commit/12a0a35027bb5609917790a94e43bbf117abf733 |
| Unknown–Bookingor | The Bookingor WordPress plugin through 1.0.12 exposes authenticated AJAX actions without capability or nonce checks, allowing low-privileged users to delete plugin data. | 2026-01-20 | not yet calculated | CVE-2025-12573 | https://wpscan.com/vulnerability/b6198d76-813c-4f13-8b3d-b4609095ae34/ |
| upnp–upnp | A command injection vulnerability exists in the upnp_relay() function in multiple ipTIME router models because the controlURL value used to pass port-forwarding information to an upper router is passed to system() without proper validation or sanitization, allowing OS command injection. | 2026-01-20 | not yet calculated | CVE-2025-55423 | https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document https://docs.google.com/spreadsheets/d/1kryOFltCmnPJvDTpIrudgryt79uI4PWchuQ8-Gak24c/edit?usp=sharing https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json |
| uPress–Booter | Missing Authorization vulnerability in uPress Booter booter-bots-crawlers-manager allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Booter: from n/a through <= 1.5.7. | 2026-01-23 | not yet calculated | CVE-2026-24534 | https://patchstack.com/database/Wordpress/Plugin/booter-bots-crawlers-manager/vulnerability/wordpress-booter-plugin-1-5-7-broken-access-control-vulnerability?_s_id=cve |
| Upsonic–Upsonic | Upsonic Cloudpickle Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Upsonic. Authentication is not required to exploit this vulnerability. The specific flaw exists within the add_tool endpoint, which listens on TCP port 7541 by default. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26845. | 2026-01-23 | not yet calculated | CVE-2026-0773 | ZDI-26-042 |
| uxper–Golo | Missing Authorization vulnerability in uxper Golo golo allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23974 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-broken-access-control-vulnerability?_s_id=cve |
| uxper–Golo | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in uxper Golo golo allows PHP Local File Inclusion. This issue affects Golo: from n/a through < 1.7.5. | 2026-01-22 | not yet calculated | CVE-2026-23975 | https://patchstack.com/database/Wordpress/Theme/golo/vulnerability/wordpress-golo-theme-1-7-5-local-file-inclusion-vulnerability?_s_id=cve |
| VB-Audio Software–Matrix | VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a local privilege escalation vulnerability in the VBMatrix VAIO virtual audio driver (vbmatrixvaio64*_win10.sys). The driver allocates a 128-byte non-paged pool buffer and, upon receiving IOCTL 0x222060, maps it into user space using an MDL and MmMapLockedPagesSpecifyCache. Because the allocation size is not page-aligned, the mapping exposes the entire 0x1000-byte kernel page containing the buffer plus adjacent non-paged pool allocations with read/write permissions. An unprivileged local attacker can open a device handle (using the required 0x800 attribute flag), invoke the IOCTL to obtain the mapping, and then read or modify live kernel objects and pointers present on that page. This enables bypass of KASLR, arbitrary kernel memory read/write within the exposed page, corruption of kernel objects, and escalation to SYSTEM. | 2026-01-22 | not yet calculated | CVE-2026-23763 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23763 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-matrix-drivers-local-privilege-escalation-via-kernel-memory-exposure |
| VB-Audio Software–Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). When a handle is opened with a special file attribute value, the drivers improperly initialize FILE_OBJECT->FsContext to a non-pointer magic value. If subsequent operations are not handled by the VB-Audio driver and are forwarded down the audio driver stack (e.g., via PortCls to ks.sys), the invalid FsContext value can be dereferenced, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_ACCESS_VIOLATION. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23761 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23761 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-improper-file-object-fscontext-initialization |
