CVE tracker
344 subscribers
4.68K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
CVE-2026-57763 - WordPress Structured Content plugin <= 1.7.0 - Cross Site Scripting (XSS) vulnerability

CVE ID: CVE-2026-57763
Published: July 2, 2026, 11:16 a.m.
Description: Cross Site Scripting (XSS), exploitable by users with the Contributor role, in Structured Content <= 1.7.0.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-57764 - WordPress Surbma | Yoast SEO Breadcrumb Shortcode plugin <= 1.2 - Cross Site Scripting (XSS) vulnerability

CVE ID: CVE-2026-57764
Published: July 2, 2026, 11:16 a.m.
Description: Cross Site Scripting (XSS), exploitable by users with the Contributor role, in Surbma | Yoast SEO Breadcrumb Shortcode <= 1.2.
Severity: 6.5 | MEDIUM
CVE-2026-57765 - WordPress WP EasyCart plugin <= 5.9.0 - SQL Injection vulnerability

CVE ID: CVE-2026-57765
Published: July 2, 2026, 11:16 a.m.
Description: SQL Injection, exploitable by users with the Contributor role, in WP EasyCart <= 5.9.0.
Severity: 8.5 | HIGH
CVE-2026-57766 - WordPress WPIDE – File Manager & Code Editor plugin <= 3.5.6 - Cross Site Request Forgery (CSRF) vulnerability

CVE ID: CVE-2026-57766
Published: July 2, 2026, 11:16 a.m.
Description: Unauthenticated Cross Site Request Forgery (CSRF) in WPIDE – File Manager & Code Editor <= 3.5.6.
Severity: 8.8 | HIGH
CVE-2026-56037 - WordPress Themify Popup plugin <= 1.4.3 - PHP Object Injection vulnerability

CVE ID: CVE-2026-56037
Published: July 2, 2026, 11:30 a.m.
Description: Deserialization of Untrusted Data vulnerability in Themify Themify Popup allows Object Injection. This issue affects Themify Popup: from n/a through 1.4.3.
Severity: 8.8 | HIGH
CVE-2026-57678 - WordPress Slider Revolution plugin 7.0.0-7.0.16 - Cross Site Scripting (XSS) vulnerability

CVE ID: CVE-2026-57678
Published: July 2, 2026, 11:32 a.m.
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemePunch Slider Revolution allows Reflected XSS. This issue affects Slider Revolution: from 7.0.0 through 7.0.16.
Severity: 7.1 | HIGH
CVE-2026-57760 - WordPress Sendcloud Shipping plugin <= 1.0.29 - Broken Access Control vulnerability

CVE ID: CVE-2026-57760
Published: July 2, 2026, 11:33 a.m.
Description: Missing Authorization vulnerability in Sendcloud Sendcloud Shipping allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendcloud Shipping: from n/a through 1.0.29.
Severity: 5.3 | MEDIUM
CVE-2026-14449 - POST-based reflected XSS via the thanks parameter in form components

CVE ID: CVE-2026-14449
Published: July 2, 2026, 11:47 a.m.
Description: u5CMS through v12.8.8 is vulnerable to reflected XSS via the 'thanks' parameter in multiple form components.
Severity: 6.4 | MEDIUM
CVE-2026-58652 - luci-app-travelmate - Arbitrary Command Execution via UCI Script Parameter

CVE ID: CVE-2026-58652
Published: July 2, 2026, 12:28 p.m.
Description: luci-app-travelmate (and the travelmate package) contain a privilege-escalation flaw: a LuCI/rpcd session holding the luci-app-travelmate write ACL is granted config-wide UCI write access to the travelmate configuration. While the LuCI UI restricts the auto-login script picker to /etc/travelmate/*.login, this is only a frontend restriction. The backend travelmate service (running as root) reads the raw UCI 'script' and 'script_args' values and executes the configured path when the captive-portal auto-login branch (f_check() in travelmate-functions.sh) is reached. An attacker with delegated write permissions can set script to /bin/sh and script_args to attacker-controlled arguments, resulting in arbitrary command execution as root. Confirmed in luci-app-travelmate/travelmate 2.4.5-r3; the sink is still present in travelmate 2.4.6-1 and no patched version is known.
Severity: 7.7 | HIGH
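The core point of this entry is that the /etc/travelmate/*.login restriction lives only in the LuCI picker, so the root-side service has to enforce the same allowlist itself before executing anything. The Python model below is added here as an illustration and is not travelmate's own code (the real service is a shell script, travelmate-functions.sh); it contrasts the trust-the-UCI-value behaviour the advisory describes with a server-side check. The UCI sections and the example.login filename used with it are constructed.

```python
import os
import posixpath

# Constraints the advisory says the LuCI picker enforces but the backend does not:
# login scripts live directly under /etc/travelmate and carry a .login suffix.
SCRIPT_DIR = "/etc/travelmate"
SCRIPT_SUFFIX = ".login"


def select_login_command_vulnerable(uci):
    """Mirrors the described flaw: whatever 'script' holds becomes argv[0] and the
    raw 'script_args' string is word-split behind it, so script=/bin/sh runs as root."""
    script = uci.get("script", "")
    if not script:
        return None
    return [script] + uci.get("script_args", "").split()


def select_login_command_hardened(uci, script_dir=SCRIPT_DIR, is_file=os.path.isfile):
    """Re-validates the UCI value on the privileged side: the normalised path must
    stay inside script_dir, keep the .login suffix and name an existing regular
    file. Arguments are returned as a discrete argv list (to be executed without
    a shell), so script_args cannot splice in extra commands."""
    script = uci.get("script", "")
    if not script:
        return None
    # normpath collapses ".." and "." so /etc/travelmate/../../bin/sh becomes /bin/sh
    # and fails the prefix check. On a live system use os.path.realpath as well,
    # which also resolves symlinks planted in the directory.
    normalized = posixpath.normpath(script)
    prefix = script_dir.rstrip("/") + "/"
    if not normalized.startswith(prefix):
        raise PermissionError(f"script outside {script_dir}: {script!r}")
    name = normalized[len(prefix):]
    if "/" in name or not name.endswith(SCRIPT_SUFFIX) or name == SCRIPT_SUFFIX:
        raise PermissionError(f"script is not a {script_dir}/*{SCRIPT_SUFFIX} file: {script!r}")
    if not is_file(normalized):
        raise PermissionError(f"script does not exist: {normalized}")
    return [normalized] + uci.get("script_args", "").split()


if __name__ == "__main__":
    # Constructed UCI section of the kind a delegated writer could set.
    attacker = {"script": "/bin/sh", "script_args": "-c id"}
    print(select_login_command_vulnerable(attacker))
    try:
        select_login_command_hardened(attacker, is_file=lambda p: False)
    except PermissionError as err:
        print("rejected:", err)
```

The `is_file` parameter exists only so the check can be exercised against constructed paths without touching the filesystem; in the service itself the default `os.path.isfile` (or a `[ -f ]` test in shell) is what runs.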
CVE-2026-58653 - PraisonAI - Authorization Bypass via Unvalidated project_id in Issue Create/Update

CVE ID: CVE-2026-58653
Published: July 2, 2026, 12:34 p.m.
Description: PraisonAI before 0.1.7 fails to validate that project_id in issue create and update request bodies belongs to the URL workspace. An attacker can create issues referencing projects from other workspaces, causing cross-tenant data pollution in project statistics aggregation without workspace constraints.
Severity: 5.3 | MEDIUM
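The check missing here is a tenant-scoped lookup: project_id arrives in the body, but only the workspace in the URL is authoritative, and the statistics query has to be constrained by workspace too. The snippet below is an added illustration, not PraisonAI's code; the Store, Project and Issue types and the statistics functions are constructed stand-ins for whatever models and routes the project actually uses.

```python
from collections import Counter
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Stand-in for an HTTP 403/404 response."""


@dataclass(frozen=True)
class Project:
    id: int
    workspace_id: int


@dataclass
class Issue:
    id: int
    workspace_id: int   # the workspace named in the URL
    project_id: int     # the project named in the request body


@dataclass
class Store:
    projects: dict = field(default_factory=dict)   # project_id -> Project
    issues: list = field(default_factory=list)


def create_issue_vulnerable(store, url_workspace_id, body):
    """Trusts body['project_id'] as-is; a project from another workspace is accepted."""
    issue = Issue(len(store.issues) + 1, url_workspace_id, int(body["project_id"]))
    store.issues.append(issue)
    return issue


def resolve_project(store, url_workspace_id, project_id):
    """Tenant-scoped lookup: workspace and project are checked together, and a
    project that exists in a different workspace is reported exactly like a
    missing one, so the response does not confirm other tenants' project IDs."""
    project = store.projects.get(int(project_id))
    if project is None or project.workspace_id != url_workspace_id:
        raise Forbidden(f"project {project_id} not found in workspace {url_workspace_id}")
    return project


def create_issue_fixed(store, url_workspace_id, body):
    project = resolve_project(store, url_workspace_id, body["project_id"])
    issue = Issue(len(store.issues) + 1, url_workspace_id, project.id)
    store.issues.append(issue)
    return issue


def update_issue_fixed(store, url_workspace_id, issue_id, body):
    """Both the issue being edited and any new project_id must belong to the URL workspace."""
    issue = next((i for i in store.issues if i.id == issue_id), None)
    if issue is None or issue.workspace_id != url_workspace_id:
        raise Forbidden(f"issue {issue_id} not found in workspace {url_workspace_id}")
    if "project_id" in body:
        issue.project_id = resolve_project(store, url_workspace_id, body["project_id"]).id
    return issue


def project_stats_unconstrained(store, project_id):
    """Aggregation keyed on project_id alone: rows written through another tenant's
    URL are counted too, which is the pollution the advisory describes."""
    return sum(1 for i in store.issues if i.project_id == project_id)


def project_stats_scoped(store, workspace_id):
    """Aggregation constrained to the workspace: only its own rows are counted."""
    return Counter(i.project_id for i in store.issues if i.workspace_id == workspace_id)


def demo():
    """Constructed tenants: project 10 belongs to workspace 1, project 20 to workspace 2."""
    store = Store(projects={10: Project(10, 1), 20: Project(20, 2)})
    # Attacker holds a session in workspace 1 but names workspace 2's project.
    create_issue_vulnerable(store, 1, {"project_id": 20})
    polluted = project_stats_unconstrained(store, 20)   # the foreign row is counted
    clean = project_stats_scoped(store, 2).get(20, 0)   # workspace 2 sees none of it
    try:
        create_issue_fixed(store, 1, {"project_id": 20})
        blocked = False
    except Forbidden:
        blocked = True
    return polluted, clean, blocked


if __name__ == "__main__":
    print(demo())
```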
CVE-2026-5524 - Divi Form Builder <= 5.1.8 - Unauthenticated Arbitrary File Upload Leading to Remote Code Execution via 'acceptFileTypes' Parameter

CVE ID: CVE-2026-5524
Published: July 2, 2026, 12:34 p.m.
Description: The Divi Form Builder plugin for WordPress is vulnerable to Arbitrary File Upload leading to Remote Code Execution in all versions up to and including 5.1.8. This is due to insufficient file extension validation in the do_image_upload() function where user-supplied input from the acceptFileTypes POST parameter is directly interpolated into a regular expression used to validate uploaded files. Attackers can specify PHP-executable extensions such as .phtml, .phar, .php5, or .php7 to bypass the plugin's .htaccess protection which only blocks .php files specifically. Additionally, on Nginx-based servers, the .htaccess protection is completely ineffective as Nginx does not process .htaccess files. This makes it possible for unauthenticated attackers (who can obtain a nonce from any public page containing a form) to upload executable PHP files to the publicly accessible /wp-content/uploads/de_fb_uploads/ directory and achieve Remote Code Execution by accessing the uploaded file via HTTP. The vulnerability was partially patched in version 5.1.3.
Severity: 0.0 | NA
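The description pins down three separate failures: the extension check is built from the client's own acceptFileTypes value, the .htaccess rule matches only .php, and nginx never reads .htaccess at all. The Python below is an added illustration, not the plugin's code; the exact regex the plugin builds is not published, so the `\.(…)$` shape is an assumption, and the allowlist, server labels and file names are constructed.

```python
import re

# Extensions commonly mapped to the PHP handler. The advisory names phtml, phar,
# php5 and php7; the others are added here as the usual members of that family.
PHP_EXECUTABLE = {"php", "phtml", "phar", "php3", "php4", "php5", "php7", "php8", "phps"}

# Server-side allowlist for a form attachment field (constructed for this example).
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}


def is_accepted_vulnerable(filename, accept_file_types):
    """Client-controlled validation: the POST field is interpolated into the regex
    (assumed shape), so the uploader decides which extensions count as valid.
    Because it is a regex, '.*' is as good as 'phtml|php5' for the attacker."""
    pattern = re.compile(r"\.(" + accept_file_types + r")$", re.IGNORECASE)
    return pattern.search(filename) is not None


def htaccess_blocks_php_only(filename):
    """Models a .htaccess that denies only '.php'. Other handler-mapped extensions
    pass straight through, and nginx does not process .htaccess at all."""
    return filename.lower().endswith(".php")


def is_accepted_hardened(filename):
    """Server-side allowlist that ignores any client-supplied type list. Every
    extension in the name is checked, not just the last one, because some Apache
    AddHandler configurations execute 'shell.php.jpg' as PHP."""
    name = filename.rsplit("/", 1)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2 or parts[0] == "" or "" in parts[1:]:
        return False  # no extension, dotfile, or empty segment
    exts = parts[1:]
    if any(e in PHP_EXECUTABLE for e in exts):
        return False
    return exts[-1] in ALLOWED_UPLOAD_EXTENSIONS


def upload_outcome(filename, accept_file_types, server="apache"):
    """Walks the chain the advisory describes for the vulnerable path and reports
    whether the stored file would be reachable as executable PHP."""
    if not is_accepted_vulnerable(filename, accept_file_types):
        return "rejected by extension check"
    if server == "apache" and htaccess_blocks_php_only(filename):
        return "stored, blocked by .htaccess"
    if filename.rsplit(".", 1)[-1].lower() in PHP_EXECUTABLE:
        return "stored, executable as PHP"
    return "stored, inert"


if __name__ == "__main__":
    for case in (("shell.php", "php", "apache"), ("shell.phtml", "phtml", "apache"),
                 ("shell.php", "php", "nginx"), ("photo.jpg", "jpg", "apache")):
        print(case, "->", upload_outcome(*case), "| hardened:", is_accepted_hardened(case[0]))
```

The hardened check deliberately takes no type list from the request: the set of acceptable extensions is a server-side decision, and the upload directory should additionally be served with PHP execution disabled at the web-server level, which on nginx means a location rule rather than a .htaccess file.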
CVE-2026-4770 - DOM-Based XSS in TR7's WAF-ASP

CVE ID: CVE-2026-4770
Published: July 2, 2026, 12:37 p.m.
Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. Web Application Firewall allows DOM-Based XSS. This issue affects Web Application Firewall: from v1.0.42.239 before v1.4.0.117.
Severity: 4.6 | MEDIUM
CVE-2026-4772 - Stored XSS in TR7's WAF-ASP

CVE ID: CVE-2026-4772
Published: July 2, 2026, 12:50 p.m.
Description: Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in TR7 Cyber Defense Inc. WAF-ASP allows Stored XSS. This issue affects WAF-ASP: from v1.0.324.900 before v1.4.0.117.
Severity: 5.4 | MEDIUM
CVE-2026-55117 - UniFi Access Application Path Traversal

CVE ID: CVE-2026-55117
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi Access Application to access files on the host device.
Severity: 0.0 | NA
CVE-2026-55112 - UniFi OS / UniFi Protect Improper Access Control Privilege Escalation

CVE ID: CVE-2026-55112
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi OS with UniFi Protect Application to escalate privileges on the host device.
Severity: 0.0 | NA
CVE-2026-55118 - UniFi Network Application Improper Access Control Privilege Escalation

CVE ID: CVE-2026-55118
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network, low privileges and under certain conditions could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
Severity: 0.0 | NA
CVE-2026-55115 - UniFi Protect Application SSRF Privilege Escalation

CVE ID: CVE-2026-55115
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and low privileges could exploit a Server-Side Request Forgery (SSRF) in UniFi Protect Application to escalate privileges on the host device.
Severity: 0.0 | NA
CVE-2026-56841 - UniFi Protect SQL Injection Privilege Escalation

CVE ID: CVE-2026-56841
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and low privileges could exploit an authenticated SQL Injection vulnerability found in UniFi Protect Application to escalate privileges on the host device.
Severity: 0.0 | NA
CVE-2026-55116 - UniFi OS Improper Access Control Vulnerability

CVE ID: CVE-2026-55116
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and under certain network configurations could exploit an Improper Access Control vulnerability found in certain devices running UniFi OS to make unauthorized changes to such UniFi OS devices.
Severity: 0.0 | NA
CVE-2026-56842 - UniFi Network Application Incorrect Authorization Privilege Escalation

CVE ID: CVE-2026-56842
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and under certain conditions could exploit an Incorrect Authorization vulnerability found in UniFi Network Application to persist privileges within UniFi Network Application after such access had been removed.
Severity: 0.0 | NA
CVE-2026-55114 - A malicious actor with access to the network and l

CVE ID: CVE-2026-55114
Published: July 2, 2026, 2:50 p.m.
Description: A malicious actor with access to the network and low privileges could exploit an Improper Access Control vulnerability found in UniFi Network Application to escalate privileges within the UniFi Network Application.
Severity: 0.0 | NA