CVE-2026-61970 - WordPress Auto Featured Image (Auto Post Thumbnail) plugin <= 5.0.4 - Server Side Request Forgery (SSRF) vulnerability
CVE ID :CVE-2026-61970
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <= 5.0.4.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61970
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Server-Side Request Forgery (SSRF) vulnerability in Themeisle Auto Featured Image (Auto Post Thumbnail) auto-post-thumbnail allows Server Side Request Forgery.This issue affects Auto Featured Image (Auto Post Thumbnail): from n/a through <= 5.0.4.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61971 - WordPress User Profile Picture plugin <= 2.6.3 - Insecure Direct Object References (IDOR) vulnerability
CVE ID :CVE-2026-61971
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61971
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs User Profile Picture metronet-profile-picture allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects User Profile Picture: from n/a through <= 2.6.3.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61975 - WordPress JetReviews plugin <= 3.0.1 - Sensitive Data Exposure vulnerability
CVE ID :CVE-2026-61975
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61975
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetReviews jet-reviews allows Retrieve Embedded Sensitive Data.This issue affects JetReviews: from n/a through <= 3.0.1.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61976 - WordPress JetBlocks For Elementor plugin <= 1.5.0 - Sensitive Data Exposure vulnerability
CVE ID :CVE-2026-61976
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Retrieve Embedded Sensitive Data.This issue affects JetBlocks For Elementor: from n/a through <= 1.5.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61976
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetBlocks For Elementor jet-blocks allows Retrieve Embedded Sensitive Data.This issue affects JetBlocks For Elementor: from n/a through <= 1.5.0.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61977 - WordPress JetSearch plugin <= 3.6.1.2 - Sensitive Data Exposure vulnerability
CVE ID :CVE-2026-61977
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61977
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Crocoblock JetSearch jet-search allows Retrieve Embedded Sensitive Data.This issue affects JetSearch: from n/a through <= 3.6.1.2.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61983 - WordPress Church Admin plugin <= 5.0.30 - Broken Access Control vulnerability
CVE ID :CVE-2026-61983
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61983
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Missing Authorization vulnerability in andy_moyle Church Admin church-admin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Church Admin: from n/a through <= 5.0.30.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-61985 - WordPress Car Rental Manager plugin <= 1.3.7 - Broken Access Control vulnerability
CVE ID :CVE-2026-61985
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-61985
Published : July 13, 2026, 10:16 a.m. | 2 hours, 14 minutes ago
Description :Missing Authorization vulnerability in magepeopleteam Car Rental Manager car-rental-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Car Rental Manager: from n/a through <= 1.3.7.
Severity: 5.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-14934 - Cross-Tenant Repository Takeover via Improper Access Control in BigQuery, Dataform and Colab Enterprise
CVE ID :CVE-2026-14934
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover. This vulnerability was patched on 10 May 2026, and no customer action is needed.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-14934
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :A Missing Authorization vulnerability in the repository creation functionality in Google Cloud BigQuery, Dataform and Colab Enterprise, in the versions between October 2025 and May 10th, 2026, on Google Cloud Platform, allows an authenticated attacker to escalate privileges and perform cross-tenant repository takeover. This vulnerability was patched on 10 May 2026, and no customer action is needed.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-4765 - Stored Cross-Site Scripting (XSS) in Tallos Chat by RD Station Conversas
CVE ID :CVE-2026-4765
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Stored Cross-Site Scripting (XSS) vulnerability in the RD Station Conversas chat. The vulnerability resides in the ‘name’ parameter of the initialization process due to improper sanitization of user input. The vulnerability is not limited to self-exploitation: when a support agent joins the conversation, the malicious script also executes in their browser, increasing the impact. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of the application.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-4765
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Stored Cross-Site Scripting (XSS) vulnerability in the RD Station Conversas chat. The vulnerability resides in the ‘name’ parameter of the initialization process due to improper sanitization of user input. The vulnerability is not limited to self-exploitation: when a support agent joins the conversation, the malicious script also executes in their browser, increasing the impact. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary JavaScript code within the context of the application.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-6541 - Unscoped updates to other playbooks' metric configuration
CVE ID :CVE-2026-6541
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-6541
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.1, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to restrict metric configuration changes to the playbook being saved, which allows an authenticated user with team access to alter another user’s playbook metric settings via a crafted import or update request with a foreign metric ID. Mattermost Advisory ID: MMSA-2026-00653
