CVE-2026-42089 - yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
CVE ID :CVE-2026-42089
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-42089
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation and code execution during CLI bootstrap. The vulnerable method is installLocalGenerators(), which calls repository.install() directly without prompting the user. This issue has been fixed in version 6.0.0.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-44932 - indirect remote shell command injection via unsanitized DHCP options in wicked
CVE ID :CVE-2026-44932
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-44932
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Passing of unsanitized strings from DHCP replies into the wicked dhcp client before wicked 0.6.79 could be used by attackers operating a malicious DHCP server to execute code on the local machine.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-53776 - Perry < 0.5.1166 JWT Expiration Bypass via verify_decode
CVE ID :CVE-2026-53776
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-53776
Published : June 16, 2026, 5:16 p.m. | 43 minutes ago
Description :Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the unconditional setting of validate_exp = false in the verify_decode helper within the stdlib JWT verification path. Attackers in possession of a previously issued bearer token can present expired tokens to any jwt.verify() call and retain authenticated access indefinitely, bypassing force-expired sessions such as user logout or administrative revocation.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-39580 - WordPress Micdrop theme <= 1.3.1 - PHP Object Injection vulnerability
CVE ID :CVE-2026-39580
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-39580
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Micdrop <= 1.3.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40736 - WordPress Laurits theme <= 1.5.1 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40736
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40736
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Laurits <= 1.5.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40739 - WordPress LuxeDrive theme <= 1.4 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40739
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40739
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in LuxeDrive <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40751 - WordPress Ashtanga theme <= 1.2 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40751
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40751
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Ashtanga <= 1.2 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40754 - WordPress Roisin theme <= 1.4 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40754
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40754
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Roisin <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40755 - WordPress TechLink theme <= 1.3 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40755
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40755
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in TechLink <= 1.3 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40758 - WordPress Léonie theme <= 1.2.1 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40758
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40758
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Léonie <= 1.2.1 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40759 - WordPress Esmée theme <= 1.4 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40759
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40759
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Esmée <= 1.4 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40760 - WordPress Behold theme <= 1.5 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40760
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40760
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Behold <= 1.5 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40761 - WordPress Valeska theme <= 1.2.2 - PHP Object Injection vulnerability
CVE ID :CVE-2026-40761
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40761
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated PHP Object Injection in Valeska <= 1.2.2 versions.
Severity: 8.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-48869 - WordPress Enfold theme <= 7.1.4 - Reflected Cross Site Scripting (XSS) vulnerability
CVE ID :CVE-2026-48869
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-48869
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated Cross Site Scripting (XSS) in Enfold <= 7.1.4 versions.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49057 - WordPress JobSearch plugin <= 3.2.7 - Broken Access Control vulnerability
CVE ID :CVE-2026-49057
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49057
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated Broken Access Control in JobSearch <= 3.2.7 versions.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49080 - WordPress wpDataTables plugin <= 7.3.6 - SQL Injection vulnerability
CVE ID :CVE-2026-49080
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49080
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Unauthenticated SQL Injection in wpDataTables <= 7.3.6 versions.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49113 - WordPress Cornerstone plugin < 7.8.8 - Arbitrary Code Execution vulnerability
CVE ID :CVE-2026-49113
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49113
Published : June 16, 2026, 8:57 p.m. | 1 hour, 3 minutes ago
Description :Subscriber Arbitrary Code Execution in Cornerstone < 7.8.8 versions.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-11410 - OS Command Injection in BigPond Cable (BPA) Configuration in TP-Link TL-WR940N
CVE ID :CVE-2026-11410
Published : June 16, 2026, 9:03 p.m. | 57 minutes ago
Description :An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-11410
Published : June 16, 2026, 9:03 p.m. | 57 minutes ago
Description :An authenticated OS command injection vulnerability exists in the BigPond Cable (BPA) WAN configuration module in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-11409 - OS Command Injection in IPv6 PPPoE Configuration in TP-Link TL-WR940N
CVE ID :CVE-2026-11409
Published : June 16, 2026, 9:03 p.m. | 56 minutes ago
Description :An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-11409
Published : June 16, 2026, 9:03 p.m. | 56 minutes ago
Description :An authenticated OS command injection vulnerability exists in the IPv6 PPPoE configuration handler in TL-WR940N v6 due to improper sanitization of user input. An attacker with administrative access may exploit this issue to execute arbitrary system commands with elevated privileges.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-48055 - Streambert: Arbitrary File Write (Zip Slip) via Subtitle Extraction
CVE ID :CVE-2026-48055
Published : June 16, 2026, 9:17 p.m. | 42 minutes ago
Description :Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-48055
Published : June 16, 2026, 9:17 p.m. | 42 minutes ago
Description :Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and prior, a high-severity Zip Slip vulnerability was identified in Streambert's subtitle extraction logic. The application does not sanitize archive entry filenames during extraction, allowing a malicious archive to perform path traversal and write arbitrary files to the host filesystem. The subtitle extraction process downloads a ZIP archive and extracts its entries. The destination file path is constructed by concatenating the raw archive entry name (extracted.name) directly to the temporary directory path. If a malicious ZIP archive containing directory traversal sequences is processed, it escapes the temporary directory boundaries. The application then writes the extracted payload anywhere on the host filesystem subject to the application's current write permissions. This issue has been fixed in version 2.5.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-49073 - WordPress Directorist Booking plugin <= 3.0.3 - SQL Injection vulnerability
CVE ID :CVE-2026-49073
Published : June 16, 2026, 9:23 p.m. | 37 minutes ago
Description :Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-49073
Published : June 16, 2026, 9:23 p.m. | 37 minutes ago
Description :Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in wpWax Directorist Booking allows Blind SQL Injection. This issue affects Directorist Booking: from n/a through 3.0.3.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...