| VB-Audio Software–Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers map non-paged pool memory into user space via MmMapLockedPagesSpecifyCache using UserMode access without proper exception handling. If the mapping fails, such as when a process has exhausted available virtual address space, MmMapLockedPagesSpecifyCache raises an exception that is not caught, causing a kernel crash (BSoD), typically SYSTEM_SERVICE_EXCEPTION with STATUS_NO_MEMORY. This flaw allows a local unprivileged user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23762 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23762 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-mmmaplockedpagesspecifycache |
| VB-Audio Software–Voicemeeter (Standard) | VB-Audio Voicemeeter, Voicemeeter Banana, and Voicemeeter Potato (versions ending in 1.1.1.9, 2.1.1.9, and 3.1.1.9 and earlier, respectively), as well as VB-Audio Matrix and Matrix Coconut (versions ending in 1.0.2.2 and 2.0.2.2 and earlier, respectively), contain a vulnerability in their virtual audio drivers (vbvoicemeetervaio64*.sys, vbmatrixvaio64*.sys, vbaudio_vmauxvaio*.sys, vbaudio_vmvaio*.sys, and vbaudio_vmvaio3*.sys). The drivers allocate non-paged pool and map it into user space, where a length value associated with the allocation is exposed and can be modified by an unprivileged local attacker. On subsequent IOCTL handling, the corrupted length is used directly as the IoAllocateMdl length argument without adequate integrity checks before building and mapping the MDL, which can cause a kernel crash (BSoD), typically PAGE_FAULT_IN_NONPAGED_AREA. This flaw allows a local user to trigger a denial-of-service on affected Windows systems. | 2026-01-22 | not yet calculated | CVE-2026-23764 | https://github.com/emkaix/security-research/tree/main/CVE-2026-23764 https://forum.vb-audio.com/viewtopic.php?p=7574#p7574 https://forum.vb-audio.com/viewtopic.php?p=7527#p7527 https://vb-audio.com/ https://www.vulncheck.com/advisories/vb-audio-voicemeeter-and-matrix-drivers-dos-via-corrupted-ioallocatemdl-length |
| VEGA–VEGA | An issue in Beat XP VEGA Smartwatch (firmware version RB303ATV006229) allows an attacker to cause a denial of service via the BLE connection. | 2026-01-22 | not yet calculated | CVE-2025-69821 | https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment/blob/main/BeatXP_Vega_Smartwatch_Security_Assessment_Report.pdf https://github.com/CipherX1802/CVE-2025-69821-Beat-XP-Vega-Smartwatch-Security-Assessment.git |
| VibeThemes–WPLMS | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) vulnerability in VibeThemes WPLMS wplms_plugin allows Path Traversal. This issue affects WPLMS: from n/a through <= 1.9.9.5.4. | 2026-01-22 | not yet calculated | CVE-2025-69097 | https://patchstack.com/database/Wordpress/Plugin/wplms_plugin/vulnerability/wordpress-wplms-plugin-1-9-9-5-4-arbitrary-file-deletion-vulnerability?_s_id=cve |
| Vladimir Statsenko–Terms descriptions | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Vladimir Statsenko Terms descriptions terms-descriptions allows DOM-Based XSS. This issue affects Terms descriptions: from n/a through <= 3.4.9. | 2026-01-23 | not yet calculated | CVE-2026-24621 | https://patchstack.com/database/Wordpress/Plugin/terms-descriptions/vulnerability/wordpress-terms-descriptions-plugin-3-4-9-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Vollstart–Event Tickets with Ticket Scanner | Improper Control of Generation of Code (‘Code Injection’) vulnerability in Vollstart Event Tickets with Ticket Scanner event-tickets-with-ticket-scanner allows Code Injection. This issue affects Event Tickets with Ticket Scanner: from n/a through <= 2.8.3. | 2026-01-22 | not yet calculated | CVE-2025-68015 | https://patchstack.com/database/Wordpress/Plugin/event-tickets-with-ticket-scanner/vulnerability/wordpress-event-tickets-with-ticket-scanner-plugin-2-7-10-remote-code-execution-rce-vulnerability?_s_id=cve |
| vrpr–WDV One Page Docs | Missing Authorization vulnerability in vrpr WDV One Page Docs wdv-one-page-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WDV One Page Docs: from n/a through <= 1.2.4. | 2026-01-22 | not yet calculated | CVE-2025-68896 | https://patchstack.com/database/Wordpress/Plugin/wdv-one-page-docs/vulnerability/wordpress-wdv-one-page-docs-plugin-1-2-4-broken-access-control-vulnerability?_s_id=cve |
