CVE tracker
352 subscribers
4.78K links
News monitoring: @irnewsagency

Main channel: @orgsecuritygate

Site: SecurityGate.org
Download Telegram
CVE-2026-12396 - WP Job Portal < 2.5.5 - Subscriber+ Arbitrary Job Approval, Featuring and Rejection

CVE ID :CVE-2026-12396
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :The WP Job Portal WordPress plugin before 2.5.5 does not perform capability or ownership checks before allowing job moderation actions, allowing authenticated users with a subscriber-level (self-registerable) account to approve, feature, or reject arbitrary jobs, including those owned by other users.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-12397 - WP Job Portal < 2.5.5 - Subscriber+ Employer Email Disclosure via IDOR

CVE ID :CVE-2026-12397
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :The WP Job Portal WordPress plugin before 2.5.5 does not verify ownership when returning an employer's contact email for a given job, allowing authenticated users with a subscriber-level (self-registerable) account to read other employers' private account email addresses by enumerating job identifiers.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-12582 - Library Management System < 3.5.8 - Unauthenticated SQL Injection via book_id

CVE ID :CVE-2026-12582
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15536 - itsourcecode Hospital Management System patviewprescription.php sql injection

CVE ID :CVE-2026-15536
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :A vulnerability was identified in itsourcecode Hospital Management System 1.0. This affects an unknown part of the file /patviewprescription.php. The manipulation of the argument delid leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15537 - SourceCodester Online Book Store System login.php sql injection

CVE ID :CVE-2026-15537
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15538 - primefaces primereact API ObjectUtils.mutateFieldData prototype pollution

CVE ID :CVE-2026-15538
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15539 - SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload

CVE ID :CVE-2026-15539
Published : July 13, 2026, 7:16 a.m. | 1 hour, 14 minutes ago
Description :A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-14165 - Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5

CVE ID :CVE-2026-14165
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :An Authorization Bypass Through User-Controlled Key vulnerability affecting Tuleap Enterprise Edition from 17.0 through 17.5 could allow an attacker to access data of other users without authorization.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15540 - SourceCodester Online Book Store System Administrative index.php php file inclusion

CVE ID :CVE-2026-15540
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/require statement in php program. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15541 - will-moss Isaiah Master Websocket server.go Server.Handle authorization

CVE ID :CVE-2026-15541
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15542 - will-moss Isaiah Websocket Connection Authentication main.go improper authentication

CVE ID :CVE-2026-15542
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :A vulnerability has been found in will-moss Isaiah up to 1.36.9. This affects an unknown function of the file app/main.go of the component Websocket Connection Authentication. The manipulation leads to improper authentication. The attack can be initiated remotely. The pull request to fix this issue awaits acceptance.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15543 - Tenda CH22 CertListInfo formCertListInfo buffer overflow

CVE ID :CVE-2026-15543
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :A vulnerability was found in Tenda CH22 1.0.0.1. This impacts the function formCertListInfo of the file /goform/CertListInfo. The manipulation of the argument Name results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15544 - Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow

CVE ID :CVE-2026-15544
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :A vulnerability was determined in Shibby Tomato up to 1.28.0000. Affected is the function getupsvar of the file www/apcupsd/tomatodata.cgi of the component apcupsd. This manipulation of the argument Field causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-4769 - Unauthenticated Access to Internal Diagnostic Interface

CVE ID :CVE-2026-4769
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :Certain devices in the WAGO System I/O Field series activate an internal diagnostic capability during the initial startup sequence. This functionality is not formally documented and becomes accessible without authentication for a brief period in the early boot phase. During this window, an unauthenticated remote attacker can gain access to the internal system processes, resulting in full system compromise.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-57829 - Joomla Extension - joomshaper.com - Unauthenticated stored XSS in Helix Ultimate < 2.2.7

CVE ID :CVE-2026-57829
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :The Joomla extension Helix Ultimate is vulnerable to an unauthenticated stored XSS.
Severity: 8.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-57830 - Joomla Extension - joomshaper.com - Unauthenticated arbitrary file deletion < 2.2.7

CVE ID :CVE-2026-57830
Published : July 13, 2026, 8:16 a.m. | 14 minutes ago
Description :The Joomla extension Helix Ultimate is vulnerable to an unauthenticated arbitrary file deletion.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-59515 - WordPress AIWU plugin <= 1.5.4 - SQL Injection vulnerability

CVE ID :CVE-2026-59515
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sergey AIWU ai-copilot-content-generator allows Blind SQL Injection.This issue affects AIWU: from n/a through <= 1.5.4.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-59516 - WordPress ICS Calendar plugin <= 12.1.1 - Cross Site Scripting (XSS) vulnerability

CVE ID :CVE-2026-59516
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Room 34 Creative Services, LLC ICS Calendar ics-calendar allows Reflected XSS.This issue affects ICS Calendar: from n/a through <= 12.1.1.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-59518 - WordPress Directorist plugin <= 8.8.2 - PHP Object Injection vulnerability

CVE ID :CVE-2026-59518
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Deserialization of Untrusted Data vulnerability in wpWax Directorist directorist allows Object Injection.This issue affects Directorist: from n/a through <= 8.8.2.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-59521 - WordPress Real Testimonials plugin <= 3.1.15 - PHP Object Injection vulnerability

CVE ID :CVE-2026-59521
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Deserialization of Untrusted Data vulnerability in ShapedPlugin LLC Real Testimonials testimonial-free allows Object Injection.This issue affects Real Testimonials: from n/a through <= 3.1.15.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-59523 - WordPress Simply Schedule Appointments plugin <= 1.6.11.11 - Broken Access Control vulnerability

CVE ID :CVE-2026-59523
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Missing Authorization vulnerability in NSquared Simply Schedule Appointments simply-schedule-appointments allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simply Schedule Appointments: from n/a through <= 1.6.11.11.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...