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9820 - Mattermost schemes teams endpoint exposes private team invite IDs
CVE ID :CVE-2026-9820
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9820
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.2, 10.11.x <= 10.11.19 fail to sanitize team objects returned by the scheme teams endpoint, which allows a user with the User Manager role to obtain invite links for private teams and use them to join or share access to those teams via the scheme teams API endpoint.. Mattermost Advisory ID: MMSA-2026-00671
Severity: 3.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-9824 - Remote cluster metadata enumeration via /share-channel autocomplete
CVE ID :CVE-2026-9824
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-9824
Published : July 13, 2026, 11:16 a.m. | 1 hour, 14 minutes ago
Description :Mattermost versions 11.7.x <= 11.7.2, 11.6.x <= 11.6.4, 10.11.x <= 10.11.19 fail to check the manage_shared_channels permission in the /share-channel autocomplete handler, which allows an authenticated user without that permission to enumerate configured remote cluster connection metadata via slash command autocomplete.. Mattermost Advisory ID: MMSA-2026-00676
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-12257 - Remote code execution in Mura Software’s CMS
CVE ID :CVE-2026-12257
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-12257
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :Versions of Mura CMS prior to 10.0.712 contain a critical remote code execution (RCE) vulnerability. The flaw is located in the endpoint “/index.cfm/_api/json/v1/default”, where the “method” parameter in POST requests is not properly validated or sanitised before being processed by the ColdFusion engine. As a result, a remote attacker could exploit this vulnerability to inject and execute arbitrary CFML (ColdFusion Markup Language) expressions and instantiate malicious Java objects, thereby compromising the system’s security.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15558 - CodeAstro Simple Online Leave Management System deletemp.php sql injection
CVE ID :CVE-2026-15558
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-15558
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-62147 - Tempo-operator: tempo operator: query rbac bypass
CVE ID :CVE-2026-62147
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-62147
Published : July 13, 2026, 12:16 p.m. | 14 minutes ago
Description :The Tempo Operator's gateway component failed to consistently apply namespace-scoped redaction on some query API response paths when query RBAC was enabled, allowing an authenticated user to read span attributes belonging to other tenants' namespaces.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15559 - CodeAstro Simple Online Leave Management System POST accept.php sql injection
CVE ID :CVE-2026-15559
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. This affects an unknown part of the file /SimpleOnlineLeave/admin/accept.php of the component POST Handler. Performing a manipulation of the argument appid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-15559
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. This affects an unknown part of the file /SimpleOnlineLeave/admin/accept.php of the component POST Handler. Performing a manipulation of the argument appid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-15584 - Redhatinsights/incluster-checks: incluster-checks: privileged host-chroot debug pods created in shared default namespace enable privilege escalation to node root
CVE ID :CVE-2026-15584
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-15584
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :A privilege escalation vulnerability was found in the incluster-checks tool for OpenShift. The tool creates privileged debug pods with host filesystem access in the shared default namespace, where any user with the standard edit role can exec into them and obtain root access on cluster nodes.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40467 - Use after free in gawk
CVE ID :CVE-2026-40467
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). This issue may lead to a crash. It affects gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40467
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Use After Free vulnerability has been found in "io.c" program file of gawk (do_getline_redir() routine). This issue may lead to a crash. It affects gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40468 - Heap buffer overflow in gawk
CVE ID :CVE-2026-40468
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40468
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Integer overflow vulnerability has been found in "builtin.c" program file of gawk. This issue may lead to memory exhaustion on the hosting operating system and could be used to overwrite gawk heap metadata and objects with attacker-controlled bytes. It affects gawk in versions 5.4.0 and below.
Severity: 2.1 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40469 - Heap buffer overflow in gawk
CVE ID :CVE-2026-40469
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40469
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Integer overflow vulnerability has been found in "builtin.c" program file of gawk (do_sub() routine). This issue could be used to overwrite gawk heap metadata and objects causing the program to crash. It affects 32-bit builds of gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-40553 - Stack-based buffer overflow in gawk
CVE ID :CVE-2026-40553
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-40553
Published : July 13, 2026, 1:16 p.m. | 3 hours, 14 minutes ago
Description :Buffer overflow vulnerability has been found in "extension/readdir.c" program file of gawk (ftype() routine). This issue could be used to crash the program and potentially to achieve code execution, although the latter has not been confirmed to be feasible. It affects gawk in versions 5.4.0 and below.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...