| WANotifier–WANotifier | Missing Authorization vulnerability in WANotifier WANotifier notifier allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WANotifier: from n/a through <= 2.7.12. | 2026-01-22 | not yet calculated | CVE-2025-68020 | https://patchstack.com/database/Wordpress/Plugin/notifier/vulnerability/wordpress-wanotifier-plugin-2-7-12-broken-access-control-vulnerability?_s_id=cve |
| WatchYourLAN–WatchYourLAN | WatchYourLAN Configuration Page Argument Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of WatchYourLAN. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of the arpstrs parameter. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26708. | 2026-01-23 | not yet calculated | CVE-2026-0774 | ZDI-26-039 |
| wbolt.com–IMGspider | Server-Side Request Forgery (SSRF) vulnerability in wbolt.com IMGspider imgspider allows Server Side Request Forgery. This issue affects IMGspider: from n/a through <= 2.3.12. | 2026-01-22 | not yet calculated | CVE-2026-22482 | https://patchstack.com/database/Wordpress/Plugin/imgspider/vulnerability/wordpress-imgspider-plugin-2-3-12-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Web Impian–Bayarcash WooCommerce | Missing Authorization vulnerability in Web Impian Bayarcash WooCommerce bayarcash-wc allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bayarcash WooCommerce: from n/a through <= 4.3.11. | 2026-01-23 | not yet calculated | CVE-2026-24606 | https://patchstack.com/database/Wordpress/Plugin/bayarcash-wc/vulnerability/wordpress-bayarcash-woocommerce-plugin-4-3-11-broken-access-control-vulnerability?_s_id=cve |
| WebAppick–CTX Feed | Missing Authorization vulnerability in WebAppick CTX Feed webappick-product-feed-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CTX Feed: from n/a through <= 6.6.18. | 2026-01-22 | not yet calculated | CVE-2026-22461 | https://patchstack.com/database/Wordpress/Plugin/webappick-product-feed-for-woocommerce/vulnerability/wordpress-ctx-feed-plugin-6-6-15-broken-access-control-vulnerability?_s_id=cve |
| webdevstudios–Automatic Featured Images from Videos | Missing Authorization vulnerability in webdevstudios Automatic Featured Images from Videos automatic-featured-images-from-videos allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Automatic Featured Images from Videos: from n/a through <= 1.2.7. | 2026-01-23 | not yet calculated | CVE-2026-24535 | https://patchstack.com/database/Wordpress/Plugin/automatic-featured-images-from-videos/vulnerability/wordpress-automatic-featured-images-from-videos-plugin-1-2-7-broken-access-control-vulnerability?_s_id=cve |
| WebGeniusLab–iRecco Core | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in WebGeniusLab iRecco Core irecco-core allows PHP Local File Inclusion. This issue affects iRecco Core: from n/a through <= 1.3.6. | 2026-01-22 | not yet calculated | CVE-2025-69046 | https://patchstack.com/database/Wordpress/Plugin/irecco-core/vulnerability/wordpress-irecco-core-plugin-1-3-6-local-file-inclusion-vulnerability?_s_id=cve |
| WebPros–WordPress Toolkit | An issue with WordPress directory names in WebPros WordPress Toolkit before 6.9.1 allows privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-66428 | https://docs.plesk.com/release-notes/obsidian/change-log/#wordpress-toolkit-6.9.1 |
| webpushr–Webpushr | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in webpushr Webpushr webpushr-web-push-notifications allows Retrieve Embedded Sensitive Data. This issue affects Webpushr: from n/a through <= 4.38.0. | 2026-01-23 | not yet calculated | CVE-2026-24536 | https://patchstack.com/database/Wordpress/Plugin/webpushr-web-push-notifications/vulnerability/wordpress-webpushr-plugin-4-38-0-sensitive-data-exposure-vulnerability?_s_id=cve |
| Weintek–cMT3072XH | The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable. A low-privileged user can modify the parameters and potentially manipulate account-level privileges. | 2026-01-22 | not yet calculated | CVE-2025-14750 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| Weintek–cMT3072XH | A low-privileged user can bypass account credentials without confirming the user’s current authentication state, which may lead to unauthorized privilege escalation. | 2026-01-22 | not yet calculated | CVE-2025-14751 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-05 |
