🚨 CVE-2025-69130
Subscriber PHP Object Injection in Entrepreneur - Booking for Small Businesses WordPress Theme <= 3.1.3 versions.
@cveNotify
Patchstack
PHP Object Injection in WordPress Entrepreneur - Booking for Small Businesses WordPress Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
🚨 CVE-2025-69166
Unauthenticated Local File Inclusion in Gunslinger <= 1.7 versions.
@cveNotify
Patchstack
Local File Inclusion in WordPress Gunslinger Theme
🚨 CVE-2025-69189
Missing Authorization vulnerability in EMV JobBank allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects JobBank: from n/a through 1.2.3.
@cveNotify
Patchstack
Broken Access Control in WordPress JobBank Plugin
🚨 CVE-2026-40757
Unauthenticated PHP Object Injection in Château <= 1.2.1 versions.
@cveNotify
Patchstack
PHP Object Injection in WordPress Château Theme
🚨 CVE-2026-49268
A remote attacker can inject LDAP special characters into the Distinguished Name (DN) construction in the DefaultLdapRealm class. User-supplied username input is directly concatenated into the LDAP DN template without any escaping of RFC 2253 special characters. This allows an attacker to manipulate the DN structure used for LDAP bind authentication, potentially bypassing authentication or impersonating other users.
This issue affects all Apache Shiro versions through 2.2.0, and 3.0.0-alpha-1, when using DefaultLdapRealm.
Upgrade to Apache Shiro 2.2.1 or 3.0.0-alpha-2 or later, which fixes the issue.
@cveNotify
🚨 CVE-2026-52716
Unauthenticated Arbitrary File Deletion in WorkScout-Core <= 1.7.11 versions.
@cveNotify
Patchstack
Arbitrary File Deletion in WordPress WorkScout-Core Plugin
🚨 CVE-2026-54193
Contributor Arbitrary File Deletion in Fusion Builder <= 3.15.4 versions.
@cveNotify
Patchstack
Arbitrary File Deletion in WordPress Fusion Builder Plugin
🚨 CVE-2026-54417
An integer overflow in the mtar_next() function in src/microtar.c in rxi microtar 0.1.0 allows a remote attacker to cause a denial of service (uncontrolled CPU consumption / infinite loop) via a crafted tar archive. mtar_next() computes the offset to the next record as round_up(h.size, 512) + sizeof(mtar_raw_header_t) using 32-bit arithmetic. When the header size field is a multiple of 512 in the range 0xFFFFFC01-0xFFFFFE00 (e.g. 0xFFFFFE00), the addition wraps to 0, so mtar_next() seeks to the current record position instead of advancing. As a result, mtar_find() and any loop that iterates entries with mtar_next() repeat indefinitely over the same record, hanging the process at 100% CPU with no recovery.
@cveNotify
GitHub
GitHub - rxi/microtar: A lightweight tar library written in ANSI C
A lightweight tar library written in ANSI C. Contribute to rxi/microtar development by creating an account on GitHub.
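As an added illustration of the wrap described above (this is my own code, not microtar's): the first function reproduces the 32-bit stride computation round_up(h.size, 512) + 512 and shows it returning 0 for the header sizes the advisory names, and the second is a hardened alternative that widens to 64 bits and rejects any header whose next record would fall past the end of the archive, so an iterating caller can stop instead of spinning. The rounding helper, function names and the archive-length parameter are assumptions; only the formula and the 512-byte block size come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* One ustar block; also the size of the raw header the advisory refers to. */
#define TAR_BLOCK 512u

/* round_up() as the advisory describes it, evaluated in 32-bit arithmetic. */
static uint32_t round_up32(uint32_t n, uint32_t incr) {
    return n + (incr - n % incr) % incr;
}

/* Vulnerable pattern: padded data size plus one header block, in 32 bits.
 * For h.size in 0xFFFFFC01..0xFFFFFE00 the sum wraps to 0, so a caller that
 * seeks to pos + delta lands on the record it has just read. */
uint32_t next_record_delta_unchecked(uint32_t size) {
    return round_up32(size, TAR_BLOCK) + TAR_BLOCK;
}

/* Hardened pattern: widen to 64 bits, then refuse any header whose next record
 * would lie beyond the end of the archive. Returns the next record offset
 * (which is > pos, so iteration always advances), or -1 when the header is
 * rejected and the caller should abort iteration. */
int64_t next_record_pos_checked(uint64_t pos, uint32_t size, uint64_t archive_len) {
    uint64_t padded = ((uint64_t)size + TAR_BLOCK - 1) / TAR_BLOCK * TAR_BLOCK;
    uint64_t delta = padded + TAR_BLOCK;                 /* cannot wrap in 64 bits */
    if (pos > archive_len || delta > archive_len - pos) return -1;   /* past EOF */
    if (pos + delta > (uint64_t)INT64_MAX) return -1;    /* not representable */
    return (int64_t)(pos + delta);
}

int main(void) {
    uint32_t bad = 0xFFFFFE00u;   /* constructed header size from the advisory's example */
    printf("unchecked 32-bit delta for 0x%08X: %u\n", bad, next_record_delta_unchecked(bad));
    printf("checked next offset in a 4096-byte archive: %lld\n",
           (long long)next_record_pos_checked(0, bad, 4096));
    return 0;
}
```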
🚨 CVE-2026-54809
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VillaTheme GIFT4U allows Blind SQL Injection.
This issue affects GIFT4U: from n/a through 1.0.10.
@cveNotify
Patchstack
SQL Injection in WordPress GIFT4U Plugin
🚨 CVE-2026-54816
Improper Control of Generation of Code ('Code Injection') vulnerability in Monetizemore Advanced Ads allows Remote Code Inclusion.
This issue affects Advanced Ads: from n/a through 2.0.21.
@cveNotify
Patchstack
Remote Code Execution (RCE) in WordPress Advanced Ads Plugin
🚨 CVE-2026-54818
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in VeronaLabs Slimstat Analytics allows Blind SQL Injection.
This issue affects Slimstat Analytics: from n/a through 5.4.11.
@cveNotify
Patchstack
SQL Injection in WordPress Slimstat Analytics Plugin
🚨 CVE-2026-55738
A stack-based buffer overflow exists in the raw_to_header() function in src/microtar.c in rxi microtar 0.1.0. The function copies the 100-byte name and linkname fields of a TAR header with strcpy() without guaranteeing null termination of the source. The POSIX ustar format permits these fixed-width fields to be fully populated with non-null bytes, so a crafted archive whose linkname field (followed by the trailing padding of the 512-byte raw header) contains no null terminator causes strcpy() to read past the end of the 512-byte raw header stack buffer and to write past the destination header buffer. A remote attacker who supplies a crafted TAR archive that the victim opens or parses (via mtar_open(), mtar_read_header(), or mtar_find()) can cause an out-of-bounds read and a stack buffer overflow, resulting in denial of service (crash) and potentially arbitrary code execution. Confirmed with AddressSanitizer: stack-buffer-overflow READ of size 356 in raw_to_header at src/microtar.c:112.
@cveNotify
GitHub
GitHub - rxi/microtar: A lightweight tar library written in ANSI C
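Added example, not microtar's code: a bounded replacement for the strcpy() copy of the name and linkname fields that never reads more than the field width and always NUL-terminates the destination, exercised on a constructed 512-byte header in which both fields and the padding after them contain no NUL byte (the case the advisory describes). The field offsets are those of the ustar layout; the function names, the width + 1 destination buffers and the demo inputs are my assumptions.

```c
#include <stddef.h>
#include <string.h>

/* ustar raw header layout for the two fields the advisory names. */
#define RAW_HDR_SIZE 512
#define NAME_OFF     0
#define NAME_LEN     100
#define LINKNAME_OFF 157
#define LINKNAME_LEN 100

/* Length of a fixed-width tar text field: stops at the first NUL or at
 * `width`, so a field with no terminator never causes a read past it. */
static size_t field_len(const unsigned char *src, size_t width) {
    size_t n = 0;
    while (n < width && src[n] != '\0') n++;
    return n;
}

/* Bounded replacement for the strcpy() in raw_to_header(): copies at most
 * `width` bytes, truncates to fit dst, and always terminates. Returns bytes copied. */
size_t copy_tar_field(char *dst, size_t dstlen, const unsigned char *src, size_t width) {
    size_t n = field_len(src, width);
    if (dstlen == 0) return 0;
    if (n >= dstlen) n = dstlen - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n;
}

/* Destination buffers are width + 1 so a fully populated field still fits. */
void parse_name_fields(const unsigned char raw[RAW_HDR_SIZE], char name[NAME_LEN + 1], char linkname[LINKNAME_LEN + 1]) {
    copy_tar_field(name, NAME_LEN + 1, raw + NAME_OFF, NAME_LEN);
    copy_tar_field(linkname, LINKNAME_LEN + 1, raw + LINKNAME_OFF, LINKNAME_LEN);
}

/* Constructed headers: with `unterminated` set, every byte of name, linkname and
 * the trailing padding is non-NUL (the advisory's case); otherwise a short,
 * NUL-padded name. Returns strlen(name) + strlen(linkname) after parsing. */
size_t parse_header_demo(int unterminated) {
    unsigned char raw[RAW_HDR_SIZE];
    char name[NAME_LEN + 1], linkname[LINKNAME_LEN + 1];
    memset(raw, unterminated ? 'X' : 0, sizeof raw);
    if (unterminated) {
        memset(raw + NAME_OFF, 'A', NAME_LEN);
        memset(raw + LINKNAME_OFF, 'B', LINKNAME_LEN);
    } else {
        memcpy(raw + NAME_OFF, "notes.txt", 9);   /* rest of the field stays NUL */
    }
    parse_name_fields(raw, name, linkname);       /* safe: strlen below cannot overrun */
    return strlen(name) + strlen(linkname);
}
```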
🚨 CVE-2026-9591
Cross-site request forgery (CSRF) in NewsItemApiController in SimplCommerce prior to commit 6233d73e allows an unauthenticated remote attacker to create or modify news items as an administrator via a crafted form submitted to `/api/news-items`, due to missing anti-CSRF protection.
@cveNotify
GitHub
Bring CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter back · simplcommerce/SimplCommerce@6233d73
A simple, cross platform, modulith ecommerce system built on .NET - Bring CookieOnlyAutoValidateAntiforgeryTokenAuthorizationFilter back · simplcommerce/SimplCommerce@6233d73
🚨 CVE-2024-47477
Dell PowerFlex Manager, versions prior to 4.5.1.1, contain an improper certificate validation vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability leading to man-in-the-middle attack in tandem with DNS cache poisoning.
@cveNotify
🚨 CVE-2026-10850
Plane CE 1.3.1 allows a low-privileged project member to submit arbitrary HTML/JS in the description_html field when creating an intake work item through the API v1 intake endpoint.
@cveNotify
Fluidattacks
Plane 1.3.1 - Stored XSS in intake issue description_html | Fluid Attacks
AppSec solution that integrates AI, automated tools, and pentesters to help you prevent, detect, manage, and fix vulnerabilities continuously across your SDLC.