| WEN Solutions–Contact Form 7 GetResponse Extension | Insertion of Sensitive Information Into Sent Data vulnerability in WEN Solutions Contact Form 7 GetResponse Extension contact-form-7-getresponse-extension allows Retrieve Embedded Sensitive Data. This issue affects Contact Form 7 GetResponse Extension: from n/a through <= 1.0.8. | 2026-01-23 | not yet calculated | CVE-2026-24557 | https://patchstack.com/database/Wordpress/Plugin/contact-form-7-getresponse-extension/vulnerability/wordpress-contact-form-7-getresponse-extension-plugin-1-0-8-sensitive-data-exposure-vulnerability?_s_id=cve |
| whisper-money–whisper-money | Whisper Money is a personal finance application. Versions prior to 0.1.5 have an insecure direct object reference vulnerability. A user can update/create account balances in other users’ bank accounts. Version 0.1.5 fixes the issue. | 2026-01-19 | not yet calculated | CVE-2026-23844 | https://github.com/whisper-money/whisper-money/security/advisories/GHSA-c4g3-wpxr-2m74 https://github.com/whisper-money/whisper-money/pull/60 https://github.com/whisper-money/whisper-money/commit/80117c3edeaf5c5a5166f3815fc555a15b5ce686 |
| winkm89–teachPress | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in winkm89 teachPress teachpress allows Stored XSS. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22353 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-scripting-xss-vulnerability?_s_id=cve |
| winkm89–teachPress | Cross-Site Request Forgery (CSRF) vulnerability in winkm89 teachPress teachpress allows Cross Site Request Forgery. This issue affects teachPress: from n/a through <= 9.0.12. | 2026-01-22 | not yet calculated | CVE-2026-22483 | https://patchstack.com/database/Wordpress/Plugin/teachpress/vulnerability/wordpress-teachpress-plugin-9-0-12-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| WisdmLabs–Edwiser Bridge | Missing Authorization vulnerability in WisdmLabs Edwiser Bridge edwiser-bridge allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Edwiser Bridge: from n/a through <= 4.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24570 | https://patchstack.com/database/Wordpress/Plugin/edwiser-bridge/vulnerability/wordpress-edwiser-bridge-plugin-4-3-2-broken-access-control-vulnerability?_s_id=cve |
| woofer696–Dinatur | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in woofer696 Dinatur dinatur allows Stored XSS. This issue affects Dinatur: from n/a through <= 1.18. | 2026-01-22 | not yet calculated | CVE-2025-68866 | https://patchstack.com/database/Wordpress/Plugin/dinatur/vulnerability/wordpress-dinatur-plugin-1-18-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WorklogPRO–WorklogPRO | The WorklogPRO – Timesheets for Jira plugin in Jira Data Center before version 4.23.6-jira10 and before version 4.23.5-jira9 allows attackers to inject arbitrary HTML or JavaScript via a stored cross-site scripting (XSS) vulnerability. The vulnerability is exploited via a specially crafted payload placed in an issue’s summary field. | 2026-01-21 | not yet calculated | CVE-2025-57681 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/spaces/WLP/pages/3326574597/Security+Advisory+CVE-2025-57681+-+Stored+XSS+in+WorklogPRO+DC |
| WorklogPRO–WorklogPRO | The WorklogPRO – Jira Timesheets plugin in the Jira Data Center before 4.24.2-jira9, 4.24.2-jira10 and 4.24.2-jira11 allows attackers to inject arbitrary HTML or JavaScript via XSS. This is exploited via a crafted payload placed in the name of a filter. This code is executed in the browser when the user attempts to create a timesheet with the filter timesheet type on the custom timesheet dialog because the filter name is not properly sanitized during the action. | 2026-01-20 | not yet calculated | CVE-2025-67824 | https://marketplace.atlassian.com/apps/1212626/worklogpro-timesheets-for-jira/version-history https://thestarware.atlassian.net/wiki/x/CAAdyg |
| WP Chill–Gallery PhotoBlocks | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Chill Gallery PhotoBlocks photoblocks-grid-gallery allows DOM-Based XSS. This issue affects Gallery PhotoBlocks: from n/a through <= 1.3.2. | 2026-01-22 | not yet calculated | CVE-2026-24389 | https://patchstack.com/database/Wordpress/Plugin/photoblocks-grid-gallery/vulnerability/wordpress-gallery-photoblocks-plugin-1-3-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill–Modula Image Gallery | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Stored XSS. This issue affects Modula Image Gallery: from n/a through <= 2.13.4. | 2026-01-22 | not yet calculated | CVE-2026-23976 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-4-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Messiah–Ai Image Alt Text Generator for WP | Missing Authorization vulnerability in WP Messiah Ai Image Alt Text Generator for WP ai-image-alt-text-generator-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ai Image Alt Text Generator for WP: from n/a through <= 1.1.9. | 2026-01-23 | not yet calculated | CVE-2026-24579 | https://patchstack.com/database/Wordpress/Plugin/ai-image-alt-text-generator-for-wp/vulnerability/wordpress-ai-image-alt-text-generator-for-wp-plugin-1-1-9-broken-access-control-vulnerability?_s_id=cve |
| WP Messiah–Frontis Blocks | Server-Side Request Forgery (SSRF) vulnerability in WP Messiah Frontis Blocks frontis-blocks allows Server Side Request Forgery. This issue affects Frontis Blocks: from n/a through <= 1.1.5. | 2026-01-22 | not yet calculated | CVE-2025-68030 | https://patchstack.com/database/Wordpress/Plugin/frontis-blocks/vulnerability/wordpress-frontis-blocks-plugin-1-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| WP Swings–Points and Rewards for WooCommerce | Missing Authorization vulnerability in WP Swings Points and Rewards for WooCommerce points-and-rewards-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Points and Rewards for WooCommerce: from n/a through <= 2.9.5. | 2026-01-23 | not yet calculated | CVE-2026-24581 | https://patchstack.com/database/Wordpress/Plugin/points-and-rewards-for-woocommerce/vulnerability/wordpress-points-and-rewards-for-woocommerce-plugin-2-9-5-broken-access-control-vulnerability?_s_id=cve |
| WP Travel–WP Travel | Missing Authorization vulnerability in WP Travel WP Travel wp-travel allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Travel: from n/a through <= 11.0.0. | 2026-01-23 | not yet calculated | CVE-2026-24568 | https://patchstack.com/database/Wordpress/Plugin/wp-travel/vulnerability/wordpress-wp-travel-plugin-11-0-0-broken-access-control-vulnerability?_s_id=cve |
| wpdive–ElementCamp | Missing Authorization vulnerability in wpdive ElementCamp element-camp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementCamp: from n/a through <= 2.3.2. | 2026-01-23 | not yet calculated | CVE-2026-24556 | https://patchstack.com/database/Wordpress/Plugin/element-camp/vulnerability/wordpress-elementcamp-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve |
| wpeverest–User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.6. | 2026-01-22 | not yet calculated | CVE-2025-67956 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-6-broken-access-control-vulnerability?_s_id=cve |
| wpeverest–User Registration | Missing Authorization vulnerability in wpeverest User Registration user-registration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects User Registration: from n/a through <= 4.4.9. | 2026-01-22 | not yet calculated | CVE-2026-24353 | https://patchstack.com/database/Wordpress/Plugin/user-registration/vulnerability/wordpress-user-registration-plugin-4-4-9-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| wphocus–My auctions allegro | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows Reflected XSS. This issue affects My auctions allegro: from n/a through <= 3.6.32. | 2026-01-22 | not yet calculated | CVE-2025-67943 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-32-cross-site-scripting-xss-vulnerability-2?_s_id=cve |
| wphocus–My auctions allegro | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in wphocus My auctions allegro my-auctions-allegro-free-edition allows PHP Local File Inclusion. This issue affects My auctions allegro: from n/a through <= 3.6.33. | 2026-01-22 | not yet calculated | CVE-2026-22464 | https://patchstack.com/database/Wordpress/Plugin/my-auctions-allegro-free-edition/vulnerability/wordpress-my-auctions-allegro-plugin-3-6-33-local-file-inclusion-vulnerability?_s_id=cve |
| wpjobportal–WP Job Portal | Authorization Bypass Through User-Controlled Key vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Job Portal: from n/a through <= 2.4.3. | 2026-01-22 | not yet calculated | CVE-2026-24379 | https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| wproyal–Bard | Missing Authorization vulnerability in wproyal Bard bard allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Bard: from n/a through <= 2.229. | 2026-01-22 | not yet calculated | CVE-2025-63018 | https://patchstack.com/database/Wordpress/Theme/bard/vulnerability/wordpress-bard-theme-2-229-broken-access-control-vulnerability?_s_id=cve |
| wptravelengine–Travel Monster | Missing Authorization vulnerability in wptravelengine Travel Monster travel-monster allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travel Monster: from n/a through <= 1.3.3. | 2026-01-23 | not yet calculated | CVE-2026-24607 | https://patchstack.com/database/Wordpress/Theme/travel-monster/vulnerability/wordpress-travel-monster-theme-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| wpWave–Hide My WP | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in wpWave Hide My WP hide_my_wp allows Reflected XSS. This issue affects Hide My WP: from n/a through <= 6.2.12. | 2026-01-22 | not yet calculated | CVE-2025-69098 | https://patchstack.com/database/Wordpress/Plugin/hide_my_wp/vulnerability/wordpress-hide-my-wp-plugin-6-2-12-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WPXPO–PostX | Missing Authorization vulnerability in WPXPO PostX ultimate-post allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects PostX: from n/a through <= 5.0.3. | 2026-01-22 | not yet calculated | CVE-2025-69313 | https://patchstack.com/database/Wordpress/Plugin/ultimate-post/vulnerability/wordpress-postx-plugin-5-0-3-broken-access-control-vulnerability?_s_id=cve |
| XDocReport | A Server-Side Template Injection (SSTI) vulnerability in the FreeMarker component of opensagres XDocReport v1.0.0 to v2.1.0 allows attackers to execute arbitrary code via injecting crafted template expressions. | 2026-01-20 | not yet calculated | CVE-2025-64087 | https://github.com/opensagres/xdocreport https://github.com/opensagres/xdocreport/pull/705 https://hackmd.io/@cuongnh/BJEnw7SAlg https://hackmd.io/@cuongnh/SkQvhEf0lx https://github.com/AT190510-Cuong/CVE-2025-64087-SSTI- |
| XDocReport–XDocReport | An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file. | 2026-01-20 | not yet calculated | CVE-2025-65482 | https://github.com/opensagres/xdocreport https://drive.google.com/drive/folders/1hUyCznpBN7ivo5krmyJ4OQc_q626Hy5q?usp=sharing https://hackmd.io/@cuongnh/r1B7B8fJ-g https://hackmd.io/@cuongnh/rkJPCgSy-l https://github.com/AT190510-Cuong/CVE-2025-65482-XXE- |
| XLPlugins–NextMove Lite | Authorization Bypass Through User-Controlled Key vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects NextMove Lite: from n/a through <= 2.23.0. | 2026-01-23 | not yet calculated | CVE-2026-24599 | https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-23-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| XpeedStudio–Bajaar – Highly Customizable WooCommerce WordPress Theme | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in XpeedStudio Bajaar – Highly Customizable WooCommerce WordPress Theme bajaar allows PHP Local File Inclusion. This issue affects Bajaar – Highly Customizable WooCommerce WordPress Theme: from n/a through <= 2.1.0. | 2026-01-22 | not yet calculated | CVE-2025-69004 | https://patchstack.com/database/Wordpress/Theme/bajaar/vulnerability/wordpress-bajaar-highly-customizable-woocommerce-wordpress-theme-theme-2-1-0-local-file-inclusion-vulnerability?_s_id=cve |
| Xpro–Xpro Elementor Addons | Unrestricted Upload of File with Dangerous Type vulnerability in Xpro Xpro Elementor Addons xpro-elementor-addons allows Upload a Web Shell to a Web Server. This issue affects Xpro Elementor Addons: from n/a through <= 1.4.19.1. | 2026-01-22 | not yet calculated | CVE-2025-69312 | https://patchstack.com/database/Wordpress/Plugin/xpro-elementor-addons/vulnerability/wordpress-xpro-elementor-addons-plugin-1-4-19-1-arbitrary-file-upload-vulnerability?_s_id=cve |
| xtemos–WoodMart | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in xtemos WoodMart woodmart allows Code Injection. This issue affects WoodMart: from n/a through <= 8.3.7. | 2026-01-22 | not yet calculated | CVE-2025-47600 | https://patchstack.com/database/Wordpress/Theme/woodmart/vulnerability/wordpress-woodmart-theme-8-3-7-arbitrary-shortcode-execution-vulnerability?_s_id=cve |
| xwiki–xwiki-platform | XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Versions 7.0-milestone-2 through 16.10.11, 17.0.0-rc-1 through 17.4.4, and 17.5.0-rc-1 through 17.7.0 contain a reflected Cross-site Scripting (XSS) vulnerability, which allows an attacker to craft a malicious URL and execute arbitrary actions with the same privileges as the victim. If the victim has administrative or programming rights, those rights can be exploited to gain full access to the XWiki installation. This issue has been patched in versions 17.8.0-rc-1, 17.4.5 and 16.10.12. As a workaround, the patch can be applied manually: only a single line in templates/logging_macros.vm needs to be changed, and no restart is required. | 2026-01-23 | not yet calculated | CVE-2026-24128 | https://github.com/xwiki/xwiki-platform/security/advisories/GHSA-wvqx-m5px-6cmp https://github.com/xwiki/xwiki-platform/commit/8337ac8c3b19c37f306723b638b2cae8b0a57dbf https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-16.10.12 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.4.5 https://github.com/xwiki/xwiki-platform/releases/tag/xwiki-platform-17.8.0-rc-1 https://jira.xwiki.org/browse/XWIKI-23462 |
| yasir129–Turn Yoast SEO FAQ Block to Accordion | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in yasir129 Turn Yoast SEO FAQ Block to Accordion faq-schema-block-to-accordion allows Stored XSS. This issue affects Turn Yoast SEO FAQ Block to Accordion: from n/a through <= 1.0.6. | 2026-01-23 | not yet calculated | CVE-2026-24591 | https://patchstack.com/database/Wordpress/Plugin/faq-schema-block-to-accordion/vulnerability/wordpress-turn-yoast-seo-faq-block-to-accordion-plugin-1-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve |
| YITHEMES–YITH WooCommerce Request A Quote | Missing Authorization vulnerability in YITHEMES YITH WooCommerce Request A Quote yith-woocommerce-request-a-quote allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YITH WooCommerce Request A Quote: from n/a through <= 2.46.0. | 2026-01-22 | not yet calculated | CVE-2026-24366 | https://patchstack.com/database/Wordpress/Plugin/yith-woocommerce-request-a-quote/vulnerability/wordpress-yith-woocommerce-request-a-quote-plugin-2-46-0-broken-access-control-vulnerability?_s_id=cve |
| zhblue–hustoj | hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the “Nickname” field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula, the formula will be executed when an administrator exports and opens the rank list in Microsoft Excel. This can lead to arbitrary command execution (RCE) on the administrator’s machine or data exfiltration. A fix was not available at the time of publication. | 2026-01-21 | not yet calculated | CVE-2026-23873 | https://github.com/zhblue/hustoj/security/advisories/GHSA-gqwv-v7vx-2qjw |
| zohocrm–Zoho CRM Lead Magnet | Missing Authorization vulnerability in zohocrm Zoho CRM Lead Magnet zoho-crm-forms allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Zoho CRM Lead Magnet: from n/a through <= 1.8.1.5. | 2026-01-23 | not yet calculated | CVE-2026-24595 | https://patchstack.com/database/Wordpress/Plugin/zoho-crm-forms/vulnerability/wordpress-zoho-crm-lead-magnet-plugin-1-8-1-5-broken-access-control-vulnerability?_s_id=cve |
| ZoomIt–DZS Video Gallery | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in ZoomIt DZS Video Gallery dzs-videogallery allows SQL Injection. This issue affects DZS Video Gallery: from n/a through <= 12.37. | 2026-01-22 | not yet calculated | CVE-2025-49049 | https://patchstack.com/database/Wordpress/Plugin/dzs-videogallery/vulnerability/wordpress-dzs-video-gallery-plugin-12-37-sql-injection-vulnerability?_s_id=cve |
| zozothemes–Miion | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in zozothemes Miion miion allows PHP Local File Inclusion. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68913 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-local-file-inclusion-vulnerability?_s_id=cve |
| zozothemes–Miion | Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Miion miion allows Upload a Web Shell to a Web Server. This issue affects Miion: from n/a through <= 1.2.7. | 2026-01-22 | not yet calculated | CVE-2025-68986 | https://patchstack.com/database/Wordpress/Theme/miion/vulnerability/wordpress-miion-theme-1-2-7-arbitrary-file-upload-vulnerability?_s_id=cve |
| Zuinq Studio–IsMyGym | Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by sending them a malicious URL with ‘/<PATH>.php/<XSS>’. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-20 | not yet calculated | CVE-2025-41081 | https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-ismygym |
